
Use Aurora MySQL Version With TLS 1.1/1.2 Support

Description

Transport Layer Security (TLS), and the earlier Secure Sockets Layer (SSL), are encryption protocols that enable secure connections between endpoints. Any release prior to TLS 1.2 is deprecated, and does not meet current security standards.

The main benefits of TLS 1.2 and TLS 1.3 are:

  • Stronger encryption algorithms are available.
  • PCI compliance. To be PCI-compliant, organizations must disable Secure Sockets Layer (SSL), TLS 1.0, and TLS 1.1 on applicable connections.

Amazon Aurora MySQL DB clusters support Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections from applications using the same process and public key as RDS for MySQL DB instances. Unfortunately, versions of Aurora MySQL 5.6 prior to 1.23.1 don’t support TLS 1.2, as stated in the Amazon Aurora User Guide.

Rationale

Use a more recent version of Aurora which supports TLS 1.1/1.2. This will allow you to encrypt your communication channels using more robust cipher suites.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                            Value
secureclouddb/provider         aws
secureclouddb/service          rds
secureclouddb/resource-type    cluster
secureclouddb/engine           mysql

Default Rule

// Helpers provided by the rule runtime: isNewerVersion(a, b) compares dotted
// version strings, isAwsRdsCluster(settings) tells RDS clusters from instances.
const { isNewerVersion } = module
const { isAwsRdsCluster } = aws

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is false when the resource is not an
 *   RDS cluster, its engine version cannot be parsed, or it runs Aurora MySQL
 *   5.6 on an Aurora build older than 1.23.1 (no TLS 1.2 support)
 */
function validate(databaseSettings) {
    let success = isAwsRdsCluster(databaseSettings) &&
                    !!databaseSettings.awsDatabaseInstance.rdsCluster.engineVersion

    if (!success) return { success }

    // Aurora MySQL reports engineVersion as "<mysql version>.mysql_aurora.<aurora version>",
    // e.g. "5.6.mysql_aurora.1.22.2"
    const versionParts = databaseSettings.awsDatabaseInstance.rdsCluster.engineVersion.split('.mysql_aurora.')

    // Invalid version: fail closed rather than assume TLS 1.2 is available
    if (versionParts.length !== 2) return { success: false }

    const mySqlVersion = versionParts[0]
    const auroraVersion = versionParts[1]

    // Only Aurora MySQL 5.6 builds before 1.23.1 lack TLS 1.2
    if (mySqlVersion === '5.6' && !isNewerVersion(auroraVersion, '1.23.1')) {
        success = false
    }

    return {
        success,
    }
}

// invoke
validate(databaseSettings);
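As an added example that is not part of the SecureCloudDB rule above, the same check written as a stand-alone script: it parses the `<mysql version>.mysql_aurora.<aurora version>` engine version format, replaces the platform's isNewerVersion helper with a hypothetical compareVersions function, and runs over constructed sample version strings, including one that is not in the expected form and therefore fails closed as the rule does.

```javascript
// Added example, not the SecureCloudDB rule: stand-alone TLS 1.2 check for an
// Aurora MySQL engine version string. compareVersions() is a hypothetical
// stand-in for the platform's isNewerVersion helper.

// Compare dotted numeric versions: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number)
  const pb = b.split('.').map(Number)
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0)
    if (diff !== 0) return diff
  }
  return 0
}

// Split "<mysql version>.mysql_aurora.<aurora version>" into its two components;
// returns null for anything not in that form (missing value, legacy strings, typos).
function parseAuroraEngineVersion(engineVersion) {
  if (typeof engineVersion !== 'string') return null
  const parts = engineVersion.split('.mysql_aurora.')
  if (parts.length !== 2) return null
  const numeric = /^\d+(\.\d+)*$/
  if (!numeric.test(parts[0]) || !numeric.test(parts[1])) return null
  return { mySqlVersion: parts[0], auroraVersion: parts[1] }
}

// Oldest Aurora MySQL 5.6 build with TLS 1.2 support, as stated in the rule description.
const MIN_TLS12_AURORA_56 = '1.23.1'

// Same verdict shape as the rule ({ success }), plus a reason for the finding.
function checkTls12Support(engineVersion) {
  const parsed = parseAuroraEngineVersion(engineVersion)
  if (!parsed) {
    // Fail closed: an unparseable version cannot be shown to support TLS 1.2.
    return { success: false, reason: 'unrecognised engine version: ' + engineVersion }
  }
  if (parsed.mySqlVersion === '5.6' && compareVersions(parsed.auroraVersion, MIN_TLS12_AURORA_56) < 0) {
    return { success: false, reason: 'Aurora MySQL 5.6 build ' + parsed.auroraVersion + ' predates ' + MIN_TLS12_AURORA_56 }
  }
  return { success: true, reason: 'TLS 1.2 available' }
}

// Constructed sample engine version strings (not taken from a real account).
const SAMPLES = ['5.6.mysql_aurora.1.22.2', '5.6.mysql_aurora.1.23.1', '5.7.mysql_aurora.2.09.1', '5.6.10a']
for (const v of SAMPLES) console.log(v, '=>', checkTls12Support(v))
```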