RDS Database Connections

To comply with HIPAA requirements, AWS requires that connections between clients and databases be encrypted. Amazon RDS database endpoints use SSL certificates generated by an internal AWS certificate authority. If you have an EC2 instance in your environment, a certificate authority (CA) bundle is located at /etc/ssl/rds-combined-ca-bundle.pem. Reference this file from your preferred database shell client and from your application's database library when connecting to your RDS databases. Otherwise, you can download the appropriate CA file on this page.

MySQL shell example:

mysql -h <RDS database address> \
  --ssl-ca=/etc/ssl/rds-combined-ca-bundle.pem \
  --ssl-mode=VERIFY_CA \
  -u <database username> \
  -p <database name>

PostgreSQL shell example:

psql -h <RDS database address> \
  "dbname=<database name> user=<database username> sslrootcert=/etc/ssl/rds-combined-ca-bundle.pem sslmode=require"
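As an added example (not code from the original page), a small Python audit of the TLS options used by the two clients above: it flags modes that encrypt without verifying the server certificate against the CA bundle, and notes which modes also check the host name. The CA bundle path is the one named above; the option strings it audits are constructed samples.

```python
"""Audit psql (libpq) and mysql client options for TLS verification.

Added example, not code from the original page. The CA bundle path is the one
the page names; inputs are constructed samples, not captured from a real client.
"""
import shlex

RDS_CA_BUNDLE = "/etc/ssl/rds-combined-ca-bundle.pem"


def parse_conninfo(conninfo: str) -> dict:
    """Parse a libpq keyword=value connection string into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(conninfo) if "=" in tok)


def audit_pg(conninfo: str) -> list:
    """Return hardening findings for a psql/libpq connection string."""
    opts = parse_conninfo(conninfo)
    mode = opts.get("sslmode", "prefer")  # libpq default
    root = opts.get("sslrootcert")
    if mode in ("disable", "allow", "prefer"):
        return [f"sslmode={mode} allows an unencrypted session"]
    if mode == "require" and not root:
        return ["sslmode=require without sslrootcert: server certificate is not verified"]
    if mode in ("verify-ca", "verify-full") and not root:
        return [f"sslmode={mode} needs sslrootcert (e.g. {RDS_CA_BUNDLE}) or ~/.postgresql/root.crt"]
    if mode == "verify-full":
        return []
    # With a root cert present libpq treats require like verify-ca: the chain
    # is checked, but only verify-full also matches the server host name.
    return [f"sslmode={mode} checks the CA chain but not the host name; use verify-full"]


def audit_mysql(args: list) -> list:
    """Return hardening findings for mysql client command-line options."""
    opts = dict(a[2:].split("=", 1) for a in args if a.startswith("--ssl-") and "=" in a)
    mode = opts.get("ssl-mode", "PREFERRED")  # mysql client default
    if mode in ("DISABLED", "PREFERRED"):
        return [f"ssl-mode={mode} allows an unencrypted session"]
    if mode == "REQUIRED":
        return ["ssl-mode=REQUIRED encrypts but does not verify the server certificate"]
    if not opts.get("ssl-ca"):  # VERIFY_CA / VERIFY_IDENTITY need a CA file
        return [f"ssl-mode={mode} needs --ssl-ca (e.g. {RDS_CA_BUNDLE})"]
    if mode == "VERIFY_CA":
        return ["ssl-mode=VERIFY_CA checks the CA chain but not the host name; VERIFY_IDENTITY does"]
    return []
```

Run against the psql string above, the audit reports that sslmode=require verifies the chain only because sslrootcert is present; verify-full additionally pins the endpoint host name.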

Note: if you connect to your RDS database through RDS Proxy, you do not need to reference a certificate, since RDS Proxy encrypts connections by default and uses an internal set of certificates.