AWS Database Blog

Customizing security parameters on Amazon RDS for SQL Server

You can now use database (DB) parameters to configure security protocols and ciphers on Amazon RDS for SQL Server. You can configure various security protocols and ciphers available for your RDS SQL Server instance. You can also choose to enable or disable certain TLS versions or ciphers, such as RC4 stream cipher, based on your security and application requirements. For more information about ciphers, see Configuring Security Protocols and Ciphers. For more information about securing your connections to RDS SQL Server, see Using SSL/TLS to Encrypt a Connection to a DB Instance.

This post describes how to configure these settings with the use case of disabling TLS 1.0, 1.1, and RC4 stream cipher. For more information about DB parameter groups, see Working with DB Parameter Groups.

When completing this walkthrough, keep in mind that if the client used to connect to the RDS SQL Server instance isn’t compatible with latest TLS versions, the following changes may cause outages for your application.

Creating a custom DB parameter group

If your database instance already has a custom parameter group and you want to reuse it, you can skip this step.

  1. On the Amazon RDS console, choose Parameter groups.
  2. Choose Create parameter group.
  3. For Parameter group family, choose the respective value for your target instance, such as sqlserver-se-13.0.
  4. For Group name, enter an identifier for the parameter group, such as sqlserver-ciphers-se-13.
  5. For Description, enter a description for this parameter group, such as Custom security parameters for SQL Server SE 13.
  6. Choose Create.

Alternatively, you can enter commands in the AWS Command Line Interface (AWS CLI).

For Linux, macOS, or Unix, enter the following code:

aws rds create-db-parameter-group  --db-parameter-group-name sqlserver-ciphers-se-13 \
 --db-parameter-group-family "sqlserver-se-13.0" \
 --description "Parameter group for security protocols and ciphers"

For Windows, enter the following code:

aws rds create-db-parameter-group  --db-parameter-group-name sqlserver-ciphers-se-13 ^
 --db-parameter-group-family "sqlserver-se-13.0" ^
 --description "Parameter group for security protocols and ciphers"

Modifying security-related parameters

To modify the security parameters, complete the following steps:

  1. On the Amazon RDS console, choose Parameter groups.
  2. Select the desired parameter group (for this post, sqlserver-ciphers-se-13).
  3. In the Parameters section, filter the parameter list by rds.
  4. Choose Edit parameters.
  5. On the parameter rds.tls10, choose disabled from the Values drop-down menu.
  6. Repeat these steps to set the values of rds.tls11 and rds.rc4 to disabled.
  7. Choose Save changes.

If you would like to force connections to your DB instance to use SSL, you can change the rds.force_ssl parameter to 1. For more information, see Using SSL with a Microsoft SQL Server DB Instance.

Alternatively, you can use the AWS CLI.

For Linux, macOS, or Unix, enter the following code:

aws rds modify-db-parameter-group 
--db-parameter-group-name sqlserver-ciphers-se-13 \
 --parameters "ParameterName='rds.tls10',ParameterValue='disabled',ApplyMethod=pending-reboot" \
"ParameterName='rds.tls11',ParameterValue='disabled',ApplyMethod=pending-reboot" \
"ParameterName='rds.rc4',ParameterValue='disabled',ApplyMethod=pending-reboot"

For Windows, enter the following code:

aws rds modify-db-parameter-group 
--db-parameter-group-name sqlserver-ciphers-se-13 ^
--parameters "ParameterName='rds.tls10',ParameterValue='disabled',ApplyMethod=pending-reboot" ^
"ParameterName='rds.tls11',ParameterValue='disabled',ApplyMethod=pending-reboot" ^
"ParameterName='rds.rc4',ParameterValue='disabled',ApplyMethod=pending-reboot"

Associating the custom parameter group with your DB instance

To associate your new parameter group with your DB instance, complete the following steps:

  1. On the Amazon RDS console, choose Databases.
  2. Select the DB instance that you want to modify.
  3. Choose Modify.
  4. In the Database options section, choose the custom DB parameter group you modified (for this post, sqlserver-ciphers-se-13).
  5. Choose Continue to view the summary of modifications.
  6. On the confirmation page, review your changes and choose Modify DB Instance.

You may see your DB parameter group immediately associated to your DB instance even if you choose to defer your changes. However, because all the security parameters are static parameters, any modifications you make to the DB parameters aren’t effective until your instance is rebooted. For more information about rebooting, see Rebooting a DB Instance.

Alternatively, you can use the AWS CLI.

For Linux, macOS, or Unix, enter the following code:

aws rds modify-db-instance  --db-instance-identifier mydbinstance \
--db-parameter-group-name sqlserver-ciphers-se-13 \
--apply-immediately

For Windows, enter the following code:

aws rds modify-db-instance  --db-instance-identifier mydbinstance ^
--db-parameter-group-name sqlserver-ciphers-se-13 ^
--apply-immediately

Connecting to the RDS instance specifying the TLS version

As mentioned in the previous section, a reboot is necessary for the security parameters change to take effect. For instructions, see Rebooting a DB Instance. Use the Configuration section of the RDS instance to check the parameter group status. Make sure the parameter group status on your instance is in-sync before validating any changes you have made.

If the client used to connect to SQL Server allows you to specify the JDBC URL for the connection, you can use the sslProtocol parameter to specify the desired TLS version.

In your client, set the connection URL to the following:

jdbc:sqlserver://<Your DB Endpoint>:<Your DB Port>;sslProtocol=TLSv1.2

If your client allows testing the connection, you should receive a success message by selecting that option. Otherwise, connect to the database and make a simple query, such as:

Select 1;

Change the connection URL to the following:

jdbc:sqlserver://<Your DB Endpoint>:<Your DB Port>;sslProtocol=TLSv1

Test connection again. This time it should fail because the client can’t establish a secure connection to the RDS SQL Server instance.

Parameter restrictions

Your parameters have the following restrictions:

  • tls10, rds.tls11 – If your database version is 11.00.5058.0, modifying these two parameters doesn’t have any effect. This is because TLS 1.2 isn’t supported on this engine version; if you disable older versions of TLS, you can’t establish TLS connections to your instance.
  • tls12 – This parameter can’t be disabled because it’s used by Amazon RDS internally.
  • curve25519 This parameter isn’t supported for all engine versions. Please use the latest minor versions for the desired SQL Server major version.

Summary

This post showed you how to use DB parameters to improve the degree of security of your RDS SQL Server instance. For more information about DB parameter groups, see Working with DB Parameter Groups. For more information about encrypting your connection, see Using SSL/TLS to Encrypt a Connection to a DB Instance and Configuring Security Protocols and Ciphers. Try out these parameters today on the AWS Management Console, and share your thoughts and experiences in the comments.

 


About the Authors

 

Amir Firouz is a Software Development Engineer at Amazon Web Services.

 

 

 

 

Juliana Franca Motira is a Software Development Engineer at Amazon Web Services.