To protect data in transit from being viewed by unintended parties, we can encrypt the connection between the client application and the RDS DB instance with SSL/TLS (this is separate from encryption at rest of the storage volume). Connection encryption is available in all AWS Regions and for all database engines supported by Amazon RDS. In this chapter we will see how it is enabled for Microsoft SQL Server.
There are two ways to enable encryption.
Force SSL for all connections — this happens transparently to the client, and the client doesn't have to do any work to use SSL.
Encrypt specific connections — this sets up an SSL connection from a specific client computer, and you must do work on the client to encrypt connections.
In this approach we force all connections from DB clients to use SSL. This is done with the rds.force_ssl parameter: set it to 1 (true) to reject any connection that is not encrypted. The default DB parameter group cannot be edited, so the parameter must be changed in a custom parameter group that is associated with the DB instance. As rds.force_ssl is a static parameter, the DB instance must be rebooted for the change to take effect. The diagram below shows how to change the value by visiting the DB parameter group settings page and editing the rds.force_ssl parameter.
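The same procedure from the command line, as an added example that is not part of the original page: it creates a custom parameter group, sets rds.force_ssl, attaches the group to the instance, reboots, and then checks that the value is applied. It invokes the AWS CLI from PowerShell; the parameter group name mssql-force-ssl, the family sqlserver-se-15.0 and the instance identifier mydb are assumptions for illustration, and the session needs AWS credentials with RDS permissions.

```powershell
# Added example (not from the original page): force SSL for every connection to an
# RDS for SQL Server instance using the AWS CLI from PowerShell.
# Assumed (hypothetical) names: parameter group "mssql-force-ssl", parameter group
# family "sqlserver-se-15.0", DB instance identifier "mydb".

$ParameterGroup = "mssql-force-ssl"
$Family         = "sqlserver-se-15.0"
$InstanceId     = "mydb"

# The default parameter group cannot be modified, so create a custom one first.
aws rds create-db-parameter-group `
    --db-parameter-group-name $ParameterGroup `
    --db-parameter-group-family $Family `
    --description "Force SSL/TLS for SQL Server connections"

# rds.force_ssl is a static parameter, so it can only be applied with pending-reboot.
aws rds modify-db-parameter-group `
    --db-parameter-group-name $ParameterGroup `
    --parameters "ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot"

# Associate the group with the instance and wait until the instance is available again.
aws rds modify-db-instance `
    --db-instance-identifier $InstanceId `
    --db-parameter-group-name $ParameterGroup `
    --apply-immediately
aws rds wait db-instance-available --db-instance-identifier $InstanceId

# Reboot so the static parameter takes effect (plan this for a maintenance window).
aws rds reboot-db-instance --db-instance-identifier $InstanceId
aws rds wait db-instance-available --db-instance-identifier $InstanceId

# Checks: the parameter value in the group, and that no reboot is still pending
# for the instance (ParameterApplyStatus should read "in-sync").
aws rds describe-db-parameters `
    --db-parameter-group-name $ParameterGroup `
    --query "Parameters[?ParameterName=='rds.force_ssl'].[ParameterValue,ApplyMethod]" `
    --output text
aws rds describe-db-instances `
    --db-instance-identifier $InstanceId `
    --query "DBInstances[0].DBParameterGroups[0].ParameterApplyStatus" `
    --output text
```

Until the reboot completes, describe-db-instances reports the parameter group as pending-reboot and unencrypted connections are still accepted, so the final check is what confirms the enforcement is live.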
We can also encrypt connections from specific client computers only to the RDS DB instance. To do this, the RDS root CA certificate must be installed on the client computer so that the client can validate the certificate presented by the DB instance. Below are the steps to install the certificate.
Download the RDS root CA certificate (a .pem file) to the client computer from here.
Follow the path Windows -> Run -> type mmc and press Enter. It opens the Microsoft Management Console; choose File -> Add/Remove Snap-in to open the following window.
In the Add or Remove Snap-ins dialog box, under Available snap-ins, select Certificates, and then choose Add.
Follow the path Computer account -> Local computer -> Finish.
In the MMC console, expand Certificates, open the context (right-click) menu for Trusted Root Certification Authorities, choose All Tasks, and then choose Import.
Select the .pem file downloaded in the first step and finish the import wizard by accepting the default values and clicking Next, then Finish.
We can see the certificate installed as below.
When connecting to the AWS RDS SQL Server DB instance using SSMS, use the RDS endpoint DNS name as the server name (the certificate is issued for that name, not for an IP address), expand the Options tab and choose Encrypt connection. Leave Trust server certificate unchecked: with it checked, SSMS skips certificate validation and the root CA installed above is never used.
Now the client connection to RDS from this computer is encrypted, and the server certificate is validated against the installed RDS root CA.
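The client-side procedure above, as an added example that is not part of the original page: a PowerShell script that installs the downloaded root CA into the Trusted Root Certification Authorities store of the local computer (the same store the MMC import targets) and then opens a connection with encryption requested and certificate validation enabled, reading back from the server whether the session is actually encrypted. The file name rds-ca-root.pem, the endpoint mydb.abc123.us-east-1.rds.amazonaws.com and the login admin are assumptions for illustration.

```powershell
# Added example (not from the original page): install the RDS root CA on the client and
# verify that a connection to the RDS for SQL Server instance is encrypted and validated.
# Assumed (hypothetical) values: CA file .\rds-ca-root.pem, endpoint
# mydb.abc123.us-east-1.rds.amazonaws.com, SQL login "admin".
# Run in an elevated Windows PowerShell 5.1 session; writing to the LocalMachine\Root
# store requires administrator rights.

function Install-RdsRootCa {
    param([Parameter(Mandatory)][string]$PemPath)
    # Equivalent to the MMC import into Trusted Root Certification Authorities.
    $cert = Import-Certificate -FilePath $PemPath -CertStoreLocation Cert:\LocalMachine\Root
    # Check: the certificate is now present in the trusted root store.
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint
}

function Test-RdsEncryptedConnection {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][SecureString]$Password
    )
    $plain = [System.Net.NetworkCredential]::new("", $Password).Password
    # Encrypt=True requests TLS; TrustServerCertificate=False makes the client validate the
    # server certificate against the root CA installed above, so an untrusted or mismatched
    # certificate fails the connection instead of being silently accepted. Use the RDS
    # endpoint DNS name as $Server, because that is the name the certificate is issued for.
    $cs = "Server=$Server,1433;Database=master;User ID=$User;Password=$plain;" +
          "Encrypt=True;TrustServerCertificate=False;Connection Timeout=15"
    $conn = [System.Data.SqlClient.SqlConnection]::new($cs)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # The DMV reports what the server negotiated for this session ('TRUE' or 'FALSE').
        $cmd.CommandText = "SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID"
        $encrypted = [string]$cmd.ExecuteScalar()
        return ($encrypted -eq "TRUE")
    }
    finally {
        $conn.Dispose()
    }
}

# Usage:
# Install-RdsRootCa -PemPath .\rds-ca-root.pem
# $pw = Read-Host -AsSecureString -Prompt "Password"
# Test-RdsEncryptedConnection -Server mydb.abc123.us-east-1.rds.amazonaws.com -User admin -Password $pw
```

If the root CA is missing or the server name does not match the certificate, Open() throws a certificate chain error rather than returning a connection; that failure is the behaviour you want, since it is what distinguishes validated encryption from merely requesting it. The same SELECT against sys.dm_exec_connections can be run from SSMS to confirm the encrypt_option of the current session.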