
feat(cloudquery): Verify RDS SSL certificate #161

Merged 1 commit into main from aa/cloudquery-ssl on Apr 5, 2023
Conversation

akash1810
Member

@akash1810 akash1810 commented Apr 3, 2023

What does this change?

Verify the full SSL certificate on the RDS connection.

To achieve this, we download and add the signing certificate authority (CA) to the OS trust store. This means the CA is trusted OS-wide.

An alternative to this could be to set the sslrootcert value in the postgres connection string. Opted against that because it means we have to remember a file path, which is fragile. For example, when we move to an AMIgo recipe, we'd need to ensure these two paths line up, and stay in sync.

Why?

Security!

From https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html:

You can use Secure Socket Layer (SSL) or Transport Layer Security (TLS) from your application to encrypt a connection to a DB instance running MariaDB, Microsoft SQL Server, MySQL, Oracle, or PostgreSQL.

SSL/TLS connections provide one layer of security by encrypting data that moves between your client and a DB instance. Using a server certificate provides an extra layer of security by validating that the connection is being made to an Amazon RDS DB instance. It does so by checking the server certificate that is automatically installed on all DB instances that you provision.

How has it been verified?

  • Deploy it (done)
  • Start cloudquery (sudo systemctl start cloudquery)
  • Observe the logs showing postgres is being written to (sudo journalctl -f -u cloudquery OR look in Central ELK)
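To make concrete what installing the CA buys the client, here is an added example (not code from this PR or from CloudQuery) that builds a constructed CA and server certificate with Go's crypto/x509 and runs the same check sslmode=verify-full performs: chain to a trusted root, then hostname match. The hostname dbHost is constructed; passing nil roots to verifyFull would use the OS store, which on Linux is what update-ca-certificates rebuilds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed hostname standing in for a real RDS endpoint.
const dbHost = "cloudquery-db.example.eu-west-1.rds.amazonaws.com"

// makeCert issues a certificate for cn: a self-signed CA when parent is nil
// (our stand-in for the RDS root CA), otherwise a server leaf signed by parent.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // verify-full matches the dialled host against SANs
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, priv // self-sign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// verifyFull is the check sslmode=verify-full performs: the server certificate
// must chain to a root in the trust store AND carry the hostname we dialled.
func verifyFull(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

With an empty pool the leaf is rejected as signed by an unknown authority; once the CA is in the pool it passes, and a hostname that does not match the SAN still fails.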

Comment on lines +151 to +153
// Install RDS certificate
'curl https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem -o /usr/local/share/ca-certificates/rds-ca-2019-root.crt',
'update-ca-certificates',
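Review bot: the curl on the first line of this hunk has no failure handling, so a non-200 response (for example an HTML error page) would be saved as /usr/local/share/ca-certificates/rds-ca-2019-root.crt and the update-ca-certificates on the next line would run against it; suggest `curl --fail --silent --show-error https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem -o /usr/local/share/ca-certificates/rds-ca-2019-root.crt` followed by a sanity check such as `openssl x509 -noout -in /usr/local/share/ca-certificates/rds-ca-2019-root.crt` before running update-ca-certificates, so a bad download fails the build rather than silently leaving the trust store unchanged. The author's later comment in this thread notes that rds-ca-2019 expires in 2024 without automatic rotation, which argues for keeping the bundle name in one variable rather than hard-coding rds-ca-2019-root twice on this line.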
Member Author

@akash1810 akash1810 Apr 3, 2023


Followed instructions from https://superuser.com/a/719047 to add the CA to the OS.

Member Author

@akash1810 akash1810 Apr 4, 2023


The rds-ca-2019 certificate authority expires in 2024, and does not support automatic rotation, meaning we'll have to perform the rotation manually (with potential downtime).

We should move to the rds-ca-rsa2048-g1 CA, which does support automatic rotation.

See:

Contributor

@NovemberTang NovemberTang Apr 5, 2023


do we have a ticket planned to do this migration?

Member Author


do we have a ticket planned to do this migration?

Not (yet) on trello, but we do have guardian/cdk#1786.

Member Author


Created the Trello card now - https://trello.com/c/gqPcnFh7.

@akash1810 akash1810 marked this pull request as ready for review April 3, 2023 19:25
@akash1810 akash1810 requested review from a team as code owners April 3, 2023 19:25
@akash1810 akash1810 force-pushed the aa/cloudquery-ssl branch from 746e7b5 to ea918c0 Compare April 4, 2023 06:03
@akash1810 akash1810 enabled auto-merge April 5, 2023 07:58
@NovemberTang NovemberTang disabled auto-merge April 5, 2023 09:32
@akash1810 akash1810 enabled auto-merge April 5, 2023 09:39
@akash1810 akash1810 disabled auto-merge April 5, 2023 09:39
Validate the SSL certificate on the RDS connection.
To achieve this, we download and add the certificate to the OS trust store.
@akash1810 akash1810 force-pushed the aa/cloudquery-ssl branch from 44beff9 to a5a389a Compare April 5, 2023 09:40
@akash1810 akash1810 enabled auto-merge April 5, 2023 09:41
@akash1810 akash1810 merged commit b5afd11 into main Apr 5, 2023
@akash1810 akash1810 deleted the aa/cloudquery-ssl branch April 5, 2023 09:44
2 participants