New Information from AWS related to Amazon RDS CA Update.
Hello,
You are receiving this message because you have one or more Amazon RDS database instances that require attention in the ap-southeast-1 Region. For these instances, you still need to update your Amazon RDS certificate authority (CA) certificate before the old certificate expires on March 5, 2020. See the 'Affected resources' tab in your Personal Health Dashboard for a list of instances.
In this notification, we provide important new information about your Amazon RDS certificate authority (CA) certificate updates. We are sending this information to help make your certificate updates simpler and to give you more control over the update process.
As previously communicated, the current CA expires on March 5, 2020, requiring updates to all client applications and database instances that connect using Secure Sockets Layer (SSL)/Transport Layer Security (TLS) with certificate verification. Client applications must add new CA certificates to their trust stores, including root and intermediate certificates where necessary. RDS database instances must separately use new server certificates before this hard expiration date. If you've missed previous communications on this subject, see this Database Blog post for more information [1].
Important new information follows:
Previously, we had communicated that between February 5 and March 5, 2020, RDS would automatically stage the new certificates on RDS database instances without a restart. Based on customer feedback and to give you as much time as possible to complete your updates, RDS will not stage and will not update your database certificates automatically ahead of March 5, 2020. This means that you will be able to use the full time until March 5, 2020 to update your applications and databases to use the new CA certificates.
For applications that use SSL/TLS with certificate verification, there is no change in what you need to do. You will still need to update your applications' trust stores and the certificates on your databases prior to March 5, 2020, following the detailed instructions included in the links below. As a best practice, we strongly recommend that you complete your updates prior to February 28, 2020 to leave time for your own testing and deployments.
If your applications do not connect to your databases using SSL/TLS with certificate verification, you are not impacted. However, if you plan to use SSL/TLS with certificate verification in the future, you will need to update your database certificates ahead of doing so. Please view our instructions on updating database certificates for RDS databases [2] and Amazon Aurora databases [3].
We encourage you to test these steps in a development or staging environment before implementing them in your production environments.
If you have questions or issues, contact AWS Support [4].
[1] https://aws.amazon.com/blogs/database/amazon-rds-customers-update-your-ssl-tls-certificates-by-february-5-2020/
[2] https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
[3] https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html
[4] https://aws.amazon.com/support
Sincerely,
Amazon Web Services
---
Reference: https://phd.aws.amazon.com/phd/home#/event-log?Event%20ARN=arn:aws:health:ap-southeast-1::event/RDS/AWS_RDS_SECURITY_NOTIFICATION/AWS_RDS_SECURITY_NOTIFICATION_a1a1abb4-1b43-4c42-9db6-3708dd936d9d&eventID=arn:aws:health:ap-southeast-1::event/RDS/AWS_RDS_SECURITY_NOTIFICATION/AWS_RDS_SECURITY_NOTIFICATION_a1a1abb4-1b43-4c42-9db6-3708dd936d9d&eventTab=details&layout=vertical