Configuring security protocols and ciphers - Amazon Relational Database Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configuring security protocols and ciphers

You can turn certain security protocols and ciphers on and off using DB parameters. The security parameters that you can configure (except for TLS version 1.2) are shown in the following table.

For parameters other than rds.fips, the value of default means that the operating system default value is used, whether it is enabled or disabled.

Note

You can't disable TLS 1.2, because Amazon RDS uses it internally.

DB parameter | Allowed values (the default is listed first) | Description
rds.tls10 | default, enabled, disabled | TLS 1.0.
rds.tls11 | default, enabled, disabled | TLS 1.1.
rds.tls12 | default | TLS 1.2. You can't modify this value.
rds.fips | 0, 1 | When you set the parameter to 1, RDS forces the use of modules that are compliant with the Federal Information Processing Standard (FIPS) 140-2 standard. For more information, see Use SQL Server 2016 in FIPS 140-2-compliant mode in the Microsoft documentation. Note: You must reboot the DB instance after the modification to make it effective.
rds.rc4 | default, enabled, disabled | RC4 stream cipher.
rds.diffie-hellman | default, enabled, disabled | Diffie-Hellman key-exchange encryption.
rds.diffie-hellman-min-key-bit-length | default, 1024, 2048, 4096 | Minimum bit length for Diffie-Hellman keys.
rds.curve25519 | default, enabled, disabled | Curve25519 elliptic-curve encryption cipher. This parameter isn't supported for all engine versions.
rds.3des168 | default, enabled, disabled | Triple Data Encryption Standard (DES) encryption cipher with a 168-bit key length.

Note

For more information on the default values for SQL Server security protocols and ciphers, see Protocols in TLS/SSL (Schannel SSP) and Cipher Suites in TLS/SSL (Schannel SSP) in the Microsoft documentation.

Use the following process to configure the security protocols and ciphers:

  1. Create a custom DB parameter group.

  2. Modify the parameters in the parameter group.

  3. Associate the DB parameter group with your DB instance.

For more information on DB parameter groups, see Working with parameter groups.

Creating the security-related parameter group

Create a parameter group for your security-related parameters that corresponds to the SQL Server edition and version of your DB instance.

The following procedure creates a parameter group for SQL Server Standard Edition 2016.

To create the parameter group
  1. Sign in to the Amazon Web Services Management Console and open the Amazon RDS console at https://console.amazonaws.cn/rds/.

  2. In the navigation pane, choose Parameter groups.

  3. Choose Create parameter group.

  4. In the Create parameter group pane, do the following:

    1. For Parameter group family, choose sqlserver-se-13.0.

    2. For Group name, enter an identifier for the parameter group, such as sqlserver-ciphers-se-13.

    3. For Description, enter Parameter group for security protocols and ciphers.

  5. Choose Create.

The following procedure creates the same parameter group for SQL Server Standard Edition 2016 using the Amazon CLI.

To create the parameter group
  • Run one of the following commands.

    For Linux, macOS, or Unix:

    aws rds create-db-parameter-group \
        --db-parameter-group-name sqlserver-ciphers-se-13 \
        --db-parameter-group-family "sqlserver-se-13.0" \
        --description "Parameter group for security protocols and ciphers"

    For Windows:

    aws rds create-db-parameter-group ^
        --db-parameter-group-name sqlserver-ciphers-se-13 ^
        --db-parameter-group-family "sqlserver-se-13.0" ^
        --description "Parameter group for security protocols and ciphers"

Modifying security-related parameters

Modify the security-related parameters in the parameter group that corresponds to the SQL Server edition and version of your DB instance.

The following procedure modifies the parameter group that you created for SQL Server Standard Edition 2016. This example turns off TLS version 1.0.

To modify the parameter group
  1. Sign in to the Amazon Web Services Management Console and open the Amazon RDS console at https://console.amazonaws.cn/rds/.

  2. In the navigation pane, choose Parameter groups.

  3. Choose the parameter group, such as sqlserver-ciphers-se-13.

  4. Under Parameters, filter the parameter list for rds.

  5. Choose Edit parameters.

  6. Choose rds.tls10.

  7. For Values, choose disabled.

  8. Choose Save changes.

The following procedure modifies the parameter group that you created for SQL Server Standard Edition 2016 using the Amazon CLI. This example turns off TLS version 1.0.

To modify the parameter group
  • Run one of the following commands.

    For Linux, macOS, or Unix:

    aws rds modify-db-parameter-group \
        --db-parameter-group-name sqlserver-ciphers-se-13 \
        --parameters "ParameterName='rds.tls10',ParameterValue='disabled',ApplyMethod=pending-reboot"

    For Windows:

    aws rds modify-db-parameter-group ^
        --db-parameter-group-name sqlserver-ciphers-se-13 ^
        --parameters "ParameterName='rds.tls10',ParameterValue='disabled',ApplyMethod=pending-reboot"
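As an added example that is not part of the Amazon RDS documentation, the following Python covers both the parameter table above and the modify step: it validates a set of rds.* overrides against the table's allowed values, emits them in the Parameters shape that aws rds modify-db-parameter-group --parameters (and boto3's modify_db_parameter_group) accept, renders the CLI shorthand shown above, and audits a describe-db-parameters response for protocols and ciphers left enabled. It makes no AWS calls; the sample response is constructed for illustration.

```python
# Allowed values per the rds.* parameter table on this page.
ALLOWED = {
    "rds.tls10": {"default", "enabled", "disabled"},
    "rds.tls11": {"default", "enabled", "disabled"},
    "rds.fips": {"0", "1"},
    "rds.rc4": {"default", "enabled", "disabled"},
    "rds.diffie-hellman": {"default", "enabled", "disabled"},
    "rds.diffie-hellman-min-key-bit-length": {"default", "1024", "2048", "4096"},
    "rds.curve25519": {"default", "enabled", "disabled"},
    "rds.3des168": {"default", "enabled", "disabled"},
}
# Deprecated protocols/ciphers; "default" defers to the OS and may leave them on.
WEAK_UNLESS_DISABLED = ("rds.tls10", "rds.tls11", "rds.rc4", "rds.3des168")

def build_overrides(desired):
    """Validate desired values; these are static, so ApplyMethod is pending-reboot."""
    out = []
    for name, value in desired.items():
        if name not in ALLOWED:  # also rejects rds.tls12, which cannot be modified
            raise ValueError(f"{name} is not a configurable rds.* security parameter")
        if value not in ALLOWED[name]:
            raise ValueError(f"{value!r} is not an allowed value for {name}")
        out.append({"ParameterName": name, "ParameterValue": value,
                    "ApplyMethod": "pending-reboot"})
    return out

def to_cli_shorthand(overrides):
    """Render entries in the --parameters shorthand used on this page."""
    return [f"ParameterName='{p['ParameterName']}',ParameterValue='{p['ParameterValue']}',"
            f"ApplyMethod={p['ApplyMethod']}" for p in overrides]

def weak_settings(describe_response):
    """Return findings for a describe-db-parameters response (dict form)."""
    findings = []
    for p in describe_response.get("Parameters", []):
        name, value = p.get("ParameterName"), p.get("ParameterValue", "default")
        if name in WEAK_UNLESS_DISABLED and value != "disabled":
            findings.append(f"{name} is {value}; expected disabled")
        if name == "rds.diffie-hellman-min-key-bit-length" and value in ("default", "1024"):
            findings.append(f"{name} is {value}; expected 2048 or higher")
    return findings

# Constructed sample of a describe-db-parameters response (not real output).
SAMPLE_DESCRIBE = {"Parameters": [
    {"ParameterName": "rds.tls10", "ParameterValue": "disabled", "ApplyType": "static"},
    {"ParameterName": "rds.tls11", "ParameterValue": "default", "ApplyType": "static"},
    {"ParameterName": "rds.rc4", "ParameterValue": "enabled", "ApplyType": "static"},
    {"ParameterName": "rds.diffie-hellman-min-key-bit-length", "ParameterValue": "1024"},
]}
```

Feed the real output of aws rds describe-db-parameters --db-parameter-group-name sqlserver-ciphers-se-13 (parsed with json.loads) to weak_settings after the instance reboots to confirm the group is applied as intended.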

Associating the security-related parameter group with your DB instance

To associate the parameter group with your DB instance, use the Amazon Web Services Management Console or the Amazon CLI.

You can associate the parameter group with a new or existing DB instance:

To create a DB instance with the parameter group
  • Specify the same DB engine type and major version as you used when creating the parameter group.

    For Linux, macOS, or Unix:

    aws rds create-db-instance \
        --db-instance-identifier mydbinstance \
        --db-instance-class db.m5.2xlarge \
        --engine sqlserver-se \
        --engine-version 13.00.5426.0.v1 \
        --allocated-storage 100 \
        --master-user-password secret123 \
        --master-username admin \
        --storage-type gp2 \
        --license-model li \
        --db-parameter-group-name sqlserver-ciphers-se-13

    For Windows:

    aws rds create-db-instance ^
        --db-instance-identifier mydbinstance ^
        --db-instance-class db.m5.2xlarge ^
        --engine sqlserver-se ^
        --engine-version 13.00.5426.0.v1 ^
        --allocated-storage 100 ^
        --master-user-password secret123 ^
        --master-username admin ^
        --storage-type gp2 ^
        --license-model li ^
        --db-parameter-group-name sqlserver-ciphers-se-13

    Note

    Specify a password other than the prompt shown here as a security best practice.

To modify a DB instance and associate the parameter group
  • Run one of the following commands.

    For Linux, macOS, or Unix:

    aws rds modify-db-instance \
        --db-instance-identifier mydbinstance \
        --db-parameter-group-name sqlserver-ciphers-se-13 \
        --apply-immediately

    For Windows:

    aws rds modify-db-instance ^
        --db-instance-identifier mydbinstance ^
        --db-parameter-group-name sqlserver-ciphers-se-13 ^
        --apply-immediately