Rails 5.0 and AWS Aurora / Amazon RDS with SSL

Alan Lattimore
2 min read · May 24, 2017

We have an AWS based HIPAA compliant High Availability cluster running with Aurora as a DB. Our cluster was configured with terraform managed with Kubernetes. We use Docker to build our images.

One of the final steps in securing our app is to encrypt traffic between the rails dynos and the DB. Documentation is scattered at best and largely absent for the Rails 5.0.0 part.

And we’re off. According to AWS documentation:

Amazon Aurora DB clusters support Secure Sockets Layer (SSL) connections from applications using the same process and public key as Amazon RDS MySQL DB instances.

Awesome. AWS manages encryption on the server side so we don’t need to mess with generating CA files. All we need to do from the client side is to connect with:

  1. --ssl-ca to specify a path to a file identical to the server's .pem file; and
  2. --ssl-verify-server-cert or another mechanism to force an SSL connection.

From the MySQL documentation on Client-Side Configuration for Secure Connections:

--ssl-ca identifies the Certificate Authority (CA) certificate. This option, if used, must specify the same certificate used by the server.

--ssl-mode=mode

This option is available only for client programs, not the server. It specifies the security state of the connection to the server:

If this option is not specified, the default is to establish an unencrypted connection. This is like the --ssl=0 option or its synonyms (--skip-ssl, --disable-ssl).

If this option is specified, the only permitted value is REQUIRED (establish a secure connection if the server supports secure connections). The connection attempt fails if a secure connection cannot be established.

SSL Certificate

The public key is stored at https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem.

There are several ways of making the .pem file available. We chose to add it to the image.

Dockerfile

ADD https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem /aurora/rds-combined-ca-bundle.pem

database.yml

Rails doesn't seem to support --ssl-verify-server-cert. We'll use --ssl-mode=REQUIRED instead.

Set sslca to the absolute path where the AWS Aurora CA certs are located:

default: &default
  database: <%= ENV['DB_NAME'] %>
  host: <%= ENV['DB_HOST'] %>
  password: <%= ENV['DB_PASSWORD'] %>
  username: <%= ENV['DB_USERNAME'] %>
  sslmode: 'REQUIRED'
  sslca: /aurora/rds-combined-ca-bundle.pem

Rebuild the image with the changed files and deploy.

Verify

Jack in to a dyno. Example (this will be different depending on your setup):

kubectl exec -it rails-console -c rails-console -- /bin/bash

Fire up the rails console and see if the connection is using SSL:

ActiveRecord::Base.connection.conn.execute("SHOW STATUS LIKE '%Ssl_cipher%';").each { |r| puts r }

Should give you something like:

[["Ssl_cipher", "DHE-RSA-AES256-SHA"], ["Ssl_cipher_list", "AES256-SHA:AES128-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:ADH-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ADH-RC4-MD5"]]

There you go! Voila.
