Amazon AWS warns certain users to update certificates or face lost connectivity

Published: Friday, 10 January 2020 10:15

Amazon AWS has told users of Amazon Aurora, Amazon Relational Database Service (RDS), or Amazon DocumentDB (with MongoDB compatibility) that are taking advantage of SSL/TLS certificate validation when connecting to database instances that it is necessary to ‘download and install a fresh certificate , rotate the certificate authority (CA) for the instances, and then reboot the instances’.

The action is required because SSL/TLS certificates for RDS, Aurora, and Amazon DocumentDB expire and are replaced every five years as part of Amazon AWS’s standard maintenance and security discipline.

The deadline date for refreshing SSL/TLS certificate for these services is March 5, 2020 when the CA-2015 certificates will expire. Amazon AWS says that applications that use certificate validation but have not updated their certificates will lose connectivity after this date.

Kevin Bocek, VP security strategy and threat intelligence, Venafi commented:

“In the cloud, the difference between you, another business or an attacker can be just a TLS certificate that acts as a machine identity.

“Unfortunately, even businesses that have cloud first initiatives are not prepared to tackle the challenges of managing and protecting machine identities. This is becoming a major problem because many organisations use multiple clouds to conduct business, which can involve hundreds, or even thousands, of machine identities. 

“Amazon AWS is urgently notifying customers of some of their most popular database services that they’re responsible for changing out some of their machine identities or face being locked out. This is just one more reason why it’s not optional for businesses to have complete visibility over all the machine identities they use and the automation to change them out fast. This is the only way to make sure the business can protect themselves in and out of the cloud.”

More details.