
AWS RDS Postgres pg_hba.conf auth-method

Submitted by: @import:stackexchange-dba

Problem

I'm starting to use Amazon Web Service's Relational Database Server product (AWS RDS) and want to confirm I have not made a security blunder.

My configuration:

  • Postgres
  • Publicly accessible
  • Inbound rule on security group added for "PostgreSQL / My IP"

These options enable me to use pgAdmin to connect and populate data. I've tried to determine the auth-method used in AWS RDS Postgres without success.

Am I transmitting my password in clear text when I connect with pgAdmin?

Edit:

I'm starting to think my fears are warranted. This is what I've learned:

  • Directions for Using SSL with PostgreSQL DB Instance suggests it's not the default
  • The 'SSL' option in my pgAdmin connection properties has no options (prob'ly because I haven't set up certificates)

Solution

From what I can gather, SSL is usually being used. What varies is the level to which server certificates are verified.

Reading the guide from Amazon is helpful albeit lengthy.

Things to remember...

  • To determine if SSL is on (apparently this requires a plugin but works by default on AWS RDS):

    show ssl;

  • There is a ~/.pgpass file that automatically supplies passwords when using psql (this confused me for a while).

  • Full server certificate verification (requires the root cert from AWS):

    $ psql -h testpg.cdhmuqifdpib.us-east-1.rds.amazonaws.com -p 5432 "dbname=testpg user=testuser sslrootcert=rds-ca-2015-root.pem sslmode=verify-full"

  • SSL is still on with this command, however (no sslmode, sslrootcert):

    $ psql -h testpg.cdhmuqifdpib.us-east-1.rds.amazonaws.com -p 5432 "dbname=testpg user=testuser"

  • This will not connect because the root cert is not supplied:

    $ psql -h testpg.cdhmuqifdpib.us-east-1.rds.amazonaws.com -p 5432 "dbname=testpg user=testuser sslmode=verify-full"

  • I never established a non-SSL connection; however, it is possible to prevent non-SSL connections to a DB instance with a parameter on the server: rds.force_ssl

Context

StackExchange Database Administrators Q#174625, answer score: 2
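
The three psql commands in the answer differ only in their conninfo options. As an added example (not part of the original answer, and not AWS or PostgreSQL code), this shell sketch classifies what a libpq connection string guarantees, using libpq's documented defaults (sslmode=prefer, root certificate at ~/.postgresql/root.crt). The function names and posture labels are hypothetical, and it assumes unquoted key=value pairs with a file path for sslrootcert.

```shell
#!/bin/sh
# Added illustration: what does a libpq conninfo string guarantee on the wire?
# Assumes unquoted key=value pairs and a file path for sslrootcert.

# conninfo_get KEY CONNINFO: print the last value given for KEY, if any.
conninfo_get() (
  set -f                       # no globbing while splitting on whitespace
  val=
  for kv in $2; do
    case $kv in "$1"=*) val=${kv#*=} ;; esac
  done
  printf '%s' "$val"
)

# tls_posture CONNINFO: print a (hypothetical) label for the TLS protection.
tls_posture() (
  mode=$(conninfo_get sslmode "$1")
  mode=${mode:-${PGSSLMODE:-prefer}}        # libpq default: prefer
  root=$(conninfo_get sslrootcert "$1")
  root=${root:-${PGSSLROOTCERT:-$HOME/.postgresql/root.crt}}
  if [ -r "$root" ]; then have_root=1; else have_root=0; fi
  case $mode in
    disable)      echo plaintext ;;
    # SSL is used when the server offers it, but the client accepts a fallback.
    allow|prefer) echo opportunistic ;;
    # require behaves like verify-ca when a root CA file is present.
    require)      [ "$have_root" = 1 ] && echo encrypted-ca-verified || echo encrypted-unverified ;;
    verify-ca)    [ "$have_root" = 1 ] && echo encrypted-ca-verified || echo fails-no-rootcert ;;
    verify-full)  [ "$have_root" = 1 ] && echo encrypted-host-verified || echo fails-no-rootcert ;;
    *)            echo invalid-sslmode; exit 1 ;;
  esac
)

# The three conninfo strings from the answer, in order.
for ci in \
  "dbname=testpg user=testuser sslrootcert=rds-ca-2015-root.pem sslmode=verify-full" \
  "dbname=testpg user=testuser" \
  "dbname=testpg user=testuser sslmode=verify-full"
do
  printf '%-24s %s\n' "$(tls_posture "$ci")" "$ci"
done
```

If the first line prints fails-no-rootcert, the bundle named in sslrootcert is not readable from the current directory.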
