Amazon Web Services (AWS) has warned users of its Aurora, DocumentDB and RDS database services that their applications based on these services will not run after 14 January unless they download and install new SSL/TLS certificates.
"If you are using Amazon Aurora, Amazon Relational Database Service (RDS), or Amazon DocumentDB (with MongoDB compatibility) and are taking advantage of SSL/TLS certificate validation when you connect to your database instances, you need to download and install a fresh certificate, rotate the certificate authority (CA) for the instances, and then reboot the instances," AWS chief evangelist Jeff Barr wrote in a blog post.
"If you are not using SSL/TLS connections or certificate validation, you do not need to make any updates, but I recommend that you do so in order to be ready in case you decide to use SSL/TLS connections in the future. In this case, you can use a new CLI option that rotates and stages the new certificates but avoids a restart."
The new certificate (CA-2019) is available as part of a certificate bundle that also includes the old certificate (CA-2015), so that you can make a smooth transition without getting into a chicken-and-egg situation, said the blog post.
RDS will stage-install the new certificates on existing instances between 5 February and 5 March. Restarting the instance will activate the certificate. The CA-2015 certificates will expire on 5 March. Applications that use certificate validation but have not been updated will lose connectivity.
Although this is a cyclical product update, it has serious security implications, Outpost24 cloud security director Sergio Loureiro told SC Media UK.
"The certificates are used to authenticate the servers and clients. So when I connect to Amazon Aurora, Aurora will send me a certificate showing that it is really Aurora. For this you check the name and the signature by the CA (and date). To verify the signature I need the certificate of the CA. The certificate validation is the foundation of the security of SSL/TLS."
Failing to validate the certificate would let a fake Aurora endpoint impersonate the real one, and the company could end up sending its data to that fake site. The process is just like a browser validating the certificate when we connect to our banking website over HTTPS, he explained.
"In the cloud, the difference between you, another business or an attacker can be just a TLS certificate that acts as a machine identity," commented Kevin Bocek, VP of security strategy and threat intelligence at Venafi.
"Unfortunately, even businesses that have cloud first initiatives are not prepared to tackle the challenges of managing and protecting machine identities. This is becoming a major problem because many organisations use multiple clouds to conduct business, which can involve hundreds, or even thousands, of machine identities."
"Security teams need to keep track of the expiration dates of the certificates they manage and use. It is important to rotate certificates and there is no easy way of doing it," said Loureiro.
This is a regular task that businesses need to handle. There is no security risk, but it comes with a business risk of downtime that can be anticipated, prepared for and reduced, he said.
"Actually AWS doing the rotation every five years can be considered long by security standards," he added.
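As an added example of the expiry tracking Loureiro recommends above (not code from the article or from AWS), the POSIX shell script below splits a PEM bundle such as the combined CA-2019/CA-2015 bundle into its individual certificates and reports which ones are expired or will expire within a warning window. It assumes the openssl command-line tool is installed; the WARN_DAYS variable and the function names are choices made here.

```shell
#!/bin/sh
# Report every certificate in a PEM bundle with its subject and expiry date, and
# flag the ones that are expired or expire within WARN_DAYS. Requires openssl.
WARN_DAYS="${WARN_DAYS:-60}"   # warning window in days (name chosen for this example)

# Split a PEM bundle into one file per certificate inside directory $2.
split_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
    n { print > f }
    /-----END CERTIFICATE-----/ { close(f) }
  ' "$bundle"
}

# Print "STATUS<tab>subject<tab>notAfter" for one certificate file.
# STATUS is EXPIRED, EXPIRING (inside the warning window) or OK.
cert_status() {
  cert="$1"
  subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
  enddate=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
  # -checkend N exits non-zero when the certificate expires within N seconds.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    status=EXPIRED
  elif ! openssl x509 -in "$cert" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null; then
    status=EXPIRING
  else
    status=OK
  fi
  printf '%s\t%s\t%s\n' "$status" "$subject" "$enddate"
}

# Report on every certificate in the bundle; return 1 if any needs attention.
check_bundle() {
  bundle="$1"
  tmp=$(mktemp -d)
  split_bundle "$bundle" "$tmp"
  rc=0
  for c in "$tmp"/cert-*.pem; do
    line=$(cert_status "$c")
    printf '%s\n' "$line"
    case "$line" in OK*) ;; *) rc=1 ;; esac
  done
  rm -rf "$tmp"
  return $rc
}
```

Run it as `check_bundle rds-combined-ca-bundle.pem` from a cron job or CI step so that a non-zero exit surfaces certificates approaching expiry well before the deadline.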