AWS-DocumentDB-instance-certificates-rotated

Severity: Medium

Description: This control checks for the latest CA certificate. It ensures that your DocumentDB cluster is using the latest version of the Amazon Root CA, i.e. 2019. Using an expired SSL certificate is as vulnerable as using a plain TCP connection.

Remediation Steps:

Perform the following to update DocumentDB certificates:

  1. Step 1: Download the new CA

    1. Download the new CA certificate bundle from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem and update your application to use it when creating TLS connections to Amazon DocumentDB. The download produces a file named rds-combined-ca-bundle.pem.

      wget https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem



  2. Step 2: Update the server certificate

    1. Log in to the AWS Management Console at https://console.aws.amazon.com.

    2. Navigate to DocumentDB console.

    3. From the list of regions in the upper right of the screen, choose the region in which the cluster(s) reside.

    4. Select Certificate maintenance. If any cluster requires the server certificate to be updated, a red badge appears next to Certificate maintenance with a number indicating how many clusters need to be upgraded.

    5. The resulting Pending Certificate Maintenance Available page lists the clusters that need server certificate updates. Select a cluster to update.

    6. Choose Schedule to upgrade certificate in the next maintenance window or choose Apply now to upgrade certificate immediately.

    7. Once all of the cluster(s) in the account, for a given region, have been updated to use the latest TLS certificate, a green badge appears on the left-hand side of the console under Certificate maintenance.

Important:

  • Latest CA certificate reported by Amazon: rds-ca-2019.

  • Applying the maintenance to your cluster(s) requires that the instances be rebooted, which may cause service disruption.
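The check this control performs can also be run programmatically before and after the console steps above. The following is an added example, not part of this control text or Amazon's tooling: it reads a `describe-db-instances` style response (field names follow the DocumentDB DescribeDBInstances API) and lists instances whose CA identifier is not rds-ca-2019, separating those that already have the new CA pending a reboot. The sample response and the `rds-ca-2015` value in it are constructed.

```python
"""Flag DocumentDB instances not yet on the expected CA certificate (added example)."""
from typing import Dict, List

EXPECTED_CA = "rds-ca-2019"  # identifier named in the control's Important note


def instances_needing_rotation(describe_response: Dict, expected_ca: str = EXPECTED_CA) -> List[Dict]:
    """Return one finding per instance whose CACertificateIdentifier != expected_ca.

    describe_response has the shape of the `aws docdb describe-db-instances`
    (boto3 DocumentDB.Client.describe_db_instances) response.  A finding whose
    PendingCA equals expected_ca has been scheduled but still needs the reboot
    that applies the maintenance.
    """
    findings = []
    for inst in describe_response.get("DBInstances", []):
        current = inst.get("CACertificateIdentifier")
        if current == expected_ca:
            continue
        pending = (inst.get("PendingModifiedValues") or {}).get("CACertificateIdentifier")
        findings.append({
            "DBInstanceIdentifier": inst.get("DBInstanceIdentifier"),
            "DBClusterIdentifier": inst.get("DBClusterIdentifier"),
            "CACertificateIdentifier": current,
            "PendingCA": pending,
        })
    return findings


def fetch_and_check(region_name: str) -> List[Dict]:
    """Live variant for one region; needs boto3 and AWS credentials with docdb:DescribeDBInstances."""
    import boto3  # imported here so the offline check above runs without boto3 installed
    client = boto3.client("docdb", region_name=region_name)
    findings: List[Dict] = []
    for page in client.get_paginator("describe_db_instances").paginate():
        findings.extend(instances_needing_rotation(page))
    return findings


# Constructed sample response, not data from a real account.
SAMPLE_RESPONSE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "docdb-prod-1", "DBClusterIdentifier": "docdb-prod",
         "CACertificateIdentifier": "rds-ca-2019"},
        {"DBInstanceIdentifier": "docdb-legacy-1", "DBClusterIdentifier": "docdb-legacy",
         "CACertificateIdentifier": "rds-ca-2015"},
        {"DBInstanceIdentifier": "docdb-legacy-2", "DBClusterIdentifier": "docdb-legacy",
         "CACertificateIdentifier": "rds-ca-2015",
         "PendingModifiedValues": {"CACertificateIdentifier": "rds-ca-2019"}},
    ]
}

if __name__ == "__main__":
    for f in instances_needing_rotation(SAMPLE_RESPONSE):
        state = "scheduled, reboot pending" if f["PendingCA"] == EXPECTED_CA else "NOT rotated"
        print(f"{f['DBClusterIdentifier']}/{f['DBInstanceIdentifier']}: CA={f['CACertificateIdentifier']} ({state})")
```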

Reference:

https://docs.aws.amazon.com/documentdb/latest/developerguide/ca-cert-rotation.html

Blue Hexagon Proprietary