Secure JDBC connection to an RDS Database
This article describes how to establish a secure JDBC connection from a client application to an RDS database, applying security best practices.
Published Feb 9, 2025
Last Modified Feb 10, 2025
I found it useful to show how an external system (one that does not own the database) should configure its JDBC connection so that the channel meets the security guidelines most clients require.
The main security criteria this article addresses are: no database username or password stored in the client application; password rotation enforced by an AWS Secrets Manager rotation schedule; and encryption of the channel between the client and the server.
I usually take this kind of approach:
- Prerequisites:
  - Create a secret in AWS Secrets Manager linked to the RDS database, with a rotation schedule that rotates it every xx days.
  - Create/configure an IAM user for M2M access (note that its access keys are long-lived static credentials that then have to be protected on the client), or use temporary credentials from IAM Roles Anywhere.
  - Attach an IAM policy to the user/role granting only the privileges it needs.
  - Configure the database user associated with the secret with only the permissions it needs (for example access to a specific table or schema).
  - Download the RDS CA certificate so the connection can be encrypted and the server verified.
- Client component:
  - Test access to the AWS secret.
  - Retrieve the password from the secret.
  - Establish a secure JDBC connection.
The diagram below shows the integration flow:

Let's start....
Creating an IAM user looks like this:


Creating a secret in AWS Secrets Manager looks like this:

It asks for the database username and password, the encryption key, and the database instance.
The second page prompts for:

The last step configures the rotation schedule:

After that the secret is available in AWS and your IAM user needs permission on that resource: at minimum secretsmanager:GetSecretValue scoped to that secret's ARN, plus kms:Decrypt on the key if the secret is encrypted with a customer-managed KMS key.
Another approach is IAM Roles Anywhere, which issues temporary security credentials to a workload that authenticates with an X.509 certificate from a trusted CA (link).
Then download the RDS CA certificate bundle that AWS uses to sign the database server certificate; you can find the details in this article: link.
Now that the IAM M2M user exists, the secret is in place and you have the certificate, here is some sample code for making the JDBC connection:
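The following is an added example, not the article's own sample code. It assumes an RDS PostgreSQL instance, the AWS SDK for Java v2, Jackson for JSON parsing, and the RDS CA bundle saved locally as global-bundle.pem; the secret ARN, region and file path are placeholders. AWS credentials come from the SDK's default provider chain (IAM user access keys from the environment, or a Roles Anywhere credential_process profile), so the client code contains no database credentials at all. The secret is cached in memory and re-fetched only when the database rejects the password, which is what happens after a rotation.

```java
// Added example (not the article's own code): fetch the RDS-managed secret from
// AWS Secrets Manager and open a TLS-verified JDBC connection with it.
// Assumptions: PostgreSQL on RDS, AWS SDK for Java v2, Jackson, RDS CA bundle on disk.
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class SecureRdsJdbc {

    // Hypothetical identifiers: replace with your own secret ARN/name and region.
    private static final String SECRET_ID =
            "arn:aws:secretsmanager:eu-west-1:123456789012:secret:rds-app-user-AbCdEf";
    private static final Region REGION = Region.EU_WEST_1;
    // Assumed path of the RDS CA bundle downloaded from AWS (PEM format).
    private static final String CA_BUNDLE = "/etc/ssl/rds/global-bundle.pem";

    /** Fields of an RDS-managed secret; held only in memory, never written to disk. */
    record DbSecret(String host, int port, String dbname, String username, String password) {}

    private static volatile DbSecret cached;

    /** Read the secret at run time; SDK credentials come from the default provider chain. */
    static DbSecret fetchSecret() throws Exception {
        try (SecretsManagerClient sm = SecretsManagerClient.builder().region(REGION).build()) {
            String json = sm.getSecretValue(
                    GetSecretValueRequest.builder().secretId(SECRET_ID).build()).secretString();
            JsonNode n = new ObjectMapper().readTree(json);
            return new DbSecret(n.get("host").asText(), n.get("port").asInt(),
                    n.get("dbname").asText(), n.get("username").asText(),
                    n.get("password").asText());
        }
    }

    /** Open the JDBC connection with TLS enforced and the server certificate verified. */
    static Connection connect(DbSecret s) throws SQLException {
        String url = "jdbc:postgresql://" + s.host() + ":" + s.port() + "/" + s.dbname();
        Properties p = new Properties();
        p.setProperty("user", s.username());
        p.setProperty("password", s.password());
        // verify-full: TLS is mandatory, the server cert must chain to the RDS CA
        // AND its hostname must match. Weaker modes (require, verify-ca) leave
        // room for a MITM that presents any certificate from the same CA.
        p.setProperty("ssl", "true");
        p.setProperty("sslmode", "verify-full");
        p.setProperty("sslrootcert", CA_BUNDLE);
        return DriverManager.getConnection(url, p);
    }

    /** Use the cached secret; on an auth failure (PostgreSQL SQLState 28P01 =
     *  invalid_password) assume it was rotated, re-fetch once and retry. */
    static Connection openConnection() throws Exception {
        if (cached == null) cached = fetchSecret();
        try {
            return connect(cached);
        } catch (SQLException e) {
            if (!"28P01".equals(e.getSQLState())) throw e;
            cached = fetchSecret();
            return connect(cached);
        }
    }

    public static void main(String[] args) throws Exception {
        try (Connection c = openConnection();
             Statement st = c.createStatement();
             // Ask the server whether this session is actually encrypted.
             ResultSet rs = st.executeQuery(
                     "SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid()")) {
            if (rs.next() && rs.getBoolean(1)) {
                System.out.println("Connected to " + cached.host() + " over TLS as " + cached.username());
            } else {
                throw new IllegalStateException("Connection is not using TLS");
            }
        }
    }
}
```

Run it with the PostgreSQL JDBC driver, the AWS SDK v2 secretsmanager module and Jackson on the classpath, and AWS credentials available to the SDK (for example AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY for the M2M user, or an AWS profile whose credential_process runs the Roles Anywhere credential helper). For MySQL/MariaDB the equivalent is MySQL Connector/J with sslMode=VERIFY_IDENTITY and the RDS CA bundle loaded into a truststore; the rest of the flow is unchanged. The final pg_stat_ssl check is a cheap way to confirm in a test environment that the connection really negotiated TLS and was not silently downgraded.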