Postgresql – Force PostgreSQL clients to use SSL on Amazon RDS

amazon-rdspostgresqlssl

I'm running a PostgreSQL 9.4.x instance on Amazon RDS. I can successfully connect to that server using SSL using a command line similar to this one:

psql "host=x.y.z.rds.amazonaws.com dbname=aaa user=bbb sslmode=verify-full"

How can I force clients to use SSL (to make eavesdropping harder)? The following should fail to connect:

psql "host=x.y.z.rds.amazonaws.com dbname=aaa user=bbb sslmode=disable"

As far as I can tell, on Amazon RDS you can't edit pg_hba.conf, so I can't put hostssl entries in there.

This AWS blog post suggests how it could be done with MySQL, but I can't find links to similar information for PostgreSQL.

My motivation is to prevent myself (or other users) from accidentally transmitting sensitive information unencrypted across the network.

Best Answer

Looks like this has finally been added. From the docs:

You can use the rds.force_ssl parameter to force connections to your PostgreSQL database to use SSL. The default value is 0 (off). When you set this parameter to 1 (on) and restart your instance, your database will refuse any non-SSL connections. This parameter also sets the PostgreSQL parameter ssl to on as well as modifies your instance's pg_hba.conf to support this SSL configuration.

Related Question