38 changes: 38 additions & 0 deletions src/content/docs/aws/services/rds.mdx
Expand Up @@ -295,6 +295,44 @@ You can now connect to the database utilizing the user you generated and the tok
PGPASSWORD=$TOKEN psql -d $DB_NAME -U myiam -w -p $PORT -h $HOST
```

## SSL/TLS Support

LocalStack's RDS PostgreSQL emulation supports SSL/TLS-encrypted client connections, so you can test applications that require `sslmode=require` (or stricter modes) the same way they would connect to AWS RDS.
Member

We do not currently support stricter mode

SSL/TLS support is currently available for the `postgres` engine.

### Connect using SSL

Once your DB instance is running, request an encrypted connection from any PostgreSQL client by passing the `sslmode` parameter.
With `psql`:

```bash
PGPASSWORD=$MASTER_PW psql "host=$HOST port=$PORT dbname=$DB_NAME user=$MASTER_USER sslmode=require"
```

The DB instance uses a self-signed certificate, so clients that pin certificate authorities (`sslmode=verify-ca` or `sslmode=verify-full`) will need to disable certificate verification or supply their own trust anchors.
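
Review bot: The last sentence of "Connect using SSL" tells `verify-ca` and `verify-full` users to "disable certificate verification", which defeats the purpose of those modes and conflicts with the "(or stricter modes)" claim in the section intro. Those modes exist to authenticate the server; falling back to `sslmode=require` gives encryption without server authentication, and the text should say that plainly. "Pin certificate authorities" is also not what these modes do: they validate the server certificate chain against a trusted root, and `verify-full` additionally checks the host name. Suggest either documenting where the self-signed certificate can be obtained so it can be passed as `sslrootcert`, or stating that only `sslmode=require` is usable and dropping "or stricter modes" from the intro.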
Member

sslmode=verify-ca or sslmode=verify-full are currently not supported


### Force SSL connections

To require every client to connect over SSL, set the `rds.force_ssl` parameter on a DB parameter group and associate it with your instance:

```bash
awslocal rds create-db-parameter-group \
--db-parameter-group-name force-ssl \
--db-parameter-group-family postgres17 \
--description "Force SSL connections"

awslocal rds modify-db-parameter-group \
--db-parameter-group-name force-ssl \
--parameters "ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot"
```

Pass `--db-parameter-group-name force-ssl` when creating the DB instance, or attach the parameter group to an existing instance and reboot it.
Setting `rds.force_ssl=0` disables the SSL requirement, allowing clients to connect with `sslmode=disable`.
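
Review bot: The "Force SSL connections" section never shows how to confirm that enforcement took effect. Because the parameter is set with `ApplyMethod=pending-reboot`, a reader can finish these steps with plaintext connections still accepted and not notice. Suggest adding a check to run after the reboot, for example a `psql` call with `sslmode=disable` together with the rejection the reader should expect to see. The hard-coded `--db-parameter-group-family postgres17` also deserves a sentence saying it must match the engine version of the instance.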
Comment on lines +314 to +330
Member

We do not support this. Currently SSL is always enabled (like in AWS), but never enforced (force-ssl=1 is ignored)


:::note
The `pg_stat_ssl` view always reports `ssl = false`, even when the client connection is encrypted.
:::
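
Review bot: The note says `pg_stat_ssl` reports `ssl = false` for encrypted connections but leaves the reader with no way to confirm that a connection is encrypted. `pg_stat_ssl` is the usual server-side check, so tests or audits that query it will report a false negative here. Suggest naming a check that does work, such as the client-side TLS details `psql` prints on connect or via `\conninfo`.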
Comment on lines +332 to +334
Member

Maybe we could enhance this note with the technical reason why it won't?

Suggested change
:::note
The `pg_stat_ssl` view always reports `ssl = false`, even when the client connection is encrypted.
:::
:::note
As we are terminating the SSL connection at the proxy, the PostgreSQL `pg_stat_ssl` view always reports `ssl = false`, even when the client connection is encrypted.
:::


## Global Database Support

LocalStack extends support for [Aurora Global Database](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database.html) with certain limitations: