jpnix: (Default)
2020-01-03 11:34 am

Easily update all your AWS RDS CA Certificates

You guys have probably noticed this warning at the top of your RDS page in the AWS Console.
[Image: AWS console RDS CA cert warning]

While it is fairly trivial to update the CA certificates via the console, that is not ideal if you have a large number of RDS instances running. With a short shell loop and the AWS CLI you can update all of them in a matter of minutes.

Requirements.

  • Have the AWS CLI installed. If you don't have it, see the Amazon documentation to install it

  • An AWS admin account (or appropriate permissions to modify RDS instances)

  • Corresponding AWS profile set up with your account keys


Code to run
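PROFILE=dev          # AWS CLI profile used for both calls
REGION=us-east-1
# --query with --output text returns only the instance identifiers, so no grep/awk parsing is needed
for i in $(aws rds describe-db-instances --profile="$PROFILE" --region="$REGION" --query 'DBInstances[].DBInstanceIdentifier' --output text);
do
    aws rds modify-db-instance --db-instance-identifier "$i" --ca-certificate-identifier rds-ca-2019 --apply-immediately --profile="$PROFILE" --region="$REGION";
done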


NOTE: This will require a reboot, as it uses the --apply-immediately flag. If you cannot have downtime in your environment, you should use the maintenance window option instead (--no-apply-immediately) or wait until a defined maintenance window to run this.
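
Since every modified instance reboots, it helps to touch only the instances that still need the change. The following is an added example, not part of the original post: the function names and the sample rows are constructed for illustration, and the plan is printed as a dry run rather than executed.

```shell
#!/bin/sh
# Added example (not the post's code). Target CA taken from the post.
TARGET_CA=rds-ca-2019

# Reads "identifier<TAB>ca<TAB>status" rows on stdin, as produced by:
#   aws rds describe-db-instances --output text --query \
#     'DBInstances[].[DBInstanceIdentifier,CACertificateIdentifier,DBInstanceStatus]'
# Prints the identifiers that are not yet on TARGET_CA and are in the
# "available" state; anything else that is pending is reported on stderr.
select_pending() {
    awk -F '\t' -v target="$TARGET_CA" '
        NF < 3            { next }   # ignore blank or malformed rows
        $2 == target      { next }   # already on the new CA, no reboot needed
        $3 != "available" { print "skip " $1 " (" $3 ")" > "/dev/stderr"; next }
                          { print $1 }'
}

# Constructed sample rows standing in for real CLI output (hypothetical names).
sample_rows() {
    printf 'orders-db\trds-ca-2015\tavailable\n'
    printf 'users-db\trds-ca-2019\tavailable\n'
    printf 'reports-db\trds-ca-2015\tavailable\n'
    printf 'archive-db\trds-ca-2015\tstopped\n'
}

# Dry run: print the modify command for each pending instance read from stdin.
plan_updates() {
    select_pending | while read -r id; do
        echo "aws rds modify-db-instance --db-instance-identifier $id" \
             "--ca-certificate-identifier $TARGET_CA --apply-immediately"
    done
}
```

Running `sample_rows | plan_updates` prints two commands (orders-db and reports-db) and reports archive-db as skipped; piping the real describe-db-instances output in place of `sample_rows` gives the plan for your account, and the same filter doubles as a check after the update that nothing is left on the old CA.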