Merged
38 changes: 38 additions & 0 deletions src/content/docs/aws/services/rds.mdx
Expand Up @@ -295,6 +295,44 @@ You can now connect to the database utilizing the user you generated and the tok
PGPASSWORD=$TOKEN psql -d $DB_NAME -U myiam -w -p $PORT -h $HOST
```

## SSL/TLS Support

LocalStack's RDS PostgreSQL emulation supports SSL/TLS-encrypted client connections, so you can test applications that require `sslmode=require` (or stricter modes) the same way they would connect to AWS RDS.
Member

We do not currently support stricter modes.

SSL/TLS support is currently available for the `postgres` engine.

### Connect using SSL

Once your DB instance is running, request an encrypted connection from any PostgreSQL client by passing the `sslmode` parameter.
With `psql`:

```bash
PGPASSWORD=$MASTER_PW psql "host=$HOST port=$PORT dbname=$DB_NAME user=$MASTER_USER sslmode=require"
```

The DB instance uses a self-signed certificate, so clients that pin certificate authorities (`sslmode=verify-ca` or `sslmode=verify-full`) will need to disable certificate verification or supply their own trust anchors.
Member

`sslmode=verify-ca` or `sslmode=verify-full` are currently not supported.


### Force SSL connections

To require every client to connect over SSL, set the `rds.force_ssl` parameter on a DB parameter group and associate it with your instance:

```bash
awslocal rds create-db-parameter-group \
--db-parameter-group-name force-ssl \
--db-parameter-group-family postgres17 \
--description "Force SSL connections"

awslocal rds modify-db-parameter-group \
--db-parameter-group-name force-ssl \
--parameters "ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot"
```

Pass `--db-parameter-group-name force-ssl` when creating the DB instance, or attach the parameter group to an existing instance and reboot it.
Setting `rds.force_ssl=0` disables the SSL requirement, allowing clients to connect with `sslmode=disable`.
Member

We do not support this. Currently, SSL is always enabled (like in AWS), but never enforced (force-ssl=1 is ignored).


:::note
The `pg_stat_ssl` view always reports `ssl = false`, even when the client connection is encrypted.
:::
HarshCasper marked this conversation as resolved.

## Global Database Support

LocalStack extends support for [Aurora Global Database](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database.html) with certain limitations:
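
Review bot: In the "Connect using SSL" paragraph, "disable certificate verification" is ambiguous for the `sslmode=verify-ca` and `sslmode=verify-full` case, and together with the closing note that `pg_stat_ssl` always reports `ssl = false`, the section gives readers no documented way to confirm that a session is actually encrypted. Suggest naming the concrete client setting to use with the self-signed certificate (or where the certificate can be obtained to serve as a trust anchor), and adding a client-side check that stands in for the unusable `pg_stat_ssl` view. In "Force SSL connections", the family `postgres17` is hardcoded without saying which engine versions it applies to, and the `ApplyMethod=pending-reboot` step has no follow-up showing how to verify after the reboot that a `sslmode=disable` connection is rejected.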