How do you enforce encryption in transit (SSL/TLS) to RDS?
Databases & Caching · Basic level
Answer
Encryption in transit is enforced from both sides: clients must require TLS, and the engine is configured to reject non-TLS connections where the engine supports that. For PostgreSQL on RDS, the usual combination is the rds.force_ssl parameter on the server plus an sslmode setting on the client. For MySQL, require SSL on the database users and have clients trust the RDS CA bundle.
Technical explanation
At-rest encryption and in-transit encryption solve different problems and both are expected for sensitive workloads.
Clients should verify the server certificate, not just turn on encryption without validation.
CA rotation must be planned because old clients may fail if trust stores are stale.
Hands-on example
PostgreSQL TLS validation:
$ psql "host=orders.xxxxxx.us-east-1.rds.amazonaws.com dbname=orders user=app sslmode=verify-full sslrootcert=/etc/ssl/rds-ca.pem"
SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();
Expected: ssl = true with an approved TLS version/cipher.
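Two pre-flight checks a deployment pipeline can run for the PostgreSQL case above, as an added example (not code from the page or from AWS): one on the libpq connection string, one on the pg_stat_ssl row. The approved-version and forbidden-cipher lists are an assumed policy, not anything RDS publishes.

```python
from typing import List, Optional

# Assumed policy values (not from the page): protocol versions and cipher
# name fragments as pg_stat_ssl reports them, in OpenSSL naming.
APPROVED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
FORBIDDEN_CIPHER_PARTS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def parse_dsn(dsn: str) -> dict:
    """Split a libpq key=value connection string (no quoting support)."""
    return dict(part.split("=", 1) for part in dsn.split())


def dsn_problems(dsn: str) -> List[str]:
    """Policy violations in a client connection string.

    sslmode=require only encrypts; it accepts any server certificate.
    Only verify-full checks the chain and the hostname, and it needs a
    CA bundle (sslrootcert) to check against.
    """
    params = parse_dsn(dsn)
    problems = []
    mode = params.get("sslmode", "prefer")  # libpq default when unset
    if mode != "verify-full":
        problems.append(f"sslmode={mode}: server certificate not verified against hostname")
    if "sslrootcert" not in params:
        problems.append("sslrootcert not set: RDS CA bundle path must be explicit")
    return problems


def session_problems(ssl: bool, version: Optional[str], cipher: Optional[str]) -> List[str]:
    """Evaluate one pg_stat_ssl row (ssl, version, cipher) for the session."""
    if not ssl:
        return ["session is not using TLS"]
    problems = []
    if version not in APPROVED_VERSIONS:
        problems.append(f"protocol {version} not approved")
    if cipher is None or any(p in cipher.upper() for p in FORBIDDEN_CIPHER_PARTS):
        problems.append(f"cipher {cipher} not approved")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the first mirrors the psql command above.
    good = ("host=orders.xxxxxx.us-east-1.rds.amazonaws.com dbname=orders user=app "
            "sslmode=verify-full sslrootcert=/etc/ssl/rds-ca.pem")
    print(dsn_problems(good))                                          # []
    print(dsn_problems("host=db dbname=orders user=app sslmode=require"))
    print(session_problems(True, "TLSv1.3", "TLS_AES_256_GCM_SHA384"))  # []
    print(session_problems(True, "TLSv1.0", "RC4-SHA"))
```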