How to Establish a Secure Connection (SSL) from a Node.js API to an AWS RDS

One of the requirements to be HIPAA compliant is to ensure that all the communication between the application components is performed in a secure manner.

The backend application that needed to be HIPPA compliant was composed of:

• A Node.js API running in a Docker container within an AWS EC2 machine
• An Elastic Load Balancer that was exposing the API over HTTPS
• An RDS Database that the API was using

The communication between the ELB and the API was being done over HTTPS. But the API was accessing the database over HTTP.

Problem

We need to ensure that all application components are using encryption for communication between them

Solution

We can establish an SSL connection with each RDS database type( Amazon Aurora, MySQL, PostgreSQL, etc). In this guide, we will show the steps to connect over SSL to a PostgreSQL RDS DB from a Node.js application running on EC2.

SSL support is available in all AWS regions for PostgreSQL. Amazon RDS creates an SSL certificate for your PostgreSQL DB instance when the instance is created. If we enable SSL certificate verification, then the SSL certificate includes the DB instance endpoint as the Common Name (CN) for the SSL certificate to guard against spoofing attacks.

To configure our Node.js application to communicate using SSL with the RDS DB we followed the next steps:

1. We downloaded the root cert from https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem.
2. We saved it in one of our application directories, for example, /src/config/certs/rds-ca-2015-root.pem
3. We configured our ORM, in our case typeorm, to connect over SSL

4. Application testing

Connect with DB Tool over SSL

In case we want to query some data from our database directly, we need to connect to it over SSL too. To do that, we used DBeaver using the next networking configuration