RDS.43: RDS DB proxies should require TLS
Written and reviewed by Emnode
What does AWS Security Hub RDS.43 check?
RDS.43 checks the RequireTLS flag on an RDS DB proxy. It reports FAILED for any proxy where TLS is not required for all connections — which is the default when a proxy is created without setting the flag.
Why does RDS.43 matter?
RDS Proxy sits between an application's connection pool and the underlying database, terminating and re-establishing connections, so it has its own TLS posture entirely separate from the database engine underneath. With RequireTLS false, the proxy accepts and forwards plaintext connections, and the leg between the proxy and the application travels unencrypted. The database can be encrypted at rest, in a private subnet, and locked down by security groups, and still have an in-transit hole because the proxy in front of it was provisioned with TLS optional.
How do I fix RDS.43?
- Confirm clients connecting to the proxy can negotiate TLS.
- Set RequireTLS to true with modify-db-proxy --require-tls.
- Verify plaintext connections to the proxy are now refused.
- Default RequireTLS to true in IaC for all proxies.
Remediation script · bash
# Inventory candidate stores: every RDS instance (its parameter group is checked below)
# and every ElastiCache replication group with in-transit encryption switched off.
aws rds describe-db-instances \
--query 'DBInstances[].DBInstanceIdentifier' --output text
aws elasticache describe-replication-groups \
--query 'ReplicationGroups[?TransitEncryptionEnabled==`false`].ReplicationGroupId' \
--output text
# RDS for PostgreSQL: require TLS via rds.force_ssl (static -> needs a reboot).
PG=$(aws rds describe-db-instances --db-instance-identifier prod-orders-pg \
--query 'DBInstances[].DBParameterGroups[].DBParameterGroupName' --output text)
aws rds modify-db-parameter-group --db-parameter-group-name "$PG" \
--parameters 'ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot'
aws rds reboot-db-instance --db-instance-identifier prod-orders-pg
# Redshift: require_ssl on a custom cluster parameter group, then reboot.
aws redshift modify-cluster-parameter-group --parameter-group-name analytics-tls \
--parameters ParameterName=require_ssl,ParameterValue=true
aws redshift reboot-cluster --cluster-identifier analytics-prod
Full walkthrough (console steps, edge cases and verification): see the lesson Enforce TLS on database and cache connections.
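The script above covers engine-side TLS; the proxy-side step from the fix list (audit RequireTLS, set it, confirm plaintext is refused) as an added example that is not part of the page or of AWS's own tooling. It assumes AWS CLI v2 with credentials in the environment, psql for the PostgreSQL verification, and that PGPASSWORD is exported by the caller.

```bash
#!/usr/bin/env bash
# Added example: audit every RDS Proxy in the region for RDS.43, set RequireTLS
# where it is missing, and prove the proxy now refuses plaintext connections.
set -euo pipefail

# RDS.43 logic mirrored locally: PASSED only when RequireTLS is true.
# $1 is the value as the CLI prints it (True/False/None); a proxy created
# without the flag reports False, which is why the default fails the control.
rds43_status() {
  case "$1" in
    True|true) echo PASSED ;;
    *)         echo FAILED ;;
  esac
}

# Names of proxies Security Hub would report FAILED (RequireTLS false or unset).
list_failing_proxies() {
  aws rds describe-db-proxies \
    --query 'DBProxies[?RequireTLS!=`true`].DBProxyName' --output text
}

# The fix from the page: modify-db-proxy --require-tls. Prints the new flag value.
require_tls() {
  aws rds modify-db-proxy --db-proxy-name "$1" --require-tls \
    --query 'DBProxy.RequireTLS' --output text
}

# Verification against a PostgreSQL proxy endpoint: sslmode=disable must be
# refused and sslmode=require must succeed. Args: endpoint user dbname.
verify_pg_proxy() {
  local host=$1 user=$2 db=$3
  if psql "host=$host user=$user dbname=$db sslmode=disable connect_timeout=5" \
       -c 'select 1' >/dev/null 2>&1; then
    echo "FAIL: $host still accepts plaintext"; return 1
  fi
  psql "host=$host user=$user dbname=$db sslmode=require connect_timeout=5" \
    -c 'select 1' >/dev/null
  echo "OK: $host refuses plaintext and accepts TLS"
}

main() {
  local p status
  for p in $(list_failing_proxies); do
    status=$(require_tls "$p")
    echo "$p: RequireTLS=$status -> $(rds43_status "$status")"
  done
}

# Only acts when asked, so the file can be sourced for its functions without side effects.
if [ "${RDS43_APPLY:-0}" = 1 ]; then main; fi
```

Run with RDS43_APPLY=1 to remediate, then call verify_pg_proxy with the proxy endpoint, a database user and a database name to confirm the flag is enforced end to end.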
Is RDS.43 a false positive?
A database engine that already enforces TLS does not make the proxy compliant: RDS.43 evaluates the proxy's own RequireTLS flag, which is independent of the engine's encryption settings. One reason to front a database with a proxy is to enforce modern TLS at the proxy even when the engine only speaks an older version, but that holds only if the flag is actually set.
More RDS controls
- RDS.1 An RDS snapshot is shared publicly
- RDS.2 An RDS instance is publicly accessible from the internet
- RDS.3 RDS DB instances should be encrypted at rest
- RDS.4 RDS snapshots should be encrypted at rest
- RDS.5 RDS DB instances should use multiple AZs
- RDS.6 RDS lacks enhanced monitoring
- RDS.7 RDS clusters should have deletion protection
- RDS.8 RDS DB instances should have deletion protection
- RDS.9 RDS engine logs are not shipped to CloudWatch
- RDS.10 RDS relies on long-lived database passwords
- RDS.11 RDS instances should have automatic backups
- RDS.12 IAM auth should be configured for RDS clusters