AWS Security Hub · RDS
RDS.44: RDS MariaDB should be encrypted in transit
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub RDS.44 check?
RDS.44 checks whether connections to an RDS for MariaDB instance are forced to be encrypted. It reports FAILED when the attached DB parameter group does not set require_secure_transport to ON, or when the parameter group is out of sync with the instance. It only evaluates MariaDB 10.5 and later.
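The three criteria just stated (MariaDB 10.5+, parameter group in sync, require_secure_transport ON) as an added, runnable evaluation over constructed records shaped like the output of `aws rds describe-db-instances` and `aws rds describe-db-parameters`; this is example code written for this page, not Security Hub's implementation, and the instance names, versions and the ON/1 value handling are assumptions.

```python
# Added example, not Security Hub's code: applies the RDS.44 criteria above to constructed
# records shaped like describe-db-instances / describe-db-parameters output.
MIN_VERSION = (10, 5)  # require_secure_transport only exists from MariaDB 10.5
PARAM = "require_secure_transport"


def parse_version(engine_version):
    """'10.6.14' -> (10, 6, 14); stops at the first non-numeric component."""
    parts = []
    for piece in engine_version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def evaluate_rds44(instance, params_by_group):
    """Return 'PASSED', 'FAILED', or None when the control does not apply to the instance."""
    if instance.get("Engine") != "mariadb":
        return None
    if parse_version(instance.get("EngineVersion", "0"))[:2] < MIN_VERSION:
        return None  # 10.4 and earlier: the parameter cannot be set, an engine upgrade comes first
    for group in instance.get("DBParameterGroups", []):
        # pending-reboot / applying: the running server may still accept plaintext connections
        if group.get("ParameterApplyStatus") != "in-sync":
            return "FAILED"
        params = params_by_group.get(group["DBParameterGroupName"], [])
        value = next((p.get("ParameterValue", "") for p in params if p.get("ParameterName") == PARAM), "")
        # Assumption: the boolean is rendered ON/OFF; an unset value means the engine default (OFF)
        if str(value).strip().upper() not in ("ON", "1"):
            return "FAILED"
    return "PASSED"


def evaluate_all(instances, params_by_group):
    return {i["DBInstanceIdentifier"]: evaluate_rds44(i, params_by_group) for i in instances}


def inst(name, version, group, status, engine="mariadb"):
    return {"DBInstanceIdentifier": name, "Engine": engine, "EngineVersion": version,
            "DBParameterGroups": [{"DBParameterGroupName": group, "ParameterApplyStatus": status}]}


SAMPLE_INSTANCES = [  # constructed records; names and versions are made up for the example
    inst("orders-mariadb", "10.6.14", "mariadb-tls", "in-sync"),
    inst("reports-mariadb", "10.5.23", "mariadb-tls", "pending-reboot"),
    inst("catalog-mariadb", "10.11.6", "default.mariadb10.11", "in-sync"),
    inst("legacy-mariadb", "10.4.31", "default.mariadb10.4", "in-sync"),
    inst("orders-pg", "15.4", "default.postgres15", "in-sync", engine="postgres"),
]
SAMPLE_PARAMETERS = {
    "mariadb-tls": [{"ParameterName": PARAM, "ParameterValue": "ON"}],
    "default.mariadb10.11": [{"ParameterName": PARAM}],  # value not set in the default group
}
```

Running `evaluate_all(SAMPLE_INSTANCES, SAMPLE_PARAMETERS)` marks the pending-reboot group and the unset default group FAILED, and reports the 10.4 instance and the PostgreSQL instance as not applicable.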
Why does RDS.44 matter?
RDS for MariaDB can serve every connection over TLS, but by default it also accepts plaintext connections when a client doesn't ask for encryption — so credentials, query text, and result rows can travel the network in the clear, readable by anyone observing the traffic path. With require_secure_transport set to ON, MariaDB rejects any client that tries to connect without TLS and encryption stops being optional.
How do I fix RDS.44?
- Confirm all clients support TLS.
- Set require_secure_transport=ON in a custom DB parameter group attached to the instance.
- Reboot if required, then verify the parameter group is in sync and non-TLS connections are refused.
- Standardise the parameter group across MariaDB instances.
Remediation script · bash
# List RDS instances, and the ElastiCache replication groups that still allow plaintext connections.
aws rds describe-db-instances \
    --query 'DBInstances[].DBInstanceIdentifier' --output text
aws elasticache describe-replication-groups \
    --query 'ReplicationGroups[?TransitEncryptionEnabled==`false`].ReplicationGroupId' \
    --output text
# RDS for PostgreSQL: require TLS via rds.force_ssl (static parameter -> needs a reboot).
PG=$(aws rds describe-db-instances --db-instance-identifier prod-orders-pg \
    --query 'DBInstances[].DBParameterGroups[].DBParameterGroupName' --output text)
aws rds modify-db-parameter-group --db-parameter-group-name "$PG" \
    --parameters 'ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot'
aws rds reboot-db-instance --db-instance-identifier prod-orders-pg
# Redshift: set require_ssl on a custom cluster parameter group, then reboot.
aws redshift modify-cluster-parameter-group --parameter-group-name analytics-tls \
    --parameters ParameterName=require_ssl,ParameterValue=true
aws redshift reboot-cluster --cluster-identifier analytics-prod
Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on database and cache connections.
Is RDS.44 a false positive?
require_secure_transport was only introduced in MariaDB 10.5, so an instance on 10.4 or earlier cannot satisfy RDS.44 as written — an engine upgrade is part of the remediation path, not just a parameter change.
More RDS controls
- RDS.1 An RDS snapshot is shared publicly
- RDS.2 An RDS instance is publicly accessible from the internet
- RDS.3 RDS DB instances should be encrypted at rest
- RDS.4 RDS snapshots should be encrypted at rest
- RDS.5 RDS DB instances should use multiple AZs
- RDS.6 RDS lacks enhanced monitoring
- RDS.7 RDS clusters should have deletion protection
- RDS.8 RDS DB instances should have deletion protection
- RDS.9 RDS engine logs are not shipped to CloudWatch
- RDS.10 RDS relies on long-lived database passwords
- RDS.11 RDS instances should have automatic backups
- RDS.12 IAM auth should be configured for RDS clusters