---
title: CA certificate identifier is outdated
description: Datadog, the leading service for cloud-scale monitoring.
---

# CA certificate identifier is outdated

## Metadata{% #metadata %}

**Id:** `terraform-aws-ca-certificate-identifier-is-outdated` 

**Provider:** AWS

**Platform:** Terraform

**Severity:** Medium

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance)

### Description{% #description %}

AWS RDS instances require a trusted, up-to-date Certificate Authority (CA) certificate for encrypted connections. If the `ca_cert_identifier` attribute is set to an outdated value such as `"rds-ca-2015"` instead of the recommended `"rds-ca-2019"`, the database may be vulnerable to deprecation-related outages or security issues due to expired or compromised certificates. The following setting is an example of the outdated value:

```terraform
ca_cert_identifier = "rds-ca-2015"
```

Using the correct CA certificate ensures continued support, compliance, and secure encrypted communications with the database.

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
resource "aws_db_instance" "negative1" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  iam_database_authentication_enabled = true
  storage_encrypted = true
  ca_cert_identifier = "rds-ca-2019"
}
```

```terraform
module "db" {
  source  = "terraform-aws-modules/rds/aws"
  version = "~> 3.0"

  identifier = "demodb"

  engine            = "mysql"
  engine_version    = "5.7.19"
  instance_class    = "db.t2.large"
  allocated_storage = 5
  ca_cert_identifier = "rds-ca-2019"

  name     = "demodb"
  username = "user"
  password = "YourPwdShouldBeLongAndSecure!"
  port     = "3306"

  iam_database_authentication_enabled = true

  vpc_security_group_ids = ["sg-12345678"]

  maintenance_window = "Mon:00:00-Mon:03:00"
  backup_window      = "03:00-06:00"

  # Enhanced Monitoring - see example for details on how to create the role
  # by yourself, in case you don't want to create it automatically
  monitoring_interval = "30"
  monitoring_role_name = "MyRDSMonitoringRole"
  create_monitoring_role = true

  tags = {
    Owner       = "user"
    Environment = "dev"
  }

  # DB subnet group
  subnet_ids = ["subnet-12345678", "subnet-87654321"]

  # DB parameter group
  family = "mysql5.7"

  # DB option group
  major_engine_version = "5.7"

  # Database Deletion Protection
  deletion_protection = true

  parameters = [
    {
      name = "character_set_client"
      value = "utf8mb4"
    },
    {
      name = "character_set_server"
      value = "utf8mb4"
    }
  ]

  options = [
    {
      option_name = "MARIADB_AUDIT_PLUGIN"

      option_settings = [
        {
          name  = "SERVER_AUDIT_EVENTS"
          value = "CONNECT"
        },
        {
          name  = "SERVER_AUDIT_FILE_ROTATIONS"
          value = "37"
        },
      ]
    },
  ]
}
```

```terraform
resource "aws_db_instance" "negative1" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  iam_database_authentication_enabled = true
  storage_encrypted = true
  ca_cert_identifier = "rds-ca-rsa2048-g1"
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
resource "aws_db_instance" "positive1" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  iam_database_authentication_enabled = true
  storage_encrypted = true
  ca_cert_identifier = "rds-ca-2015"
}
```

```terraform
module "db" {
  source  = "terraform-aws-modules/rds/aws"
  version = "~> 3.0"

  identifier = "demodb"

  engine            = "mysql"
  engine_version    = "5.7.19"
  instance_class    = "db.t2.large"
  allocated_storage = 5
  ca_cert_identifier = "rds-ca-2015"

  name     = "demodb"
  username = "user"
  password = "YourPwdShouldBeLongAndSecure!"
  port     = "3306"

  iam_database_authentication_enabled = true

  vpc_security_group_ids = ["sg-12345678"]

  maintenance_window = "Mon:00:00-Mon:03:00"
  backup_window      = "03:00-06:00"

  # Enhanced Monitoring - see example for details on how to create the role
  # by yourself, in case you don't want to create it automatically
  monitoring_interval = "30"
  monitoring_role_name = "MyRDSMonitoringRole"
  create_monitoring_role = true

  tags = {
    Owner       = "user"
    Environment = "dev"
  }

  # DB subnet group
  subnet_ids = ["subnet-12345678", "subnet-87654321"]

  # DB parameter group
  family = "mysql5.7"

  # DB option group
  major_engine_version = "5.7"

  # Database Deletion Protection
  deletion_protection = true

  parameters = [
    {
      name = "character_set_client"
      value = "utf8mb4"
    },
    {
      name = "character_set_server"
      value = "utf8mb4"
    }
  ]

  options = [
    {
      option_name = "MARIADB_AUDIT_PLUGIN"

      option_settings = [
        {
          name  = "SERVER_AUDIT_EVENTS"
          value = "CONNECT"
        },
        {
          name  = "SERVER_AUDIT_FILE_ROTATIONS"
          value = "37"
        },
      ]
    },
  ]
}
```
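
The same check can also be applied to a rendered plan, which covers instances created inside modules as well as top-level resources. This added example is not Datadog's rule implementation: it walks JSON shaped like `terraform show -json` output, including child modules, and reports `aws_db_instance` resources whose `ca_cert_identifier` is `rds-ca-2015`. The sample plan, its resource addresses, and the helper names are constructed for illustration.

```python
# Identifier the rule description names as outdated; extend it to match your policy.
OUTDATED_CA_IDS = frozenset({"rds-ca-2015"})


def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_outdated_ca(plan, outdated=OUTDATED_CA_IDS):
    """Return (address, identifier) for each aws_db_instance with an outdated CA."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "aws_db_instance":
            continue
        # A missing or null value is not reported by this check.
        ca_id = (res.get("values") or {}).get("ca_cert_identifier")
        if ca_id in outdated:
            findings.append((res["address"], ca_id))
    return findings


def _db(address, ca_id):
    """Build a constructed plan entry holding only the fields the check reads."""
    return {"address": address, "type": "aws_db_instance",
            "values": {"ca_cert_identifier": ca_id}}


# Constructed sample shaped like `terraform show -json` output; addresses are made up.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        _db("aws_db_instance.positive1", "rds-ca-2015"),
        _db("aws_db_instance.negative1", "rds-ca-2019"),
        _db("aws_db_instance.negative2", "rds-ca-rsa2048-g1"),
        _db("aws_db_instance.unset", None),
    ],
    "child_modules": [{"address": "module.db", "child_modules": [{
        "address": "module.db.module.db_instance",
        "resources": [_db("module.db.module.db_instance.aws_db_instance.this[0]",
                          "rds-ca-2015")],
    }]}],
}}}

if __name__ == "__main__":
    for address, ca_id in find_outdated_ca(SAMPLE_PLAN):
        print(f"{address}: ca_cert_identifier = {ca_id!r} is outdated")
```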
