Runbook: RDSCACertificateCloseToExpiration Alert

Alert Details

  • Alert Name: RDSCACertificateCloseToExpiration
  • Expression: (rds_certificate_expiry_timestamp_seconds{dbidentifier!~".*copy.*", %(clusterSelector)s} - time() ) / 3600 / 24 < 15

Description

This alert fires when an RDS instance is found to be using a CA certificate that expires in less than 15 days.

Possible Causes

  • The instance's CA certificate has expired or is about to expire

Troubleshooting Steps

1. Identify the instance(s) concerned

  • from the alert message
  • using the following AWS CLI command, which lists instances whose CA certificate expires within the next 15 days (1296000 seconds):

    aws rds describe-db-instances | jq '[
      .DBInstances[]
      | { db_instance_identifier: .DBInstanceIdentifier,
          ca_certificate_identifier: .CACertificateIdentifier,
          ca_certificate_valid_until: .CertificateDetails.ValidTill }
      | (now + 1296000) as $date
      | select((.ca_certificate_valid_until | split("+")[0] + "Z" | fromdate) < $date)
    ]'

2. Renew the certificate for each instance retrieved above by running

    aws rds modify-db-instance \
      --db-instance-identifier <your_db_instance> \
      --ca-certificate-identifier <your_new_certificate>

  • Add the --apply-immediately flag if you want the certificate changed right away; otherwise the change is applied during the next scheduled maintenance window.
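As an added example (not part of this runbook), the following Python script applies the same 15-day check as step 1 to the JSON output of aws rds describe-db-instances (pipe it in on stdin; with no stdin it runs on the embedded sample) and prints the step-2 command for each hit. Unlike the jq one-liner it keeps the UTC offset in ValidTill instead of stripping it, and it skips identifiers containing "copy" the way the alert expression does; the instance names and dates in the sample are made up.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws rds describe-db-instances` output
# (only the fields this check reads; instance names and dates are made up).
SAMPLE = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "CACertificateIdentifier": "rds-ca-2019",
     "CertificateDetails": {"ValidTill": "2024-08-22T17:08:50+00:00"}},
    {"DBInstanceIdentifier": "orders-prod-copy", "CACertificateIdentifier": "rds-ca-2019",
     "CertificateDetails": {"ValidTill": "2024-08-22T17:08:50+00:00"}},
    {"DBInstanceIdentifier": "staging", "CACertificateIdentifier": "rds-ca-2019",
     "CertificateDetails": {"ValidTill": "2024-08-25T01:00:00+02:00"}},  # non-UTC offset
    {"DBInstanceIdentifier": "legacy"},  # no CertificateDetails exposed
    {"DBInstanceIdentifier": "reports", "CACertificateIdentifier": "rds-ca-rsa2048-g1",
     "CertificateDetails": {"ValidTill": "2061-05-22T22:50:42+00:00"}},
]}

def parse_valid_till(value):
    # Keep the UTC offset; the jq one-liner strips it, so +02:00 would be read as UTC.
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def expiring_instances(describe_output, days=15, now=None, exclude="copy"):
    # Instances whose CA cert expires before now + days; skips identifiers containing
    # `exclude`, mirroring dbidentifier!~".*copy.*" in the alert expression.
    now = now or datetime.now(timezone.utc)
    cutoff = now + timedelta(days=days)
    hits = []
    for inst in describe_output.get("DBInstances", []):
        ident = inst["DBInstanceIdentifier"]
        valid_till = inst.get("CertificateDetails", {}).get("ValidTill")
        if (exclude and exclude in ident) or not valid_till:
            continue
        expiry = parse_valid_till(valid_till)
        if expiry < cutoff:
            hits.append({"db_instance_identifier": ident, "days_left": (expiry - now).days,
                         "ca_certificate_identifier": inst.get("CACertificateIdentifier")})
    return hits

def modify_command(ident, new_ca="rds-ca-rsa2048-g1", apply_immediately=False):
    # Step-2 rotation command for one instance, in argv form (e.g. for subprocess.run).
    cmd = ["aws", "rds", "modify-db-instance", "--db-instance-identifier", ident,
           "--ca-certificate-identifier", new_ca]
    return cmd + (["--apply-immediately"] if apply_immediately else [])

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for hit in expiring_instances(data):
        print(hit["days_left"], "days left:", " ".join(modify_command(hit["db_instance_identifier"])))
```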

Tips

We recommend using the rds-ca-rsa2048-g1 certificate authority, which:

  • Has the same properties as rds-ca-2019 (2048-bit RSA private key, SHA-256 signing algorithm), so there is no risk of incompatibility
  • Is valid until 2061
  • Can be switched to without restarting the instances