The issue is that when a certificate has alternate names, only alt-name verification is executed, as RFC 6125 indicates: hostname verification should be done against the certificate's subjectAlternativeName dNSName field.
RFC 2818 discouraged CN verification more than 10 years ago, as it was only intended for legacy use. The Baseline Requirements require a subjectAltName, and require that the only host-ish names in a CN must be names that are also in the SAN.
That is not compatible with connecting directly to an Aurora host.
The correction is to permit legacy CN verification when the SAN doesn't match the hostname.
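As an added illustration (not code from this issue or from the project it concerns), the three policies discussed above side by side: SAN-only, the RFC 6125 reading where the CN is consulted only when the certificate carries no SAN dNSName, and the proposed legacy fallback that consults the CN even when a SAN is present but does not match. The certificate names and hostnames are constructed and the policy names are my own; under the Baseline Requirements a public CA certificate's CN must also appear in the SAN, so the legacy fallback only changes the outcome for certificates from private CAs, and it does widen the set of hostnames a given certificate is accepted for.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive exact match, or a single '*'
    forming the entire left-most label that matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if "*" not in pattern:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard only as the whole left-most label, nowhere else, and it
    # must not span a label boundary or sit in a top-level name.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:] and _LABEL.match(h_labels[0]) is not None


@dataclass
class CertNames:
    common_name: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def verify_hostname(hostname: str, cert: CertNames, cn_fallback: str = "rfc6125") -> Optional[str]:
    """Return the matched name tagged 'san:' or 'cn:', or None.
    cn_fallback (policy names are hypothetical, for this example):
      'never'   - SAN dNSName only
      'rfc6125' - CN consulted only when the certificate has no SAN dNSName
      'legacy'  - CN also consulted when the SAN is present but does not match
    """
    for name in cert.san_dns_names:
        if _match_dns_name(name, hostname):
            return "san:" + name
    if cert.common_name is None or cn_fallback == "never":
        return None
    if cn_fallback == "rfc6125" and cert.san_dns_names:
        return None  # SAN present: CN is ignored under the strict reading
    if _match_dns_name(cert.common_name, hostname):
        return "cn:" + cert.common_name
    return None
```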