Ensure that the IAM Database Authentication feature is enabled for your RDS database instances in order to use the Identity and Access Management (IAM) service to manage database access to your MySQL and PostgreSQL database instances. With this feature enabled, you don't have to use a password when you connect to your MySQL/PostgreSQL database, instead you can use an authentication token. An authentication token is a unique string of characters with a lifetime of 15 minutes that Amazon RDS generates on your request. IAM Database Authentication removes the need of storing user credentials within the database configuration, because authentication is managed externally using Amazon IAM.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Enabling the IAM Database Authentication feature for your MySQL/PostgreSQL database instances provides multiple benefits such as in-transit encryption – the network traffic to and from database instances is encrypted using Secure Sockets Layer (SSL), centralized management – using Amazon IAM to centrally manage access to your database resources, instead of managing access individually for each database instance, and enhanced security – for web applications running on Amazon EC2 you can use the IAM profile credentials configured for each EC2 instance to access the associated database instead of using passwords.
Note: Enabling IAM Database Authentication for MySQL and PostgreSQL database instances does not disable the authentication method using passwords, you also have the option to use standard database authentication.
Audit
To determine if your Amazon RDS MySQL and PostgreSQL database instances are using IAM Database Authentication, perform the following actions:
Remediation / Resolution
To enable the IAM Database Authentication feature for your Amazon RDS database instances in order to manage your MySQL/PostgreSQL database user credentials using Amazon IAM users and roles, perform the following actions:
References
- AWS Documentation
- Amazon RDS FAQs
- IAM database authentication for MariaDB, MySQL, and PostgreSQL
- Modifying an Amazon RDS DB instance
- AWS Command Line Interface (CLI) Documentation
- rds
- describe-db-instances
- modify-db-instance
- CloudFormation Documentation
- Amazon Relational Database Service resource type reference
- Terraform Documentation
- AWS Provider