Use the Conformity Knowledge Base AI to help improve your Cloud Posture

IAM Database Authentication

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: RDS-030

Ensure that the IAM Database Authentication feature is enabled for your RDS database instances in order to use the Identity and Access Management (IAM) service to manage database access to your MySQL and PostgreSQL database instances. With this feature enabled, you don't have to use a password when you connect to your MySQL/PostgreSQL database, instead you can use an authentication token. An authentication token is a unique string of characters with a lifetime of 15 minutes that Amazon RDS generates on your request. IAM Database Authentication removes the need of storing user credentials within the database configuration, because authentication is managed externally using Amazon IAM.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Enabling the IAM Database Authentication feature for your MySQL/PostgreSQL database instances provides multiple benefits such as in-transit encryption – the network traffic to and from database instances is encrypted using Secure Sockets Layer (SSL), centralized management – using Amazon IAM to centrally manage access to your database resources, instead of managing access individually for each database instance, and enhanced security – for web applications running on Amazon EC2 you can use the IAM profile credentials configured for each EC2 instance to access the associated database instead of using passwords.

Note: Enabling IAM Database Authentication for MySQL and PostgreSQL database instances does not disable the authentication method using passwords, you also have the option to use standard database authentication.


Audit

To determine if your Amazon RDS MySQL and PostgreSQL database instances are using IAM Database Authentication, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Databases.

04 Click on the name (link) of the RDS database instance that you want to examine. To identify RDS database instances, check the database role available in the Role column (i.e. Instance).

05 Select the Configuration tab and check the IAM DB authentication attribute value. If theIAM DB authentication value is set to Not enabled, the IAM Database Authentication feature is not enabled for the selected Amazon RDS database instance.

06 Repeat steps no. 4 and 5 for each Amazon RDS database instance available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) with custom query filters to list the names of the Amazon RDS MySQL and PostgreSQL database instances available in the selected AWS region:

aws rds describe-db-instances
  --region us-east-1
  --output table
  --query 'DBInstances[?Engine==`mysql` || Engine==`postgres`].DBInstanceIdentifier | []'

02 The command output should return a table with the requested database instance names:

--------------------------------
|     DescribeDBInstances      |
+------------------------------+
|  cc-project5-mysql-database  |
|  cc-prod-postgres-database   |
+------------------------------+

03 Run describe-db-instances command (OSX/Linux/UNIX) using the name of the MySQL/PostgreSQL database instance that you want to examine as the identifier parameter and custom query filters to describe the IAM Database Authentication feature status for the selected instance:

aws rds describe-db-instances
  --region us-east-1
  --db-instance-identifier cc-project5-mysql-database
  --query 'DBInstances[*].IAMDatabaseAuthenticationEnabled'

04 The command output should return the feature status (true for enabled, false for disabled):

[
    false
]

If the describe-db-instances command output returns false, as shown in the output example above, the IAM Database Authentication feature is not enabled for the selected Amazon RDS database instance.

05 Repeat steps no. 3 and 4 for each Amazon RDS database instance available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable the IAM Database Authentication feature for your Amazon RDS database instances in order to manage your MySQL/PostgreSQL database user credentials using Amazon IAM users and roles, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable IAM Database Authentication For Database Instances",
	"Parameters": {
		"DBInstanceName": {
			"Default": "mysql-database-instance",
			"Description": "RDS database instance name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "63",
			"AllowedPattern": "^[0-9a-zA-Z-/]*$",
			"ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."
		},
		"DBInstanceClass": {
				"Default": "db.t2.micro",
				"Description": "DB instance class/type",
				"Type": "String",
				"ConstraintDescription": "Must provide a valid DB instance type."
		},
		"DBAllocatedStorage": {
			"Default": "20",
			"Description": "The size of the database (GiB)",
			"Type": "Number",
			"MinValue": "20",
			"MaxValue": "65536",
			"ConstraintDescription": "Must be between 20 and 65536 GiB."
		},
		"DBName": {
			"Default": "mysqldb",
			"Description": "Database name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "64",
			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
		},
		"DBUsername": {
			"Description": "Username for database access",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "16",
			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
		},
		"DBPassword": {
			"NoEcho": "true",
			"Description": "Password for database access",
			"Type": "String",
			"MinLength": "8",
			"MaxLength": "41",
			"AllowedPattern": "[a-zA-Z0-9]*",
			"ConstraintDescription": "Must contain only alphanumeric characters."
		}
	},
	"Resources": {
		"RDSInstance": {
			"Type": "AWS::RDS::DBInstance",
			"Properties": {
				"DBInstanceIdentifier": {
					"Ref": "DBInstanceName"
				},
				"DBName": {
					"Ref": "DBName"
				},
				"MasterUsername": {
					"Ref": "DBUsername"
				},
				"MasterUserPassword": {
					"Ref": "DBPassword"
				},
				"DBInstanceClass": {
					"Ref": "DBInstanceClass"
				},
				"AllocatedStorage": {
					"Ref": "DBAllocatedStorage"
				},
				"Engine": "MySQL",
				"EngineVersion": "5.7.36",
				"EnableIAMDatabaseAuthentication": true
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Enable IAM Database Authentication For Database Instances
	Parameters:
		DBInstanceName:
		Default: mysql-database-instance
		Description: RDS database instance name
		Type: String
		MinLength: '1'
		MaxLength: '63'
		AllowedPattern: ^[0-9a-zA-Z-/]*$
		ConstraintDescription: Must begin with a letter and must not end with a hyphen
			or contain two consecutive hyphens.
		DBInstanceClass:
		Default: db.t2.micro
		Description: DB instance class/type
		Type: String
		ConstraintDescription: Must provide a valid DB instance type.
		DBAllocatedStorage:
		Default: '20'
		Description: The size of the database (GiB)
		Type: Number
		MinValue: '20'
		MaxValue: '65536'
		ConstraintDescription: Must be between 20 and 65536 GiB.
		DBName:
		Default: mysqldb
		Description: Database name
		Type: String
		MinLength: '1'
		MaxLength: '64'
		AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
		ConstraintDescription: Must begin with a letter and contain only alphanumeric
			characters.
		DBUsername:
		Description: Username for database access
		Type: String
		MinLength: '1'
		MaxLength: '16'
		AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
		ConstraintDescription: Must begin with a letter and contain only alphanumeric
			characters.
		DBPassword:
		NoEcho: 'true'
		Description: Password for database access
		Type: String
		MinLength: '8'
		MaxLength: '41'
		AllowedPattern: '[a-zA-Z0-9]*'
		ConstraintDescription: Must contain only alphanumeric characters.
	Resources:
		RDSInstance:
		Type: AWS::RDS::DBInstance
		Properties:
			DBInstanceIdentifier: !Ref 'DBInstanceName'
			DBName: !Ref 'DBName'
			MasterUsername: !Ref 'DBUsername'
			MasterUserPassword: !Ref 'DBPassword'
			DBInstanceClass: !Ref 'DBInstanceClass'
			AllocatedStorage: !Ref 'DBAllocatedStorage'
			Engine: MySQL
			EngineVersion: 5.7.36
			EnableIAMDatabaseAuthentication: true

Using Terraform

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_db_instance" "rds-database-instance" {
	allocated_storage     = 20
	engine                = "mysql"
	engine_version        = "5.7"
	instance_class        = "db.t2.micro"
	name                  = "mysqldb"
	username              = "mysqluser"
	password              = "mysqlpasswd"
	parameter_group_name  = "default.mysql5.7"

	# Enable IAM Database Authentication For Database Instances
	iam_database_authentication_enabled = true

	apply_immediately = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Databases.

04 Select the Amazon RDS database instance that you want to reconfigure and choose Modify.

05 On the Modify DB instance: <instance-name> configuration page, perform the following operations:

  1. In the Database authentication section, under Database authentication options, select Password and IAM database authentication to enable the IAM Database Authentication feature for the selected MySQL/PostgreSQL database instance. This enables you to manage your database user credentials through Amazon IAM users and roles.
  2. Choose Continue and review the configuration changes that you want to apply, available in the Summary of modifications section.
  3. In the Scheduling of modifications section, perform one of the following actions based on your workload requirements:
    • Select *Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
    • Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window configured for the selected RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your database application.
  4. Choose Modify DB instance to apply the configuration changes.

06 Repeat steps no. 4 and 5 for each Amazon RDS database instance available in the selected AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run modify-db-instance command (OSX/Linux/UNIX) to enable the IAM Database Authentication feature for the selected Amazon database instance (MySQL or PostgreSQL database). The following command request example makes use of --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your RDS database application. If you skip adding the --apply-immediately parameter to the command request, Amazon RDS will apply your changes during the next maintenance window:

aws rds modify-db-instance
  --region us-east-1
  --db-instance-identifier cc-project5-mysql-database
  --enable-iam-database-authentication
  --apply-immediately

02 The command output should return the configuration metadata for the modified database instance:

{
	"DBInstance": {
		"PubliclyAccessible": true,
		"MasterUsername": "ccadmin",
		"MonitoringInterval": 0,
		"LicenseModel": "general-public-license",
		"VpcSecurityGroups": [
			{
				"Status": "active",
				"VpcSecurityGroupId": "sg-0abcd1234abcd1234"
			},
			{
				"Status": "active",
				"VpcSecurityGroupId": "sg-abcd1234"
			}
		],
		"InstanceCreateTime": "2021-05-12T08:00:00.677Z",
		"CopyTagsToSnapshot": true,
		"OptionGroupMemberships": [
			{
				"Status": "in-sync",
				"OptionGroupName": "default:mysql-5-7"
			}
		],
		"Engine": "mysql",
		"MultiAZ": false,
		"DBSecurityGroups": [],
		"DBParameterGroups": [
			{
				"DBParameterGroupName": "default.mysql5.7",
				"ParameterApplyStatus": "in-sync"
			}
		],
		"PerformanceInsightsEnabled": true,
		"AutoMinorVersionUpgrade": true,
		"PreferredBackupWindow": "06:02-06:32",
		"DBSubnetGroup": {
			"Subnets": [
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-abcd1234",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1d"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-1234abcd",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1e"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-abcdabcd",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1b"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-12341234",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1a"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-abcd1234",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1f"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-1234abcd",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1c"
					}
				}
			],
			"DBSubnetGroupName": "default-vpc-abcdabcd",
			"VpcId": "vpc-abcdabcd",
			"DBSubnetGroupDescription": "Created from the AWS Management Console",
			"SubnetGroupStatus": "Complete"
		},
		"ReadReplicaDBInstanceIdentifiers": [],
		"AllocatedStorage": 70,
		"DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:cc-project5-mysql-database",
		"BackupRetentionPeriod": 7,
		"PreferredMaintenanceWindow": "thu:03:27-thu:03:57",
		"Endpoint": {
			"HostedZoneId": "ABCDABCDABCD",
			"Port": 3306,
			"Address": "cc-project5-mysql-database.abcdabcdabcd.us-east-1.rds.amazonaws.com"
		},
		"DBInstanceStatus": "available",
		"IAMDatabaseAuthenticationEnabled": true,
		"EngineVersion": "5.7.30",
		"DeletionProtection": true,
		"AvailabilityZone": "us-east-1a",
		"DomainMemberships": [],
		"StorageType": "gp2",
		"DbiResourceId": "db-ABCDABCDABCDABCDABCDABCDAB",
		"CACertificateIdentifier": "rds-ca-2019",
		"StorageEncrypted": true,
		"AssociatedRoles": [],
		"DBInstanceClass": "db.t3.medium",
		"DbInstancePort": 0,
		"DBInstanceIdentifier": "cc-project5-mysql-database"
	}
}

03 Repeat steps no. 1 and 2 for each Amazon RDS database instance available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Oct 29, 2018