Ensure IAM authentication is enabled for Amazon Relational Database Service (Amazon RDS) instances

MEDIUM

Description

Password authentication is not centralized and requires direct user administration in an RDS instance. However, IAM database authentication can be enabled so that users do not need to rely on passwords for authentication. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.Connect.html#CHAP_CommonTasks.Connect.DatabaseAuthentication

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the AWS RDS console.
  2. Select Databases in the navigation pane.
  3. Select the DB instance to modify.
  4. Select Modify.
  5. In the Database Authentication section, select Password and IAM database authentication to enable IAM database authentication.
  6. Select Continue.
  7. In the Scheduling of modifications section, select Immediately so the change is applied right away rather than in the next maintenance window.
  8. Select Modify DB instance.

In Terraform -

  1. In the aws_db_instance resource, set the iam_database_authentication_enabled field to true.

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#iam_database_authentication_enabled
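The following Terraform configuration is an added example, not part of this policy page or of the Terraform provider documentation it links to. It shows the non-compliant shape of an aws_db_instance (the field left at its default of false, which is what rule AC_AWS_0053 flags) next to the remediated one, and then the two pieces the flag alone does not give you: a database role that accepts IAM tokens and an IAM policy granting rds-db:connect for it. The identifier "orders-db", the engine choice, the database role name "app_user" and the policy name are assumptions.

```hcl
# Added example (not from the original page). Names, engine and the
# "app_user" database role are assumptions. The two aws_db_instance
# resources are shown side by side for contrast only; a real
# configuration keeps just the remediated one.

variable "master_password" {
  type      = string
  sensitive = true
}

# Non-compliant: iam_database_authentication_enabled is omitted, so it
# defaults to false and only password logins are possible. This is the
# state rule AC_AWS_0053 reports.
resource "aws_db_instance" "before" {
  identifier        = "orders-db-before"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = "dbadmin"
  password          = var.master_password
  skip_final_snapshot = true
}

# Remediated: IAM database authentication turned on.
resource "aws_db_instance" "after" {
  identifier        = "orders-db"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = "dbadmin"
  password          = var.master_password
  skip_final_snapshot = true

  iam_database_authentication_enabled = true
}

# Turning the flag on only makes token login possible. Two more things are
# needed before a workload can stop using a password:
#  1. a database role that accepts IAM tokens. For PostgreSQL, run once as
#     the master user:  CREATE ROLE app_user LOGIN; GRANT rds_iam TO app_user;
#     (for MySQL/MariaDB the equivalent is CREATE USER ... IDENTIFIED WITH
#     AWSAuthenticationPlugin AS 'RDS';)
#  2. an IAM policy allowing the caller to mint a token for exactly that
#     role on exactly this instance. The ARN uses the instance's
#     DbiResourceId (exported by Terraform as resource_id), not its name.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "rds_connect" {
  statement {
    actions = ["rds-db:connect"]
    resources = [
      "arn:aws:rds-db:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:dbuser:${aws_db_instance.after.resource_id}/app_user",
    ]
  }
}

resource "aws_iam_policy" "rds_connect" {
  name   = "orders-db-iam-connect"
  policy = data.aws_iam_policy_document.rds_connect.json
}
```

Scoping the rds-db:connect resource to a single DbiResourceId/role pair is what keeps the benefit of centralised authentication from turning into a broad grant: a principal holding this policy can obtain a token only for app_user on orders-db, and the token is short-lived, so rotating database secrets becomes an IAM concern rather than a per-instance one. A scanner evaluating the plan or state simply checks that iam_database_authentication_enabled is present and true on each aws_db_instance.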

Policy Details

Rule Reference ID: AC_AWS_0053
CSP: AWS
Remediation Available: Yes
Resource: aws_db_instance
Resource Category: Database
Resource Type: DB Instance

Frameworks