Medium

Ensure RDS Instances have IAM Database Authentication enabled

Security & Compliance
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
HITRUST
MAS
NIST 800-53
NIST4
GDPR
Description

Enabling the IAM Database Authentication feature for your MySQL/PostgreSQL database instances can provide numerous advantages, such as in-transit encryption that secures the network traffic to and from the database instances using SSL. Additionally, this feature allows for centralized management of database access using AWS IAM, instead of managing access individually for each database instance, which enhances security. For web applications running on Amazon EC2, you can also use IAM profile credentials specific to each EC2 instance to access the associated database, instead of using passwords. It's important to note that enabling IAM Database Authentication for MySQL and PostgreSQL database instances does not disable the authentication method using passwords. You still have the option to use standard database authentication. To ensure that IAM Database Authentication is enabled, use the AWS Identity and Access Management (IAM) service to manage database access to your Amazon RDS MySQL and PostgreSQL instances. With this feature enabled, you can connect to your MySQL/PostgreSQL database instances using an authentication token instead of a password. An authentication token is a unique string of characters that AWS RDS generates upon your request, with a lifetime of 15 minutes. This feature eliminates the need to store user credentials within the database configuration, as authentication is managed externally using AWS IAM.

Remediation

To ensure that IAM Database Authentication is enabled for your RDS instances, you can follow these remediation steps:

  1. Open the Amazon RDS console.
  2. Select the RDS instance that you want to update.
  3. Click on "Modify" button.
  4. Scroll down to the "Database Options" section.
  5. Check if "IAM Database Authentication" is set to "Yes". If not, select "Yes" from the drop-down menu.
  6. Click "Continue" to review the changes.
  7. Click "Modify DB Instance" to apply the changes.

You can also enable IAM Database Authentication when you create a new RDS instance by selecting "Yes" for "IAM Database Authentication" under the "Additional Configuration" section.

After enabling IAM Database Authentication, ensure that you update your database access controls to use IAM roles instead of user credentials. This can be done by creating an IAM policy that allows the required actions for your RDS instances and attaching it to an IAM role. Then, assign this IAM role to your EC2 instances or application services that need to access the RDS instances.

Enforced Resources
RDS
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.

Step into the Future of SecOps

Self Served Test drive >
Schedule a live demo >