Ensure the IAM Database Authentication feature is enabled so that AWS Identity and Access Management (IAM) can manage database access to your Amazon RDS MySQL and PostgreSQL instances. With this feature enabled, you don't have to use a password when you connect to your MySQL/PostgreSQL database instances; instead you use an authentication token. An authentication token is a unique string of characters with a lifetime of 15 minutes that Amazon RDS generates on your request. IAM Database Authentication removes the need to store user credentials within the database configuration, because authentication is managed externally using AWS IAM.
This rule can help you with the following compliance standards:
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Enabling the IAM Database Authentication feature for your MySQL/PostgreSQL database instances provides multiple benefits:
- In-transit encryption: the network traffic to and from database instances is encrypted using Secure Sockets Layer (SSL).
- Centralized management: AWS IAM is used to centrally manage access to your database resources, instead of managing access individually for each database instance.
- Enhanced security: for web applications running on Amazon EC2, you can use IAM profile credentials specific to each EC2 instance to access the associated database instead of using passwords.
Note: Enabling IAM Database Authentication for MySQL and PostgreSQL database instances does not disable password-based authentication; you still have the option to use standard database authentication.
To determine if your Amazon RDS MySQL and PostgreSQL database instances are using IAM Database Authentication, perform the following actions:
Remediation / Resolution
To enable IAM Database Authentication feature for your existing Amazon RDS database instances in order to manage your MySQL/PostgreSQL database user credentials through AWS IAM users and roles, perform the following actions:
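The audit and remediation described above, as an added example that is not part of the original page or the Cloud Conformity tool: it evaluates the output of `aws rds describe-db-instances` (a constructed sample is embedded), builds the `modify-db-instance` call that enables the feature, and emits the `rds-db:connect` IAM policy that grants one principal access as one database user. The region, account id, DB resource id and user names are placeholders.

```python
"""Audit RDS instances for IAM Database Authentication and build the fix."""
import json

# Constructed sample shaped like `aws rds describe-db-instances` output,
# trimmed to the fields this check needs.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-mysql", "Engine": "mysql",
         "IAMDatabaseAuthenticationEnabled": False},
        {"DBInstanceIdentifier": "billing-pg", "Engine": "postgres",
         "IAMDatabaseAuthenticationEnabled": True},
        {"DBInstanceIdentifier": "legacy-oracle", "Engine": "oracle-ee",
         "IAMDatabaseAuthenticationEnabled": False},
    ]
})

# Engines this rule covers; RDS reports MySQL as "mysql", PostgreSQL as "postgres".
IN_SCOPE_ENGINES = {"mysql", "postgres"}


def find_noncompliant(describe_json: str) -> list:
    """Return identifiers of in-scope instances with IAM DB auth disabled."""
    data = json.loads(describe_json)
    return [db["DBInstanceIdentifier"]
            for db in data.get("DBInstances", [])
            if db.get("Engine") in IN_SCOPE_ENGINES
            and not db.get("IAMDatabaseAuthenticationEnabled", False)]


def remediation_command(db_identifier: str, apply_immediately: bool = False) -> str:
    """AWS CLI call that enables the feature on one instance. Without
    --apply-immediately the change waits for the next maintenance window."""
    flag = "--apply-immediately" if apply_immediately else "--no-apply-immediately"
    return (f"aws rds modify-db-instance --db-instance-identifier {db_identifier} "
            f"--enable-iam-database-authentication {flag}")


def connect_policy(region: str, account_id: str, db_resource_id: str, db_user: str) -> dict:
    """Least-privilege IAM policy: connect as exactly one DB user on one instance.
    db_resource_id is the instance's DbiResourceId (placeholder values in the test).
    The matching DB-side user must still be created with the IAM auth plugin."""
    arn = f"arn:aws:rds-db:{region}:{account_id}:dbuser:{db_resource_id}/{db_user}"
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "rds-db:connect",
                           "Resource": arn}]}


if __name__ == "__main__":
    for ident in find_noncompliant(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{ident}: IAM Database Authentication disabled")
        print("  " + remediation_command(ident, apply_immediately=True))
```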
Rule: IAM Database Authentication for RDS
Risk level: Medium