AWS RDS does not use IAM Database Authentication

Description:

AWS RDS offers IAM Database Authentication, which allows you to use AWS Identity and Access Management (IAM) roles and policies for database authentication, instead of the traditional username and password method. This approach increases security by offering short-lived authentication tokens instead of static credentials, and by leveraging AWS's existing IAM framework, you can centrally manage access to your RDS instances. If IAM Database Authentication is not enabled, you might be missing out on an added layer of security and the convenience of IAM centralized access management.

Remediation:

1. Enable IAM Database Authentication for New RDS Instances:

AWS Management Console:
  • Navigate to the RDS dashboard.
  • Click on "Create database".
  • In the creation wizard, under the "Database Authentication" section, select "Password and IAM database authentication".
  • Continue with other database settings and click "Create".
AWS CLI:
aws rds create-db-instance --db-instance-identifier YourDBInstanceName --engine mysql or aurora --master-username yourmasteruser --master-user-password yourpassword --enable-iam-database-authentication

2. Enable IAM Database Authentication for Existing RDS Instances:

AWS Management Console:
  • Navigate to the RDS dashboard.
  • Select your database instance.
  • Click on "Modify".
  • Under the "Database Options" section, check the box for "Enable IAM DB Authentication".
  • Scroll down and click on "Continue" and then "Modify DB Instance".
AWS CLI:
aws rds modify-db-instance --db-instance-identifier YourDBInstanceName --apply-immediately --enable-iam-database-authentication

3. Update IAM Policies:

  • Create or modify an IAM role or user policy that allows the "rds-db:connect" action.
  • Attach the policy to the necessary IAM roles or users.
AWS CLI:
# Create a policy with RDS IAM authentication permissions
echo '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": "arn:aws:rds-db:region:account-id:dbuser:db-cluster-id/username"
    }
  ]
}' > rds-iam-auth-policy.json

aws iam create-policy --policy-name RDSIAMAuthPolicy --policy-document file://rds-iam-auth-policy.json

# Attach the policy to an IAM role or user
aws iam attach-role-policy --role-name YourIAMRoleName --policy-arn arn:aws:iam::account-id:policy/RDSIAMAuthPolicy

4. Monitor and Audit:

AWS Management Console:
  • Navigate to AWS Config.
  • Create a new rule to check for RDS instances not using IAM Database Authentication.
  • Use AWS CloudTrail to monitor and log usage of RDS authentication events.
AWS CLI:

For monitoring, AWS Config SDK or Boto3 in Python would be preferable instead of direct AWS CLI commands.

5. Document and Train:

Ensure internal guidelines mandate the use of IAM Database Authentication for RDS. Train the technical teams on the importance and implementation of this authentication method.

By following these steps, you can ensure that AWS RDS databases utilize IAM Database Authentication, providing more secure and manageable access control.

Updated 5 months ago