
🛡️ AWS RDS Cluster IAM Database Authentication is not enabled🟢

Description

This policy identifies AWS RDS clusters that are not configured to use IAM Database Authentication. IAM Database Authentication replaces database passwords with temporary authentication tokens generated through AWS IAM.

Rationale

IAM Database Authentication provides several security and operational advantages over password-based authentication. Access is managed centrally in AWS IAM, so the same IAM users and roles that govern other AWS resources also govern database access. No database passwords need to be stored, managed or rotated: each connection authenticates with a short-lived IAM-generated token, which greatly reduces the exposure that long-lived credentials carry. Database connections are also encrypted with SSL/TLS by default when IAM authentication is enabled.

Audit

This policy flags an AWS RDS Cluster as INCOMPLIANT if the IAM Database Authentication Enabled field is set to false.


Remediation


Enable IAM Database Authentication

Update the cluster configuration to allow authentication using IAM-generated tokens.

From Command Line

Amazon RDS Aurora

Run the following command to enable IAM database authentication for the specified DB cluster:

aws rds modify-db-cluster \
--db-cluster-identifier {{cluster-id}} \
--enable-iam-database-authentication \
--apply-immediately

Amazon Neptune

Run the following command to enable IAM database authentication for the specified Neptune DB cluster:

aws neptune modify-db-cluster \
--db-cluster-identifier {{cluster-id}} \
--enable-iam-database-authentication \
--apply-immediately

By default, configuration changes are applied during the next scheduled maintenance window. Using the --apply-immediately parameter forces the change to take effect as soon as possible, which may cause a brief service interruption depending on the cluster configuration.
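The audit rule above (flag a cluster whose IAMDatabaseAuthenticationEnabled field is false) and the remediation commands can be exercised end to end against the JSON that `aws rds describe-db-clusters` and `aws neptune describe-db-clusters` return. The following Python is an added example for this page, not Cloudaware's policy implementation: it applies the check to constructed sample output (the cluster identifiers are invented), treats a missing field as non-compliant, and builds the matching `modify-db-cluster` command for each finding, choosing the `rds` or `neptune` CLI namespace from the cluster's Engine value.

```python
"""Audit RDS / Neptune clusters for IAM Database Authentication.

Added example, not part of the original policy page. It applies the
page's audit rule (a cluster is non-compliant when
IAMDatabaseAuthenticationEnabled is false) to the JSON shape returned by
`aws rds describe-db-clusters` / `aws neptune describe-db-clusters`
and emits the page's remediation command for each finding.
"""
import json
import shlex
from typing import Dict, List

# Constructed sample output: the describe-db-clusters shape reduced to
# the fields the check needs. Cluster identifiers are invented.
SAMPLE_RDS_OUTPUT = json.dumps({
    "DBClusters": [
        {"DBClusterIdentifier": "orders-aurora-prod",
         "Engine": "aurora-mysql",
         "IAMDatabaseAuthenticationEnabled": True},
        {"DBClusterIdentifier": "reports-aurora-dev",
         "Engine": "aurora-postgresql",
         "IAMDatabaseAuthenticationEnabled": False},
    ]
})
SAMPLE_NEPTUNE_OUTPUT = json.dumps({
    "DBClusters": [
        {"DBClusterIdentifier": "graph-neptune-prod",
         "Engine": "neptune",
         "IAMDatabaseAuthenticationEnabled": False},
    ]
})

# Engine values that are remediated through the neptune CLI namespace;
# every other engine goes through `aws rds`.
NEPTUNE_ENGINES = {"neptune"}


def find_noncompliant(describe_output: str) -> List[Dict[str, str]]:
    """Return clusters whose IAMDatabaseAuthenticationEnabled is not true.

    A missing field is reported as non-compliant as well: the audit passes
    a cluster only on positive evidence that the control is on.
    """
    clusters = json.loads(describe_output).get("DBClusters", [])
    findings = []
    for cluster in clusters:
        if cluster.get("IAMDatabaseAuthenticationEnabled") is not True:
            findings.append({
                "cluster": cluster["DBClusterIdentifier"],
                "engine": cluster.get("Engine", ""),
            })
    return findings


def remediation_command(cluster_id: str, engine: str,
                        apply_immediately: bool = False) -> str:
    """Build the modify-db-cluster command from the page for one finding.

    --apply-immediately is off by default because, as the page notes, it
    can cause a brief interruption; the caller opts in explicitly.
    """
    service = "neptune" if engine in NEPTUNE_ENGINES else "rds"
    parts = ["aws", service, "modify-db-cluster",
             "--db-cluster-identifier", cluster_id,
             "--enable-iam-database-authentication"]
    if apply_immediately:
        parts.append("--apply-immediately")
    return shlex.join(parts)


def audit(describe_outputs: List[str],
          apply_immediately: bool = False) -> List[str]:
    """Run the check over several describe outputs; return one command per finding."""
    commands = []
    for output in describe_outputs:
        for finding in find_noncompliant(output):
            commands.append(remediation_command(
                finding["cluster"], finding["engine"], apply_immediately))
    return commands


if __name__ == "__main__":
    for cmd in audit([SAMPLE_RDS_OUTPUT, SAMPLE_NEPTUNE_OUTPUT]):
        print(cmd)
```

Running the module prints two remediation commands, one for the Aurora dev cluster via `aws rds` and one for the Neptune cluster via `aws neptune`; the compliant production cluster is not listed. In a real account you would feed the script the output of `aws rds describe-db-clusters` and `aws neptune describe-db-clusters` instead of the embedded samples, and review the generated commands before running them, deciding per cluster whether `--apply-immediately` is acceptable or the change should wait for the maintenance window.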


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.7] Neptune DB clusters should have IAM database authentication enabled1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.12] IAM authentication should be configured for RDS clusters1no data
💼 Cloudaware Framework → 💼 Secure Access57no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)32no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)3790no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)81285no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)90no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)32no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)90no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)685no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties144no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected197no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage129no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management432no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement15666no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control36no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control27no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege102378no data