Description
This policy identifies AWS RDS clusters that are not configured to use IAM Database Authentication. IAM Database Authentication enables passwordless access to database instances by using temporary authentication tokens generated by AWS IAM.
Rationale
IAM Database Authentication provides several security and operational advantages over traditional password-based authentication. It enables centralized access management through AWS IAM, allowing the use of existing IAM users and roles for database access, consistent with other AWS resources. This approach eliminates the need to store, manage, or rotate database passwords. Instead, authentication relies on short-lived IAM-generated tokens, significantly reducing the risk of credential compromise associated with long-lived credentials. Additionally, database connections are encrypted using SSL/TLS by default when IAM authentication is enabled.
Audit
This policy flags an AWS RDS Cluster as INCOMPLIANT if the IAM Database Authentication Enabled field is set to false.
Clusters whose State is not available, or whose Engine is neither aurora-postgresql nor aurora-mysql, are marked as INAPPLICABLE.
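The audit logic above, implemented as an added Python example (this is not the policy vendor's own evaluator). The input records mirror the field names of the RDS DescribeDBClusters response (DBClusterIdentifier, Status, Engine, IAMDatabaseAuthenticationEnabled); the sample clusters are constructed for illustration, and the decision to treat a missing IAMDatabaseAuthenticationEnabled field as disabled is an assumption made here so that the check fails closed.

```python
"""Evaluate the IAM Database Authentication policy against RDS cluster records.

Added example, not the policy's own implementation. Input dicts follow the
shape of the DescribeDBClusters API response; the sample clusters below are
constructed, not real resources.
"""

COMPLIANT = "COMPLIANT"
INCOMPLIANT = "INCOMPLIANT"
INAPPLICABLE = "INAPPLICABLE"

# Engine types the policy applies to, as stated in the Audit section.
APPLICABLE_ENGINES = {"aurora-postgresql", "aurora-mysql"}


def evaluate_cluster(cluster):
    """Return the policy verdict for one DescribeDBClusters record.

    Applicability is decided first: a cluster that is not 'available' or not
    an Aurora PostgreSQL/MySQL engine is INAPPLICABLE regardless of its IAM
    authentication setting. Only applicable clusters have the flag inspected.
    """
    if cluster.get("Status") != "available":
        return INAPPLICABLE
    if cluster.get("Engine") not in APPLICABLE_ENGINES:
        return INAPPLICABLE
    # Assumption: a missing field is treated as disabled so the check fails
    # closed instead of silently passing a cluster whose setting was omitted.
    if cluster.get("IAMDatabaseAuthenticationEnabled", False) is True:
        return COMPLIANT
    return INCOMPLIANT


def evaluate_clusters(clusters):
    """Map each cluster identifier to its verdict."""
    return {c["DBClusterIdentifier"]: evaluate_cluster(c) for c in clusters}


def noncompliant_identifiers(clusters):
    """Identifiers that should be raised as findings, sorted for stable output."""
    return sorted(
        ident for ident, verdict in evaluate_clusters(clusters).items()
        if verdict == INCOMPLIANT
    )


# Constructed sample records, one per decision branch of the audit.
SAMPLE_CLUSTERS = [
    # Available Aurora PostgreSQL cluster with IAM auth on: COMPLIANT
    {"DBClusterIdentifier": "orders-prod", "Status": "available",
     "Engine": "aurora-postgresql", "IAMDatabaseAuthenticationEnabled": True},
    # Available Aurora MySQL cluster with IAM auth off: INCOMPLIANT
    {"DBClusterIdentifier": "reports-prod", "Status": "available",
     "Engine": "aurora-mysql", "IAMDatabaseAuthenticationEnabled": False},
    # Cluster mid-modification: not 'available', so INAPPLICABLE
    {"DBClusterIdentifier": "analytics-stage", "Status": "modifying",
     "Engine": "aurora-mysql", "IAMDatabaseAuthenticationEnabled": False},
    # Multi-AZ DB cluster on a non-Aurora engine: INAPPLICABLE
    {"DBClusterIdentifier": "inventory-maz", "Status": "available",
     "Engine": "postgres", "IAMDatabaseAuthenticationEnabled": False},
    # Applicable cluster whose record omits the flag: fails closed, INCOMPLIANT
    {"DBClusterIdentifier": "billing-prod", "Status": "available",
     "Engine": "aurora-postgresql"},
]

if __name__ == "__main__":
    for ident, verdict in evaluate_clusters(SAMPLE_CLUSTERS).items():
        print(f"{ident}: {verdict}")
    print("findings:", noncompliant_identifiers(SAMPLE_CLUSTERS))
```

In a real scan the records would come from the `describe_db_clusters` call of the RDS client (paginated), and each INCOMPLIANT identifier is the cluster to remediate by enabling IAM Database Authentication on the cluster.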