🛡️ AWS RDS Cluster IAM Database Authentication is not enabled🟢

Description

This policy identifies AWS RDS DB clusters that are not configured to use IAM Database Authentication. With IAM Database Authentication, clients connect with a short-lived authentication token (valid for 15 minutes) generated by AWS IAM in place of a static database password.

Rationale

IAM Database Authentication has several security and operational advantages over password-based authentication. Access is managed centrally in AWS IAM: the same IAM users and roles used for other AWS resources can be granted database access (through the rds-db:connect action), so there is no separate database password to store, distribute, or rotate. Because each connection uses a token that expires after 15 minutes, a leaked credential is far less useful to an attacker than a long-lived password. Connections that authenticate with an IAM token must also use SSL/TLS; the token is not accepted over a plaintext connection. Note that enabling the feature on the cluster is only the first step: each IAM-authenticated login still needs a database user created for IAM authentication and an IAM principal permitted to connect as it, and existing password-based users keep working until they are changed or removed.

Audit

This policy flags an AWS RDS DB cluster as INCOMPLIANT if its IAMDatabaseAuthenticationEnabled attribute (as returned by describe-db-clusters) is false.

Remediation

Enable IAM Database Authentication

To enable IAM Database Authentication for an existing AWS RDS Aurora cluster, update the cluster configuration to allow authentication using IAM-generated tokens.

From Command Line

Run the following command to enable IAM database authentication for the specified DB cluster:

aws rds modify-db-cluster \
--db-cluster-identifier {{cluster-id}} \
--enable-iam-database-authentication \
--apply-immediately

By default, configuration changes are applied during the next scheduled maintenance window. Using the --apply-immediately parameter forces the change to take effect as soon as possible, which may cause a brief service interruption depending on the cluster configuration.
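The audit rule and the remediation command above, worked through as an added example that is not part of this policy page or of any AWS tooling. The script runs the policy's check over a constructed describe-db-clusters response (a missing attribute is treated as non-compliant rather than silently passing), prints the modify-db-cluster command for each non-compliant cluster, and builds the two follow-up artifacts a remediation needs: the rds-db:connect IAM policy scoped to one cluster resource ID and one database user, and the SQL that creates that user for IAM authentication. The cluster names, account ID, resource IDs and the user name app_user are assumptions; the optional live fetch requires boto3 and AWS credentials.

```python
"""Audit RDS/Aurora DB clusters for IAM Database Authentication and emit remediation.

Added example, not the policy's own code. It works on the JSON shape returned by
`aws rds describe-db-clusters` (DBClusterIdentifier, Engine,
IAMDatabaseAuthenticationEnabled, DbClusterResourceId). The sample response is
constructed; fetch_clusters_live() is the optional real path and needs boto3.
"""
import json
from typing import Dict, List

# Constructed sample of a describe-db-clusters response (not real account data).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBClusters": [
        {"DBClusterIdentifier": "orders-aurora", "Engine": "aurora-mysql",
         "IAMDatabaseAuthenticationEnabled": False,
         "DbClusterResourceId": "cluster-ABCDEFGHIJKLMNOPQRSTUVWXYZ"},
        {"DBClusterIdentifier": "analytics-pg", "Engine": "aurora-postgresql",
         "IAMDatabaseAuthenticationEnabled": True,
         "DbClusterResourceId": "cluster-ZYXWVUTSRQPONMLKJIHGFEDCBA"},
        # Attribute absent: flagged, so an unexpected response shape cannot hide a cluster.
        {"DBClusterIdentifier": "legacy-cluster", "Engine": "aurora-mysql",
         "DbClusterResourceId": "cluster-00000000000000000000000000"},
    ]
})


def find_noncompliant(describe_output: str) -> List[Dict]:
    """Policy audit: return clusters whose IAMDatabaseAuthenticationEnabled is not true."""
    clusters = json.loads(describe_output).get("DBClusters", [])
    return [c for c in clusters if c.get("IAMDatabaseAuthenticationEnabled") is not True]


def remediation_command(cluster_id: str, apply_immediately: bool = True) -> str:
    """Build the modify-db-cluster command from the Remediation section."""
    parts = ["aws rds modify-db-cluster",
             f"--db-cluster-identifier {cluster_id}",
             "--enable-iam-database-authentication"]
    if apply_immediately:  # otherwise the change waits for the maintenance window
        parts.append("--apply-immediately")
    return " \\\n    ".join(parts)


def connect_policy(region: str, account_id: str, resource_id: str, db_user: str) -> Dict:
    """Least-privilege IAM policy: rds-db:connect for one DB user on one cluster.

    The resource ARN uses the cluster's DbClusterResourceId (not its identifier),
    so the grant does not survive a delete/recreate of the cluster under the same name.
    """
    arn = f"arn:aws:rds-db:{region}:{account_id}:dbuser:{resource_id}/{db_user}"
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "rds-db:connect", "Resource": arn}]}


def create_user_sql(engine: str, db_user: str) -> str:
    """SQL to create a database user that authenticates with an IAM token."""
    if "mysql" in engine:
        return f"CREATE USER '{db_user}'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';"
    if "postgres" in engine:
        return f"CREATE USER {db_user}; GRANT rds_iam TO {db_user};"
    raise ValueError(f"IAM database authentication SQL not known for engine {engine!r}")


def fetch_clusters_live() -> str:
    """Optional live path returning the same JSON shape (needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline audit runs without boto3 installed
    rds = boto3.client("rds")
    clusters = []
    for page in rds.get_paginator("describe_db_clusters").paginate():
        clusters.extend(page["DBClusters"])
    return json.dumps({"DBClusters": clusters}, default=str)


if __name__ == "__main__":
    # Assumed region/account/user for the printed artifacts.
    for c in find_noncompliant(SAMPLE_DESCRIBE_OUTPUT):
        print(f"INCOMPLIANT: {c['DBClusterIdentifier']}")
        print(remediation_command(c["DBClusterIdentifier"]))
        print(json.dumps(connect_policy("us-east-1", "123456789012",
                                        c["DbClusterResourceId"], "app_user"), indent=2))
        print(create_user_sql(c["Engine"], "app_user"))
```

Running the script as-is audits the constructed sample; swap SAMPLE_DESCRIBE_OUTPUT for fetch_clusters_live() to audit a real account. After modify-db-cluster completes, the cluster passes the check, but a principal can only log in once the connect policy is attached and the database user exists, and the client must request a token (for example with aws rds generate-db-auth-token) and connect over SSL/TLS.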

Linked Framework Sections

Section → Sub Section | Internal Rules / Policies / Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.12] IAM authentication should be configured for RDS clusters | 1 | no data
💼 Cloudaware Framework → 💼 Secure Access | 74 | no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 27 | no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 3784 | no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H) | 81179 | no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 84 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 27 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 84 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H) | 679 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 133 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 183 | no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage | 122 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management | 427 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement | 15559 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control | 31 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control | 22 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege | 102372 | no data