Description

This policy identifies AWS RDS Instances that are not configured to use IAM Database Authentication. IAM database authentication enables password-free access to database instances by using short-lived authentication tokens generated by AWS IAM.

Rationale

IAM database authentication provides enhanced security and centralized access management compared to traditional password-based authentication. Instead of relying on shared or long-lived database passwords, users and applications authenticate using short-lived (15-minute) tokens generated by AWS IAM, significantly reducing the risk of credential compromise. Database access can be managed through IAM users and roles, enabling organizations to apply consistent identity governance and access control practices across AWS services. In addition, authentication activity can be audited using AWS CloudTrail, improving visibility into database access. All connections established using IAM authentication are required to use SSL/TLS encryption.

Audit

This policy flags an AWS RDS Instance as INCOMPLIANT if IAM Database Authentication Enabled is set to false.

RDS Instances are marked as INAPPLICABLE if they meet any of the following conditions:

  • Are part of a DB Cluster
  • Are not in the available state
  • Use an unsupported database engine

Supported database engine types include: postgres, mysql, mariadb, aurora, aurora-postgresql, and aurora-mysql.
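The audit logic above, written out as an added example (not the policy vendor's own code) so the three INAPPLICABLE conditions, the engine allow-list, and the flag check can be run against records shaped like the RDS DescribeDBInstances API response. The field names (DBInstanceIdentifier, Engine, DBInstanceStatus, DBClusterIdentifier, IAMDatabaseAuthenticationEnabled) are the real API attributes; the sample records are constructed, and the optional live collector assumes boto3 is installed with AWS credentials configured.

```python
"""Evaluate RDS instance records against the IAM Database Authentication policy.

Added example (not the policy vendor's own code). Assumes the instance
records carry the field names returned by the RDS DescribeDBInstances API.
"""
from typing import Dict, Iterable, List

# Engines the policy evaluates; anything else is INAPPLICABLE.
SUPPORTED_ENGINES = {
    "postgres", "mysql", "mariadb",
    "aurora", "aurora-postgresql", "aurora-mysql",
}

COMPLIANT = "COMPLIANT"
INCOMPLIANT = "INCOMPLIANT"
INAPPLICABLE = "INAPPLICABLE"


def evaluate_instance(db: Dict) -> str:
    """Return the policy verdict for one DescribeDBInstances record.

    Inapplicability checks come first, mirroring the audit text: cluster
    members, instances that are not 'available', and unsupported engines
    are skipped before the IAM authentication flag is inspected.
    """
    if db.get("DBClusterIdentifier"):
        return INAPPLICABLE
    if db.get("DBInstanceStatus") != "available":
        return INAPPLICABLE
    if db.get("Engine") not in SUPPORTED_ENGINES:
        return INAPPLICABLE
    # A missing flag is treated as disabled: the check is satisfied only
    # when the API explicitly reports the feature as enabled.
    if db.get("IAMDatabaseAuthenticationEnabled") is True:
        return COMPLIANT
    return INCOMPLIANT


def audit(instances: Iterable[Dict]) -> Dict[str, str]:
    """Map each DBInstanceIdentifier to its verdict."""
    return {db["DBInstanceIdentifier"]: evaluate_instance(db) for db in instances}


def incompliant_identifiers(instances: Iterable[Dict]) -> List[str]:
    """Identifiers that need remediation, sorted for stable reporting."""
    return sorted(k for k, v in audit(instances).items() if v == INCOMPLIANT)


def fetch_live_instances(region_name: str) -> List[Dict]:
    """Collect real records with boto3 (paginated). Imported lazily so the
    rest of the module runs offline without boto3 or credentials."""
    import boto3  # assumption: boto3 installed and AWS credentials configured
    client = boto3.client("rds", region_name=region_name)
    records: List[Dict] = []
    for page in client.get_paginator("describe_db_instances").paginate():
        records.extend(page["DBInstances"])
    return records


# Constructed sample records (not real AWS output) covering each branch.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "pg-prod", "Engine": "postgres",
     "DBInstanceStatus": "available", "IAMDatabaseAuthenticationEnabled": True},
    {"DBInstanceIdentifier": "mysql-legacy", "Engine": "mysql",
     "DBInstanceStatus": "available", "IAMDatabaseAuthenticationEnabled": False},
    {"DBInstanceIdentifier": "aurora-member", "Engine": "aurora-mysql",
     "DBInstanceStatus": "available", "DBClusterIdentifier": "aurora-cluster",
     "IAMDatabaseAuthenticationEnabled": False},
    {"DBInstanceIdentifier": "maria-stopped", "Engine": "mariadb",
     "DBInstanceStatus": "stopped", "IAMDatabaseAuthenticationEnabled": False},
    {"DBInstanceIdentifier": "mssql-app", "Engine": "sqlserver-ee",
     "DBInstanceStatus": "available", "IAMDatabaseAuthenticationEnabled": False},
]

if __name__ == "__main__":
    for ident, verdict in audit(SAMPLE_INSTANCES).items():
        print(f"{ident:15s} {verdict}")
    # Live use: audit(fetch_live_instances("us-east-1"))
```

Cluster members are skipped because IAM authentication for Aurora is a property of the DB cluster, so the per-instance flag is not the right thing to inspect there; a separate cluster-level check would cover those. Treating an absent flag as disabled keeps the check fail-closed if a record is ever missing the attribute.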