
🛡️ AWS RDS Instance IAM Database Authentication is not enabled🟢

Description

This policy identifies AWS RDS Instances that are not configured to use IAM Database Authentication. IAM database authentication enables password-free access to database instances by using short-lived authentication tokens generated by AWS IAM.

Rationale

IAM database authentication provides enhanced security and centralized access management compared to traditional password-based authentication. Instead of relying on shared or long-lived database passwords, users and applications authenticate using short-lived (15-minute) tokens generated by AWS IAM, significantly reducing the risk of credential compromise. Database access can be managed through IAM users and roles, enabling organizations to apply consistent identity governance and access control practices across AWS services. In addition, authentication activity can be audited using AWS CloudTrail, improving visibility into database access. All connections established using IAM authentication are required to use SSL/TLS encryption.

Audit

This policy flags an AWS RDS Instance as INCOMPLIANT if the instance's IAM Database Authentication Enabled attribute is set to false.


Remediation


Enable IAM Database Authentication

To enable IAM Database Authentication for an existing AWS RDS instance, update the instance configuration to allow authentication using IAM-generated tokens.

From Command Line

Run the following command to enable IAM database authentication for the specified DB instance:

aws rds modify-db-instance \
  --db-instance-identifier {{instance-id}} \
  --enable-iam-database-authentication \
  --apply-immediately

By default, configuration changes are applied during the next scheduled maintenance window. Using the --apply-immediately parameter forces the change to take effect as soon as possible and may result in a brief service interruption.
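As an added example (not part of the policy page or of the tool's own policy.yaml), the following Python script implements the Audit check described above against the field shape of the RDS DescribeDBInstances response, and builds the remediation command from the From Command Line section for each flagged instance. The instance records are constructed for illustration; fetching live data through boto3 is an assumption about how the check would be run in practice.

```python
"""
Added example: audit logic for the "IAM Database Authentication is not
enabled" policy, plus generation of the remediation command from the page.
The sample DBInstance records below are constructed; the identifiers are not
real resources.
"""
from typing import Iterable

# Constructed sample of DBInstance records in the shape returned by
# describe_db_instances (only the fields this check needs are included).
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
     "IAMDatabaseAuthenticationEnabled": True},
    {"DBInstanceIdentifier": "reports-staging", "Engine": "mysql",
     "IAMDatabaseAuthenticationEnabled": False},
    # Attribute absent: treated as not enabled rather than silently passing.
    {"DBInstanceIdentifier": "legacy-analytics", "Engine": "mariadb"},
]


def is_compliant(instance: dict) -> bool:
    """An instance is compliant only when the attribute is explicitly True."""
    return instance.get("IAMDatabaseAuthenticationEnabled") is True


def find_noncompliant(instances: Iterable[dict]) -> list[str]:
    """Return identifiers of instances the policy would flag as INCOMPLIANT."""
    return [i["DBInstanceIdentifier"] for i in instances if not is_compliant(i)]


def remediation_command(instance_id: str, apply_immediately: bool = False) -> str:
    """Build the `aws rds modify-db-instance` command from the Remediation section.

    --apply-immediately is off by default so the change lands in the next
    maintenance window; pass apply_immediately=True to force it now (the page
    notes this may cause a brief interruption).
    """
    parts = [
        "aws rds modify-db-instance",
        f"--db-instance-identifier {instance_id}",
        "--enable-iam-database-authentication",
    ]
    if apply_immediately:
        parts.append("--apply-immediately")
    return " \\\n  ".join(parts)


def fetch_all_db_instances(region_name: str) -> list[dict]:
    """Page through describe_db_instances with boto3 (needs AWS credentials).

    boto3 is imported lazily so the pure audit functions above run without it.
    """
    import boto3  # assumption: boto3 is installed where this is run

    rds = boto3.client("rds", region_name=region_name)
    paginator = rds.get_paginator("describe_db_instances")
    found = []
    for page in paginator.paginate():
        found.extend(page["DBInstances"])
    return found


if __name__ == "__main__":
    # Audit the constructed sample; swap in fetch_all_db_instances("<region>")
    # to audit a real account.
    for ident in find_noncompliant(SAMPLE_DB_INSTANCES):
        print(f"INCOMPLIANT: {ident}")
        print(remediation_command(ident, apply_immediately=True))
        print()
```

Treating a missing attribute as non-compliant keeps the check fail-closed: an instance record that lacks the field is reported rather than quietly passing.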


Linked Framework Sections

Section → Sub Section | Internal Rules / Policies / Flags (counts) | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.10] IAM authentication should be configured for RDS instances | 1 | no data
💼 Cloudaware Framework → 💼 Secure Access | 74 | no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 27 | no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 3784 | no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H) | 81179 | no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 84 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 27 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 84 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H) | 679 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 133 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 183 | no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage | 122 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management | 427 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement | 15559 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control | 31 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control | 22 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege | 102372 | no data