
Enable IAM Database Authentication


Risk level: Medium (should be achieved)

Ensure that the IAM Database Authentication feature is enabled in order to use the AWS Identity and Access Management (IAM) service to manage database access to your Amazon RDS MySQL and PostgreSQL instances. With this feature enabled, you don't have to use a password when you connect to your MySQL/PostgreSQL database instances; instead, you use an authentication token. An authentication token is a unique string of characters with a lifetime of 15 minutes that Amazon RDS generates on your request. IAM Database Authentication removes the need to store user credentials within the database configuration, because authentication is managed externally by AWS IAM.

Enabling the IAM Database Authentication feature for your MySQL/PostgreSQL database instances provides multiple benefits:

  1. In-transit encryption - the network traffic to and from the database instances is encrypted using Secure Sockets Layer (SSL).
  2. Centralized management - AWS IAM is used to centrally manage access to your database resources, instead of managing access individually for each database instance.
  3. Enhanced security - for web applications running on Amazon EC2, you can use the IAM profile credentials specific to each EC2 instance to access the associated database instead of using passwords.

Note: Enabling IAM Database Authentication for MySQL and PostgreSQL database instances does not disable password-based authentication; you still have the option to use standard database authentication.

Audit

To determine if your Amazon RDS MySQL and PostgreSQL database instances are using IAM Database Authentication, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Instances.

04 Choose the RDS instance that you want to examine and click on the resource name (link) available in the DB instance column.

05 Within the Details panel section, in the Configurations category, check the IAM DB Authentication Enabled configuration attribute value. If the attribute value is set to No, the IAM Database Authentication feature is not enabled for the selected Amazon RDS database instance.

06 Repeat steps no. 4 and 5 to verify the IAM Database Authentication feature status for other AWS RDS instances created in the selected region.

07 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) using custom query filters to list the names (identifiers) of all RDS MySQL and PostgreSQL database instances available in the selected AWS region:

aws rds describe-db-instances \
	--region us-east-1 \
	--output table \
	--query 'DBInstances[?Engine==`mysql` || Engine==`postgres`].DBInstanceIdentifier | []'

02 The command output should return a table with the requested RDS names:

---------------------------
|   DescribeDBInstances   |
+-------------------------+
|  cc-mysql-wp-database   |
|  cc-postgresql-database |
+-------------------------+

03 Run describe-db-instances command (OSX/Linux/UNIX) using the name of the MySQL/PostgreSQL database instance that you want to examine as the identifier, together with custom query filters, to obtain the IAM Database Authentication feature status for the selected AWS RDS resource:

aws rds describe-db-instances \
	--region us-east-1 \
	--db-instance-identifier cc-mysql-wp-database \
	--query 'DBInstances[*].IAMDatabaseAuthenticationEnabled'

04 The command output should return the feature status (true for enabled, false for disabled):

[
    false
]

If the describe-db-instances command output returns false, as shown in the output example above, the IAM Database Authentication feature is not enabled for the selected AWS RDS database instance.

05 Repeat steps no. 3 and 4 to check the IAM Database Authentication feature status for other Amazon RDS database instances available within the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To enable the IAM Database Authentication feature for your existing Amazon RDS database instances, so that your MySQL/PostgreSQL database user credentials are managed through AWS IAM users and roles, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Instances.

04 Select the RDS database instance that you want to reconfigure (see Audit section part I to identify the right RDS resource).

05 Click the Instance Actions button from the dashboard top menu and select Modify.

06 On the Modify DB Instance: <instance-identifier> page, within the Database options section, select Enable IAM DB authentication to activate IAM Database Authentication feature for the selected MySQL/PostgreSQL database instance. This enables you to manage the database user credentials through AWS IAM users and roles.

07 Click Continue to proceed with the reconfiguration process.

08 In the Summary of modifications section, review the configuration changes that you want to apply to your database instance.

09 Within Scheduling of modifications section, perform one of the following actions based on your application availability requirements:

  1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
  2. Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your application.

10 Click Modify DB Instance to save your configuration changes.

11 Repeat steps no. 4 – 10 to enable IAM Database Authentication for other AWS RDS database instances available in the current region.

12 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run modify-db-instance command (OSX/Linux/UNIX) to enable the IAM Database Authentication feature for the selected RDS MySQL/PostgreSQL database instance (see Audit section part II to identify the right database). The following command example makes use of the --apply-immediately parameter to apply the configuration changes asynchronously, as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your application. If you use the --no-apply-immediately parameter instead, the Amazon RDS service will apply your changes during the next maintenance window:

aws rds modify-db-instance \
	--region us-east-1 \
	--db-instance-identifier cc-mysql-wp-database \
	--enable-iam-database-authentication \
	--apply-immediately

02 The command output should return the configuration metadata for the modified AWS RDS database instance:

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "Engine": "mysql",
        "MultiAZ": false,
        "LatestRestorableTime": "2018-10-12T16:35:00Z",
        "PerformanceInsightsEnabled": false,
        "AutoMinorVersionUpgrade": true,
        "PreferredBackupWindow": "10:46-11:16",
        "AllocatedStorage": 150,
        "BackupRetentionPeriod": 14,

        ...

        "DBInstanceStatus": "available",
        "IAMDatabaseAuthenticationEnabled": true,
        "EngineVersion": "5.6.41",
        "DeletionProtection": true,
        "AvailabilityZone": "us-east-1b",
        "StorageType": "gp2",
        "CACertificateIdentifier": "rds-ca-2015",
        "DBInstanceClass": "db.m5.large",
        "DBInstanceIdentifier": "cc-mysql-wp-database"
    }
}

03 Repeat steps no. 1 and 2 to enable the IAM Database Authentication feature for other AWS RDS database instances available within the current region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
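The audit and remediation steps above, combined into one script as an added example (this is not Cloud Conformity's code). The filtering logic mirrors the two describe-db-instances queries and runs against a constructed sample response; the boto3 helpers assume credentials for the target account and are only called from the command-line entry point.

```python
"""Audit, and optionally remediate, IAM Database Authentication on RDS."""
import argparse

COVERED_ENGINES = {"mysql", "postgres"}  # engines this rule applies to

# Constructed sample in the shape of `aws rds describe-db-instances` output.
SAMPLE_OUTPUT = {"DBInstances": [
    {"DBInstanceIdentifier": "cc-mysql-wp-database", "Engine": "mysql",
     "IAMDatabaseAuthenticationEnabled": False},
    {"DBInstanceIdentifier": "cc-postgresql-database", "Engine": "postgres",
     "IAMDatabaseAuthenticationEnabled": True},
    {"DBInstanceIdentifier": "cc-oracle-db", "Engine": "oracle-ee",   # out of scope
     "IAMDatabaseAuthenticationEnabled": False},
    {"DBInstanceIdentifier": "cc-pg-legacy", "Engine": "postgres"},   # attribute absent
]}


def noncompliant_instances(describe_output: dict) -> list:
    """Identifiers of MySQL/PostgreSQL instances whose IAM DB auth is off.

    A missing attribute counts as disabled so an unexpected API shape
    surfaces as a finding instead of a silent pass.
    """
    findings = []
    for db in describe_output.get("DBInstances", []):
        if db.get("Engine") not in COVERED_ENGINES:
            continue
        if not db.get("IAMDatabaseAuthenticationEnabled", False):
            findings.append(db["DBInstanceIdentifier"])
    return sorted(findings)


def audit_region(region: str) -> list:
    """Page through describe_db_instances for one region (needs boto3 and network)."""
    import boto3  # imported here so the pure check stays dependency-free
    paginator = boto3.client("rds", region_name=region).get_paginator("describe_db_instances")
    instances = [db for page in paginator.paginate() for db in page["DBInstances"]]
    return noncompliant_instances({"DBInstances": instances})


def enable_iam_auth(region: str, identifier: str, apply_immediately: bool = False) -> str:
    """Remediate one instance; defaults to the maintenance window to avoid surprise downtime."""
    import boto3
    resp = boto3.client("rds", region_name=region).modify_db_instance(
        DBInstanceIdentifier=identifier, EnableIAMDatabaseAuthentication=True,
        ApplyImmediately=apply_immediately)
    return resp["DBInstance"]["DBInstanceStatus"]


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--region", default="us-east-1")
    parser.add_argument("--fix", action="store_true", help="enable IAM auth on findings")
    args = parser.parse_args()
    for name in audit_region(args.region):
        print(f"{args.region}\t{name}\tIAMDatabaseAuthenticationEnabled=false")
        if args.fix:
            print("  -> status:", enable_iam_auth(args.region, name))
```

Run it once per region, or loop over the output of `aws ec2 describe-regions`, to cover step 04 above.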

Publication date Oct 29, 2018