RDS.10 IAM authentication should be configured for RDS instances
It’s important to check whether an RDS DB instance has IAM database authentication enabled. IAM database authentication allows authentication to database instances with an authentication token instead of a password.
You can authenticate to your DB cluster using AWS Identity and Access Management (IAM) database authentication. IAM database authentication works with Aurora MySQL and Aurora PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB cluster. Instead, you use an authentication token.
An authentication token is a unique string of characters that Amazon Aurora generates on request. Authentication tokens are generated using AWS Signature Version 4. Each token has a lifetime of 15 minutes. You don't need to store user credentials in the database, because authentication is managed externally using IAM. You can also still use standard database authentication. The token is only used for authentication and doesn't affect the session after it is established.
IAM database authentication provides the following benefits:
• Network traffic to and from the database is encrypted using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). For more information about using SSL/TLS with Amazon Aurora, see Using SSL/TLS to encrypt a connection to a DB cluster.
• You can use IAM to centrally manage access to your database resources, instead of managing access individually on each DB cluster.
• For applications running on Amazon EC2, you can use profile credentials specific to your EC2 instance to access your database instead of a password, for greater security.
In general, consider using IAM database authentication when your applications create fewer than 200 connections per second, and you don't want to manage usernames and passwords directly in your application code.
How to Apply This Use Case Step by Step:
• To remediate this issue, update your DB instance to enable IAM authentication.
• To enable IAM authentication for an existing DB instance, open the Amazon RDS console at https://console.aws.amazon.com/rds/.
• Choose “Databases”.
• Select the DB instance to modify.
• Choose “Modify”.
• Under “Database options”, choose “Enable IAM DB authentication”.
• Choose “Continue”.
• Under “Scheduling of modifications”, choose when to apply modifications. The options are “Apply during the next scheduled maintenance window” or “Apply immediately”.
• For clusters, choose “Modify DB Instance”.
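The same check and remediation can be scripted instead of clicked through. The following is an added example, not code from the original page or from AWS: it evaluates `aws rds describe-db-instances` JSON output for RDS.10 and builds the equivalent `modify-db-instance` call. The sample output and the set of in-scope engines are constructed assumptions to adjust for your environment.

```python
import json

# Constructed sample of `aws rds describe-db-instances --output json`; not real account data.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "Engine": "mysql",
         "IAMDatabaseAuthenticationEnabled": False},
        {"DBInstanceIdentifier": "reporting-pg", "Engine": "postgres",
         "IAMDatabaseAuthenticationEnabled": True},
        {"DBInstanceIdentifier": "legacy-mssql", "Engine": "sqlserver-ex",
         "IAMDatabaseAuthenticationEnabled": False},
    ]
})

# Engines this check treats as in scope for RDS.10. Assumption: maintain this set for
# your environment; engines outside it (e.g. SQL Server) are skipped, not flagged.
IAM_AUTH_ENGINES = {"mysql", "postgres", "mariadb", "aurora-mysql", "aurora-postgresql"}


def find_noncompliant(describe_json: str) -> list[str]:
    """Return identifiers of in-scope instances without IAM DB authentication enabled."""
    instances = json.loads(describe_json).get("DBInstances", [])
    failing = []
    for inst in instances:
        if inst.get("Engine") not in IAM_AUTH_ENGINES:
            continue  # control does not apply to this engine
        # A missing key is treated as "not enabled" so the check fails closed.
        if not inst.get("IAMDatabaseAuthenticationEnabled", False):
            failing.append(inst["DBInstanceIdentifier"])
    return failing


def remediation_command(identifier: str, apply_immediately: bool = False) -> str:
    """Build the AWS CLI call matching the console 'Enable IAM DB authentication' step.

    apply_immediately=False corresponds to 'Apply during the next scheduled
    maintenance window'; True corresponds to 'Apply immediately'.
    """
    cmd = ["aws", "rds", "modify-db-instance",
           "--db-instance-identifier", identifier,
           "--enable-iam-database-authentication"]
    cmd.append("--apply-immediately" if apply_immediately else "--no-apply-immediately")
    return " ".join(cmd)


if __name__ == "__main__":
    for db in find_noncompliant(SAMPLE_DESCRIBE_OUTPUT):
        print(f"RDS.10 FAILED: {db}")
        print("  remediate with:", remediation_command(db))
```

Enabling IAM authentication on the instance only makes token-based login possible; database users still have to be created and granted the IAM authentication plugin or role before a password can be retired.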