AWS-RDS-RDS-IAM-Database-Authentication-Enabled

Severity: High

Description: This control ensures that IAM DB Authentication is enabled for RDS DB Instances. With IAM Database Authentication, authentication tokens are issued and used for logging in instead of passwords. This provides central management of users and a better security model for authentication. Any traffic to and from the database is encrypted using Secure Sockets Layer (SSL).

Remediation Steps:

Perform the following to update authentication for RDS:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the RDS console.

  3. In the navigation pane, click Databases.

  4. Click the database instance to be modified, then click Modify.

  5. Under Database options, choose Enable IAM DB authentication.

  6. Click Continue.

  7. Under Scheduling of modifications, select Apply Immediately.

  8. Click Modify DB Instance.

Important:

  • The security tokens are valid for only 15 minutes.

  • IAM Database Authentication is available only for MySQL and PostgreSQL, with MySQL 5.6 version 5.6.34, MySQL 5.7 version 5.7.16, PostgreSQL 10.6 version 10.6.11 and PostgreSQL 9.5 version 9.5.15 or higher.
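
To check this control across many instances instead of one at a time in the console, the following added example (not part of the original control text) evaluates `aws rds describe-db-instances` output and prints the AWS CLI equivalent of the steps above for each failing instance. The instance names and sample data are constructed, and the check covers only the engine family listed above, not the minimum versions.

```python
import json
import shlex

# RDS "Engine" values for the two engines this page lists as supported.
SUPPORTED_ENGINES = {"mysql", "postgres"}

# Constructed sample, shaped like `aws rds describe-db-instances` output.
SAMPLE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-db", "Engine": "mysql",
   "IAMDatabaseAuthenticationEnabled": false},
  {"DBInstanceIdentifier": "reports-db", "Engine": "postgres",
   "IAMDatabaseAuthenticationEnabled": true},
  {"DBInstanceIdentifier": "legacy-db", "Engine": "oracle-ee",
   "IAMDatabaseAuthenticationEnabled": false},
  {"DBInstanceIdentifier": "staging-db", "Engine": "postgres"}
]}
""")


def evaluate(instance):
    """Return (identifier, status): PASS, FAIL or NOT_APPLICABLE."""
    ident = instance["DBInstanceIdentifier"]
    if instance.get("Engine") not in SUPPORTED_ENGINES:
        return ident, "NOT_APPLICABLE"
    # Fail closed: a missing or non-boolean flag counts as disabled.
    enabled = instance.get("IAMDatabaseAuthenticationEnabled") is True
    return ident, "PASS" if enabled else "FAIL"


def remediation_command(identifier):
    """AWS CLI equivalent of the console steps, applied immediately."""
    return " ".join([
        "aws", "rds", "modify-db-instance",
        "--db-instance-identifier", shlex.quote(identifier),
        "--enable-iam-database-authentication", "--apply-immediately",
    ])


def audit(describe_output):
    """Return ({identifier: status}, [remediation commands for FAILs])."""
    results = dict(evaluate(i) for i in describe_output.get("DBInstances", []))
    fixes = [remediation_command(i) for i, s in results.items() if s == "FAIL"]
    return results, fixes


if __name__ == "__main__":
    statuses, commands = audit(SAMPLE)
    for name, status in statuses.items():
        print(f"{status:15} {name}")
    print("\n".join(commands))
```

To run it against a real account, replace SAMPLE with the parsed JSON from `aws rds describe-db-instances`.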

Reference:

Blue Hexagon Proprietary