Description:

Amazon RDS provides a selection of instance types optimized to fit different relational database use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for your database. Each instance type includes several instance sizes, allowing you to scale your database to the requirements of your target workload.

Rationale:

Enabling this feature will let Identity Access Management (IAM) service access and manage Database Instances such as Amazon RDS MySQL and PostgreSQL. Password authentication is replaced with an authentication token that connects you to your MySQL/PostgreSQL database.


Impact:

This rule can help you with the following compliance standards:

  • APRA

  • MAS

  • NIST 800-53 (Rev. 4)

Default Value:

By default, IAM database authentication is disabled on DB instances. You can enable or disable IAM database authentication using the AWS Management Console, AWS CLI, or the API.

Audit:

  1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. In the left navigation pane, choose Databases.

     
  3. Choose the DB instance that you want to check.

  4. Select the configurations tab and check the IAM DB authentication column

  5. If you notice IAM DB authentication is not Enabled follow the Implementation steps to enable it.

Remediation: 

Pre-Requisite: 

  • Should have an RDS Database Setup already

  • RDS Instances should be running state to apply the modification

Implementation steps:

  1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. In the navigation pane, choose Databases.

  3. Choose the DB instance that you want to edit and click on Modify

  4. By clicking on Modify Modify DB Instance wizard will pop up under the Database authentication section, choose Password and IAM database authentication to enable IAM database authentication, click on continue

  5. In the Scheduling of modifications section, perform one of the following actions based on your requirements:

  6. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window Or

  7. Select Apply immediately to apply the changes right away

  8. Click Modify Cluster/DB instance.

Via CLI:

aws rds modify-db-instance \
    --db-instance-identifier mydbinstance \
    --apply-immediately \
    --enable-iam-database-authentication


Backout Plan:

  1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/

  2. In the navigation pane, choose Databases.

  3. Choose the DB instance that you want to modify.

  4. Choose Modify.

  5. In the Database authentication section, choose Password  authentication 


  6. Choose Continue.

  7. To apply the changes immediately, choose Immediately in the Scheduling of modifications section.

  8. Choose Modify DB instance.

Note:

Reference: