Description:
Amazon RDS provides a selection of instance types optimized to fit different relational database use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for your database. Each instance type includes several instance sizes, allowing you to scale your database to the requirements of your target workload.
Rationale:
Enabling this feature lets the AWS Identity and Access Management (IAM) service manage access to DB instances such as Amazon RDS for MySQL and PostgreSQL. Password authentication is replaced with an authentication token that is used to connect to your MySQL/PostgreSQL database.
Impact:
This rule can help you with the following compliance standards:
APRA
MAS
NIST 800-53 (Rev. 4)
Default Value:
By default, IAM database authentication is disabled on DB instances. You can enable or disable IAM database authentication using the AWS Management Console, AWS CLI, or the API.
Pre-Requisite:
An RDS database should already be set up.
RDS instances should be in the running state for the modification to be applied.
Remediation:
Test Plan:
Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
In the left navigation pane, choose Databases.
Choose the DB instance that you want to check.
Select the Configuration tab and check the IAM DB authentication value.
If IAM DB authentication is not Enabled, follow the Implementation steps to enable it.
Using AWS CLI:
aws rds describe-db-clusters --db-cluster-identifier <database name> --query 'DBClusters[].IAMDatabaseAuthenticationEnabled'
Implementation steps:
Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
In the navigation pane, choose Databases.
Choose the DB instance that you want to edit and click Modify.
The Modify DB Instance wizard opens. Under the Database authentication section, choose Password and IAM database authentication to enable IAM database authentication, then click Continue.
In the Scheduling of modifications section, perform one of the following actions based on your requirements:
Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window, or
Select Apply immediately to apply the changes right away.
Click Modify Cluster/DB instance.
Using AWS CLI:
aws rds modify-db-instance \
--db-instance-identifier mydbinstance \
--apply-immediately \
--enable-iam-database-authentication
Backout Plan:
Open the Amazon RDS console at https://console.aws.amazon.com/rds/
In the navigation pane, choose Databases.
Choose the DB instance that you want to modify.
Choose Modify.
In the Database authentication section, choose Password authentication.
Choose Continue.
To apply the changes immediately, choose Immediately in the Scheduling of modifications section.
Choose Modify DB instance.
Using AWS CLI:
aws rds modify-db-instance --db-instance-identifier mydbinstance --no-enable-iam-database-authentication --apply-immediately
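The Test Plan, Implementation and Backout steps above, carried through as one added Python example (this is not code from the rule page or from AWS tooling): it evaluates the JSON structure that aws rds describe-db-instances (or boto3's describe_db_instances) returns, using the IAMDatabaseAuthenticationEnabled, Engine and DBInstanceStatus fields, and builds the modify-db-instance commands shown in the Implementation and Backout sections for every instance that still has IAM authentication disabled. The sample output, the instance identifiers and the IAM_AUTH_ENGINES set are constructed or assumed; the engine set in particular should be checked against the availability page referenced in the Note.

```python
"""Audit RDS DB instances for IAM database authentication and build remediation commands.

Added example for this rule page; it works on the JSON returned by
`aws rds describe-db-instances --output json`, so it can be run offline on a sample.
"""
import json
import re
from typing import Dict, List

# Assumption: engines on which IAM database authentication can be enabled. Verify
# against the "Availability for IAM database authentication" page the Note references.
IAM_AUTH_ENGINES = {"mysql", "mariadb", "postgres", "aurora-mysql", "aurora-postgresql"}

# Simplified form of the RDS DB instance identifier constraint (letter first, then
# letters, digits and hyphens, at most 63 characters). Used so that a generated
# command line never carries an unexpected identifier.
_IDENTIFIER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,62}$")

# Constructed sample standing in for real describe-db-instances output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-mysql", "Engine": "mysql",
         "DBInstanceStatus": "available", "IAMDatabaseAuthenticationEnabled": False},
        {"DBInstanceIdentifier": "analytics-pg", "Engine": "postgres",
         "DBInstanceStatus": "available", "IAMDatabaseAuthenticationEnabled": True},
        {"DBInstanceIdentifier": "legacy-oracle", "Engine": "oracle-ee",
         "DBInstanceStatus": "available", "IAMDatabaseAuthenticationEnabled": False},
        {"DBInstanceIdentifier": "staging-mysql", "Engine": "mysql",
         "DBInstanceStatus": "stopped", "IAMDatabaseAuthenticationEnabled": False},
    ]
})


def evaluate_instances(describe_json: str) -> Dict[str, List[str]]:
    """Classify each DB instance from describe-db-instances output.

    compliant      - IAM DB authentication is already enabled
    non_compliant  - supported engine, instance available, IAM auth disabled
    not_ready      - IAM auth disabled but the instance is not 'available', so the
                     modify call has to wait (see Pre-Requisite)
    not_applicable - engine does not support IAM DB authentication (see Note)
    """
    report: Dict[str, List[str]] = {
        "compliant": [], "non_compliant": [], "not_ready": [], "not_applicable": []
    }
    for inst in json.loads(describe_json).get("DBInstances", []):
        ident = inst["DBInstanceIdentifier"]
        if inst.get("Engine", "") not in IAM_AUTH_ENGINES:
            report["not_applicable"].append(ident)
        elif inst.get("IAMDatabaseAuthenticationEnabled", False):
            report["compliant"].append(ident)
        elif inst.get("DBInstanceStatus") != "available":
            report["not_ready"].append(ident)
        else:
            report["non_compliant"].append(ident)
    return report


def _checked(identifier: str) -> str:
    if not _IDENTIFIER_RE.match(identifier):
        raise ValueError(f"not a valid DB instance identifier: {identifier!r}")
    return identifier


def enable_command(identifier: str, apply_immediately: bool = True) -> str:
    """The Implementation CLI step; without --apply-immediately the change waits
    for the next maintenance window."""
    parts = ["aws", "rds", "modify-db-instance",
             "--db-instance-identifier", _checked(identifier),
             "--enable-iam-database-authentication"]
    if apply_immediately:
        parts.append("--apply-immediately")
    return " ".join(parts)


def backout_command(identifier: str) -> str:
    """The Backout Plan CLI step: revert to password-only authentication."""
    return ("aws rds modify-db-instance --db-instance-identifier "
            f"{_checked(identifier)} --no-enable-iam-database-authentication "
            "--apply-immediately")


def remediation_plan(describe_json: str, apply_immediately: bool = True) -> List[str]:
    """One enable command per non-compliant instance, ready for review before use."""
    report = evaluate_instances(describe_json)
    return [enable_command(i, apply_immediately) for i in report["non_compliant"]]


if __name__ == "__main__":
    for bucket, names in evaluate_instances(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{bucket:15s} {names}")
    for cmd in remediation_plan(SAMPLE_DESCRIBE_OUTPUT):
        print(cmd)
```

To use it on a live account, replace SAMPLE_DESCRIBE_OUTPUT with the output of aws rds describe-db-instances --output json; the not_ready bucket exists because the Pre-Requisite section requires the instance to be running before the modification is applied, and the not_applicable bucket keeps engines that cannot use IAM authentication out of the remediation list.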
Note:
Make sure that the DB instance is compatible with IAM authentication. Check the compatibility requirements in Availability for IAM database authentication.