Profile Applicability:
- Level 2
Description:
Amazon RDS and Amazon Aurora support IAM (Identity and Access Management) database authentication for the MySQL, MariaDB and PostgreSQL engines. When it is enabled, a database user that has been mapped to IAM can log in with a short-lived authentication token (valid for 15 minutes) that the client generates from its IAM credentials, instead of a database password; the connection must use TLS. Access is then governed by IAM policies (the rds-db:connect action), which removes long-lived database passwords from application configuration and lets database access be granted and revoked centrally alongside other AWS permissions.
This SOP ensures that RDS clusters are configured with IAM database authentication enabled. Note that the cluster-level setting only makes IAM authentication available: password logins keep working, and each database user that should authenticate through IAM must still be created or altered to use the engine's IAM plugin and be granted rds-db:connect.
Rationale:
Security: IAM authentication reduces the need for static database passwords, which can be difficult to manage securely. Using IAM ensures that database access is tightly controlled and governed by IAM policies.
Centralized Access Management: IAM allows for centralized management of database access, making it easier to implement least-privilege access control.
Audit and Monitoring: each IAM-authenticated login is tied to a named IAM principal and an explicit policy grant rather than a shared password, so database access can be reviewed and revoked through IAM policies and credential reports; the engine's own audit and connection logs continue to record the database user name.
Compliance: Many regulatory frameworks (e.g., PCI-DSS, HIPAA, SOC 2) require strong, centrally managed access control and the elimination of shared, long-lived credentials, which IAM authentication provides.
Impact:
Pros:
Enhanced Security: Replaces long-lived database passwords with 15-minute tokens for IAM-mapped users, so a leaked configuration file, repository or backup no longer yields a reusable database credential.
Centralized Access Control: Leverages IAM to manage permissions across AWS services, so database access is granted and revoked with the same roles and policies as the rest of the account.
Easier Auditing: Database logins map to IAM principals, so access reviews and revocation happen in IAM rather than separately in each database.
Cons:
Compatibility: Only the MySQL, MariaDB and PostgreSQL engines (RDS and Aurora) support IAM authentication. Clients must support TLS with certificate verification and, for MySQL, the cleartext authentication plugin, so some legacy applications need updates or configuration changes.
Management Overhead: IAM authentication requires proper configuration of IAM roles, policies and trust relationships, plus a database user mapped to IAM for every principal that connects.
Connection Rate: Tokens expire after 15 minutes and each new connection must be authorized by IAM, so AWS recommends IAM authentication only for workloads that open fewer than 200 new connections per second; connection pooling with token refresh is needed for busy applications.
Default Value:
By default, IAM database authentication is disabled for RDS clusters and instances. It must be explicitly enabled during cluster creation or by modifying the cluster later; enabling it does not disable password authentication for existing users.
Pre-requisite:
AWS IAM Permissions:
rds:DescribeDBClusters
rds:ModifyDBCluster
rds:CreateDBCluster
iam:ListRoles
AWS CLI installed and configured.
For each principal that will connect, an IAM policy allowing rds-db:connect on the target database user (arn:aws:rds-db:<region>:<account>:dbuser:<resource-id>/<db-user>, where <resource-id> is the cluster's DbClusterResourceId or the instance's DbiResourceId), and a database user created with the engine's IAM plugin.
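Enabling the cluster flag is only one of the three pieces a login needs; the other two are an rds-db:connect grant on the correct ARN and a database user bound to the IAM plugin. The following script is an added example, not part of this SOP or of AWS documentation. It assumes AWS CLI v2 and a MySQL command-line client; the user name jane_doe, the account 123456789012, the region us-east-1 and the resource IDs in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original SOP: the pieces a principal needs
# beyond the cluster-level flag before an IAM login succeeds: a database user
# bound to the IAM plugin, an rds-db:connect grant on the right ARN, and a
# TLS connection that presents a freshly generated token as the password.
# Assumes AWS CLI v2 and a mysql client; account, region, resource ID,
# endpoint and user name in the usage comments are constructed examples.
set -eu

# Resource ARN for the rds-db:connect action. It is built from the cluster's
# DbClusterResourceId (cluster-XXXX) or the instance's DbiResourceId (db-XXXX),
# not from the human-readable identifier; using the identifier here is the
# usual cause of "Access denied" after IAM authentication has been enabled.
rds_connect_arn() {
    region=$1; account=$2; resource_id=$3; db_user=$4
    printf 'arn:aws:rds-db:%s:%s:dbuser:%s/%s' "$region" "$account" "$resource_id" "$db_user"
}

# Least-privilege policy: exactly one database user on one cluster or instance.
connect_policy() {
    printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"rds-db:connect","Resource":"%s"}]}' "$1"
}

# Look up the resource ID, trying the target as a cluster first, then as an instance.
resource_id_for() {
    target=$1; region=$2
    aws rds describe-db-clusters --region "$region" --db-cluster-identifier "$target" \
        --query 'DBClusters[0].DbClusterResourceId' --output text 2>/dev/null \
    || aws rds describe-db-instances --region "$region" --db-instance-identifier "$target" \
        --query 'DBInstances[0].DbiResourceId' --output text
}

# Log in with a token instead of a password. The token is a SigV4-signed
# string valid for 15 minutes; it is presented as a cleartext password, which
# is why TLS with certificate verification is required (RDS refuses IAM
# authentication over an unencrypted connection). The token is passed through
# MYSQL_PWD rather than --password so it does not show up in the process list.
# ca_bundle is the RDS CA bundle, e.g. downloaded from
# https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
connect_with_token() {
    host=$1; port=$2; db_user=$3; region=$4; ca_bundle=$5
    token=$(aws rds generate-db-auth-token --hostname "$host" --port "$port" \
                --region "$region" --username "$db_user")
    MYSQL_PWD="$token" mysql --host="$host" --port="$port" --user="$db_user" \
        --ssl-ca="$ca_bundle" --ssl-mode=VERIFY_IDENTITY --enable-cleartext-plugin
}

# One-time setup per database user, executed by the master user:
#   MySQL / Aurora MySQL:  CREATE USER jane_doe IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
#   PostgreSQL:            CREATE USER jane_doe; GRANT rds_iam TO jane_doe;
# For PostgreSQL the token is passed as PGPASSWORD with sslmode=verify-full.

# Usage: iam-db-access.sh policy  <cluster-or-instance-id> <region> <account-id> <db-user>
#        iam-db-access.sh connect <endpoint> <port> <db-user> <region> <ca-bundle.pem>
# Without arguments the script only defines the functions (so it can be sourced).
case ${1:-} in
    policy)  connect_policy "$(rds_connect_arn "$3" "$4" "$(resource_id_for "$2" "$3")" "$5")"; echo ;;
    connect) connect_with_token "$2" "$3" "$4" "$5" "$6" ;;
    "")      : ;;
    *)       echo "usage: $0 policy|connect ..." >&2; exit 2 ;;
esac
```

The policy subcommand prints a document that can be attached to the connecting role or user with aws iam put-role-policy or put-user-policy. The MariaDB command-line client spells the TLS verification option --ssl-verify-server-cert instead of --ssl-mode.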
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon RDS under Services.
In the RDS Dashboard, go to Databases and select the RDS cluster for which you want to check IAM authentication.
In the Configuration tab, look for the IAM database authentication setting.
If IAM authentication is enabled, it will be set to Enabled.
If IAM authentication is not enabled, it will show Disabled.
If IAM authentication is disabled, click Modify and, in the Database authentication section, choose Password and IAM database authentication (in older console layouts this is the IAM DB authentication checkbox under Database options).
Save the changes and verify that IAM authentication is now enabled for the RDS cluster.
Using AWS CLI:
To check if IAM authentication is enabled for an RDS cluster, run the following command:
aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,IAMDatabaseAuthenticationEnabled:IAMDatabaseAuthenticationEnabled}'
Review the output:
If IAMDatabaseAuthenticationEnabled is true, IAM authentication is enabled.
If IAMDatabaseAuthenticationEnabled is false, IAM authentication is not enabled.
To enable IAM authentication for an RDS cluster, run:
aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --enable-iam-database-authentication --apply-immediately
Verify that IAM authentication is enabled:
aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,IAMDatabaseAuthenticationEnabled:IAMDatabaseAuthenticationEnabled}'
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon RDS.
In the RDS Dashboard, select Databases and choose the RDS cluster for which you want to enable IAM authentication.
Click Modify.
In the Database authentication section, choose Password and IAM database authentication (in older console layouts, enable the IAM DB authentication checkbox under Database options).
Click Continue, then Apply Changes to enable IAM authentication.
Using AWS CLI:
To enable IAM authentication for an RDS cluster, run the following command:
aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --enable-iam-database-authentication --apply-immediately
To verify the IAM authentication status, run:
aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,IAMDatabaseAuthenticationEnabled:IAMDatabaseAuthenticationEnabled}'
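The describe, modify and verify commands above (and the disable command in the Backout Plan) act on one cluster at a time, and describe-db-clusters does not list standalone RDS instances at all. The following script is an added example, not part of this SOP, that audits a whole region for the IAMDatabaseAuthenticationEnabled flag and enables or disables it on a named target before re-reading the value. It assumes AWS CLI v2 (which paginates automatically) with the rds:Describe* and rds:Modify* permissions listed under Pre-requisite; the identifiers prod-aurora, reports-db and legacy-mysql are constructed.

```shell
#!/bin/sh
# Added example, not part of the original SOP: audit a region for the
# IAMDatabaseAuthenticationEnabled flag (Aurora clusters and standalone RDS
# instances, which describe-db-clusters alone would miss), then enable or
# disable the flag on one target and re-read it. Assumes AWS CLI v2 with the
# rds:Describe*/rds:Modify* permissions listed under Pre-requisite.
# Identifiers such as prod-aurora are constructed examples.
set -eu

# Filter "identifier<TAB>True|False" lines, the shape --output text produces
# for the queries below, and print only identifiers whose flag is not True.
report_disabled() {
    awk -F'\t' '$2 != "True" { print $1 }'
}

# One line per cluster, plus one per instance that is not a cluster member
# (members inherit the cluster setting and would only duplicate the result).
list_iam_auth_status() {
    region=$1
    aws rds describe-db-clusters --region "$region" \
        --query 'DBClusters[].[DBClusterIdentifier,IAMDatabaseAuthenticationEnabled]' \
        --output text
    aws rds describe-db-instances --region "$region" \
        --query 'DBInstances[?DBClusterIdentifier==`null`].[DBInstanceIdentifier,IAMDatabaseAuthenticationEnabled]' \
        --output text
}

# Flip the flag on a cluster (or, if no cluster by that name exists, on an
# instance), wait for the modification to finish, then print the new value.
set_iam_auth() {
    target=$1; state=$2; region=$3
    case $state in
        on)  flag=--enable-iam-database-authentication ;;
        off) flag=--no-enable-iam-database-authentication ;;
        *)   echo "state must be on or off" >&2; return 2 ;;
    esac
    if aws rds describe-db-clusters --region "$region" \
            --db-cluster-identifier "$target" >/dev/null 2>&1; then
        aws rds modify-db-cluster --region "$region" --db-cluster-identifier "$target" \
            "$flag" --apply-immediately >/dev/null
        aws rds wait db-cluster-available --region "$region" --db-cluster-identifier "$target"
        aws rds describe-db-clusters --region "$region" --db-cluster-identifier "$target" \
            --query 'DBClusters[0].IAMDatabaseAuthenticationEnabled' --output text
    else
        aws rds modify-db-instance --region "$region" --db-instance-identifier "$target" \
            "$flag" --apply-immediately >/dev/null
        aws rds wait db-instance-available --region "$region" --db-instance-identifier "$target"
        aws rds describe-db-instances --region "$region" --db-instance-identifier "$target" \
            --query 'DBInstances[0].IAMDatabaseAuthenticationEnabled' --output text
    fi
}

# Usage: rds-iam-auth.sh audit <region>
#        rds-iam-auth.sh enable|disable <cluster-or-instance-id> <region>
# Without arguments the script only defines the functions (so it can be sourced).
case ${1:-} in
    audit)
        disabled=$(list_iam_auth_status "$2" | report_disabled)
        if [ -n "$disabled" ]; then
            printf 'IAM database authentication disabled on:\n%s\n' "$disabled"
            exit 1            # non-zero so a CI job or scheduled check fails loudly
        fi
        echo "all clusters and instances have IAM database authentication enabled" ;;
    enable)  set_iam_auth "$2" on  "$3" ;;
    disable) set_iam_auth "$2" off "$3" ;;
    "")      : ;;
    *)       echo "usage: $0 audit <region> | enable|disable <id> <region>" >&2; exit 2 ;;
esac
```

The audit subcommand exits non-zero when any cluster or instance still has the flag off, which makes it usable as a scheduled compliance check; the enable and disable subcommands wait for the resource to return to the available state before reading the flag back, so the printed value is the committed one rather than a pending modification.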
Backout Plan:
Using AWS Console:
If enabling IAM authentication causes issues, first switch any database users that were moved to the IAM plugin back to password authentication, because disabling the setting rejects their logins. Then sign in to the AWS Management Console.
Navigate to Amazon RDS, select the DB cluster, and click Modify.
In the Database authentication section, choose Password authentication (in older console layouts, uncheck the IAM DB authentication option).
Save the changes and verify that IAM authentication has been disabled.
Using AWS CLI:
To disable IAM authentication, run the following command:
aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --no-enable-iam-database-authentication --apply-immediately
Verify that IAM authentication has been disabled (the value should be false):
aws rds describe-db-clusters --db-cluster-identifier <cluster-id> --query 'DBClusters[0].IAMDatabaseAuthenticationEnabled'