Profile Applicability:
- Level 2
Description:
Amazon RDS provides the option to authenticate database connections using AWS Identity and Access Management (IAM) instead of traditional username/password credentials. IAM authentication improves security by allowing you to manage access using IAM roles and policies, which eliminates the need for hardcoded credentials and helps centralize access control.
This SOP ensures that IAM authentication is enabled for Amazon RDS instances to enhance security and avoid using static credentials.
Rationale:
Security: Using IAM authentication eliminates the need to store database credentials in application code or configuration files, reducing the risk of credential leakage.
Centralized Access Control: IAM roles and policies allow for centralized management of access control, making it easier to grant or revoke permissions at scale.
Compliance: Many security frameworks, including SOC 2, PCI-DSS, and HIPAA, require using IAM authentication to meet credential management and access control standards.
Reduced Risk: Enabling IAM authentication reduces the risk of credential theft or misuse by placing database access under the control of IAM policies and roles, so connections use short-lived authentication tokens instead of long-lived passwords.
Impact:
Pros:
Improved Security: Reduces the risk of static password exposure and relies on IAM for access control.
Centralized Management: Allows easier management and auditing of database access through IAM.
Compliance: Meets regulatory requirements for managing credentials securely.
Cons:
Initial Setup Complexity: Enabling IAM authentication requires configuring IAM roles, policies, and ensuring correct database settings.
Access Management: Requires ongoing monitoring and management of IAM policies and roles.
Default Value:
By default, IAM authentication is disabled for Amazon RDS instances. You must explicitly enable IAM authentication when creating or modifying an RDS instance to use IAM-based access control.
Pre-requisite:
AWS IAM Permissions:
rds:DescribeDBInstances
rds:ModifyDBInstance
iam:ListRoles
iam:AttachRolePolicy
iam:PassRole
AWS CLI installed and configured.
Ensure that the RDS instance supports IAM authentication (MySQL, PostgreSQL, etc.).
IAM roles should be set up for database access.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon RDS under Services.
In the RDS Dashboard, go to Databases and select the RDS instance for which you want to verify IAM authentication.
Under the Connectivity & Security tab, check the IAM DB Authentication setting.
If IAM authentication is enabled, this option should show Enabled.
If IAM authentication is not enabled, you will need to modify the instance to enable it.
Using AWS CLI:
To check if IAM authentication is enabled for an RDS instance, run:
aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,IAMAuthentication:IAMDatabaseAuthenticationEnabled}'
Review the output for the IAMDatabaseAuthenticationEnabled field, which is a boolean. If it shows true, IAM authentication is active; if it shows false, it is disabled.
To enable IAM authentication for an existing RDS instance, run:
aws rds modify-db-instance --db-instance-identifier <instance-id> --enable-iam-database-authentication --apply-immediately
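The same check as an added audit script (not part of this SOP): it classifies each record from describe-db-instances as compliant, non-compliant, or not applicable for engines that do not support IAM authentication, and emits the SOP's remediation command for non-compliant instances. The engine list and the boto3 wrapper are assumptions; the sample records are constructed.

```python
"""Audit RDS instances for IAM database authentication (added example)."""
import json

# Engines that support IAM database authentication (assumption based on the
# SOP's "MySQL, PostgreSQL, etc."; Aurora engines included).
IAM_AUTH_ENGINES = {"mysql", "mariadb", "postgres", "aurora-mysql", "aurora-postgresql"}


def classify(instance):
    """Return 'compliant', 'noncompliant' or 'not_applicable' for one DBInstance record."""
    engine = instance.get("Engine", "").lower()
    if engine not in IAM_AUTH_ENGINES:
        return "not_applicable"
    # The boolean field in describe-db-instances output.
    return "compliant" if instance.get("IAMDatabaseAuthenticationEnabled") else "noncompliant"


def audit(db_instances):
    """Group instances by finding; attach the SOP remediation command to non-compliant ones."""
    report = {"compliant": [], "noncompliant": [], "not_applicable": []}
    for inst in db_instances:
        ident = inst["DBInstanceIdentifier"]
        status = classify(inst)
        entry = {"id": ident}
        if status == "noncompliant":
            entry["remediation"] = ("aws rds modify-db-instance --db-instance-identifier "
                                    f"{ident} --enable-iam-database-authentication --apply-immediately")
        report[status].append(entry)
    return report


def audit_account(region=None):
    """Live audit: pages through describe-db-instances with boto3 (needs rds:DescribeDBInstances)."""
    import boto3  # imported here so the offline helpers above work without boto3 installed
    rds = boto3.client("rds", region_name=region)
    instances = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])
    return audit(instances)


# Constructed sample records in the shape of `aws rds describe-db-instances` output.
SAMPLE = [
    {"DBInstanceIdentifier": "orders-pg", "Engine": "postgres", "IAMDatabaseAuthenticationEnabled": True},
    {"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql", "IAMDatabaseAuthenticationEnabled": False},
    {"DBInstanceIdentifier": "erp-oracle", "Engine": "oracle-ee", "IAMDatabaseAuthenticationEnabled": False},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```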
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon RDS.
Select the RDS instance you want to configure IAM authentication for.
In the Connectivity & Security section, click Modify.
Scroll down to the IAM Database Authentication setting and select Enable.
Save the changes and apply them immediately, if required.
Using AWS CLI:
To enable IAM authentication for an RDS instance, run:
aws rds modify-db-instance --db-instance-identifier <instance-id> --enable-iam-database-authentication --apply-immediately
To verify the modification, run:
aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,IAMDatabaseAuthenticationEnabled:IAMDatabaseAuthenticationEnabled}'
Backout Plan:
Using AWS Console:
If enabling IAM authentication causes issues, sign in to the AWS Management Console.
Navigate to Amazon RDS, select the DB instance, and click Modify.
Uncheck the Enable IAM DB authentication option.
Save the changes, and IAM authentication will be disabled.
Using AWS CLI:
To disable IAM authentication, run the following command:
aws rds modify-db-instance --db-instance-identifier <instance-id> --no-enable-iam-database-authentication --apply-immediately
Verify that IAM authentication has been disabled (the IAMDatabaseAuthenticationEnabled field should now be false):
aws rds describe-db-instances --db-instance-identifier <instance-id> --query 'DBInstances[0].IAMDatabaseAuthenticationEnabled'