Profile Applicability:

  • Level 1

Description:
AWS Identity and Access Management (IAM) controls who may call the AWS APIs that create, modify, and delete Amazon RDS and Aurora resources. An Aurora instance does not itself run under an IAM role the way an EC2 instance does, so management permissions are granted by attaching IAM policies to the IAM users, groups, or roles that operate the database, and by creating roles that the RDS service is allowed to assume on a cluster's behalf.

Rationale:
 Scoping IAM roles and policies to the RDS actions and resources an identity actually needs, rather than relying on broad AWS managed policies, is the mechanism for enforcing least privilege on the database control plane. A policy states exactly which actions an identity or service role may perform and on which cluster or instance ARNs.

Impact:
 Without scoped IAM policies, access to database resources is either granted too broadly (for example rds:* on every resource), which lets a compromised or over-privileged identity modify or delete production clusters, or is managed ad hoc, which creates operational overhead and audit gaps.

Default Value:
 RDS creates the service-linked role AWSServiceRoleForRDS for its own use when the first RDS resource is created; beyond that, no IAM roles or customer-managed policies for RDS management exist unless explicitly configured.

Pre-requisites:

  • AWS account

  • Access to IAM dashboard

  • IAM administrative privileges

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to AWS Management Console

  2. Navigate to IAM Dashboard

  3. Click on “Roles” → “Create Role”

  4. Choose “RDS” as the service and click “Next: Permissions”

  5. Review the attached policies. AmazonRDSFullAccess grants every rds: action on every resource; treat it as a finding unless the role genuinely needs full control, and prefer a customer-managed policy scoped to the required actions and cluster ARNs

  6. Click through “Tags” (optional) and “Review” the role

  7. Confirm role creation

  8. Navigate to “Policies” → verify if a custom policy exists for RDS access

  9. Confirm the policies are attached to the intended IAM users or groups (roles are assumed, not attached; check that only the intended principals appear in each role's trust policy)

Using AWS CLI:

  1. List existing IAM roles

     aws iam list-roles


  2. Get details of a specific role

     aws iam get-role --role-name <role-name>


  3. List attached policies for a role

     aws iam list-attached-role-policies --role-name <role-name>


  4. List IAM users and groups

     aws iam list-users
     aws iam list-groups


  5. Get policies attached to users or groups (list-user-policies and list-group-policies return only inline policies; the list-attached-* commands return managed policies, so run both)

     aws iam list-user-policies --user-name <username>
     aws iam list-attached-user-policies --user-name <username>
     aws iam list-group-policies --group-name <groupname>
     aws iam list-attached-group-policies --group-name <groupname>


Implementation Plan

Using AWS Console:

  1. Sign in to AWS Console

  2. Go to IAM → Roles → Create Role

  3. Select AWS service → choose “RDS”

  4. Attach a policy. AmazonRDSFullAccess is acceptable for a first pass but grants rds:* on all resources; for least privilege, attach a customer-managed policy scoped to the required actions and cluster ARNs instead (steps 7 to 9)

  5. Optionally add tags

  6. Name and review the role → click “Create Role”

  7. (Optional) Go to IAM → Policies → Create Policy

  8. Use visual or JSON editor → define permissions → click “Create Policy”

  9. Attach custom policy to the IAM role

  10. Go to IAM Users/Groups → Add Permissions → attach the policy (IAM roles are not attached to users; a user can assume a role only if the role's trust policy names that user or account)

Using AWS CLI:

  1. Create a role with a trust policy (trust-policy.json must allow the rds.amazonaws.com service principal, and nothing else, to call sts:AssumeRole)

     aws iam create-role --role-name RDSRole --assume-role-policy-document file://trust-policy.json


  2. Attach AWS managed policy to the role

     aws iam attach-role-policy --role-name RDSRole --policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess


  3. Create a custom policy

     aws iam create-policy --policy-name CustomRDSPolicy --policy-document file://custom-policy.json


  4. Attach the custom policy to a user (use attach-group-policy --group-name <groupname> to attach it to a group instead)

     aws iam attach-user-policy --user-name <username> --policy-arn arn:aws:iam::<account-id>:policy/CustomRDSPolicy
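
The following is an added example, not part of this benchmark text or of any AWS tool. It generates the trust-policy.json and custom-policy.json files that the CLI steps in the Test Plan and Implementation Plan reference, and it audits policy documents and attachment listings (the parsed JSON that aws iam list-attached-user-policies, -group-policies and -role-policies return) for the least-privilege problems the Test Plan asks you to verify: wildcard actions, iam:PassRole on every resource, and write actions granted on every resource. The account ID, region, cluster name and sample listings are constructed placeholders.

```python
# Added example: build least-privilege policy files for the CLI steps and
# audit policy documents / attachments. All identifiers are placeholders.
import json
import os

ACCOUNT_ID = "123456789012"   # placeholder, not a real account
REGION = "us-east-1"
CLUSTER_ARN = f"arn:aws:rds:{REGION}:{ACCOUNT_ID}:cluster:example-aurora-cluster"  # placeholder

# Trust policy for a role the RDS service assumes (the "choose RDS as the service"
# step). aws:SourceAccount stops RDS resources in another account from assuming
# the role through the shared service principal (confused-deputy mitigation).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "rds.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID}},
    }],
}

# Customer-managed policy: read-only inventory everywhere plus a few write
# actions on one named cluster, in place of AmazonRDSFullAccess (rds:* on *).
CUSTOM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyInventory", "Effect": "Allow",
         "Action": ["rds:Describe*", "rds:ListTagsForResource"],
         "Resource": "*"},   # Describe calls are not resource-scoped
        {"Sid": "ManageOneCluster", "Effect": "Allow",
         "Action": ["rds:ModifyDBCluster", "rds:StartDBCluster",
                    "rds:StopDBCluster", "rds:AddTagsToResource"],
         "Resource": CLUSTER_ARN},
    ],
}

# Action-name prefixes that change state; never grant these on Resource "*".
WRITE_PREFIXES = ("Create", "Delete", "Modify", "Restore", "Start", "Stop",
                  "Reboot", "Add", "Remove", "Promote", "Failover", "Put")

# AWS managed policies broader than any RDS operator needs.
BROAD_MANAGED_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/AmazonRDSFullAccess",
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(doc):
    """Return findings for an IAM policy document; an empty list means it passes."""
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: NotAction/NotResource grants everything not listed")
        resources = _as_list(st.get("Resource", []))
        for action in _as_list(st.get("Action", [])):
            _, _, op = action.partition(":")
            if action == "*" or op == "*":
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action == "iam:PassRole" and "*" in resources:
                findings.append(f"{sid}: iam:PassRole on '*' lets the principal hand any role to RDS")
            elif "*" in resources and op.startswith(WRITE_PREFIXES):
                findings.append(f"{sid}: write action {action!r} granted on every resource")
    return findings


def audit_attachments(list_attached_output):
    """Given parsed output of aws iam list-attached-*-policies, return broad ARNs."""
    return [p["PolicyArn"] for p in list_attached_output.get("AttachedPolicies", [])
            if p["PolicyArn"] in BROAD_MANAGED_ARNS]


def render_policy_files():
    """Return {filename: json text} for the two files the CLI steps reference."""
    return {"trust-policy.json": json.dumps(TRUST_POLICY, indent=2),
            "custom-policy.json": json.dumps(CUSTOM_POLICY, indent=2)}


# Constructed sample inputs (not real account data): an over-broad inline policy
# and an attachment listing for a user who still carries AmazonRDSFullAccess.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "rds:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}
SAMPLE_ATTACHED = {"AttachedPolicies": [
    {"PolicyName": "AmazonRDSFullAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonRDSFullAccess"},
    {"PolicyName": "CustomRDSPolicy",
     "PolicyArn": f"arn:aws:iam::{ACCOUNT_ID}:policy/CustomRDSPolicy"},
]}

if __name__ == "__main__":
    for name, text in render_policy_files().items():
        with open(os.path.join(".", name), "w") as fh:   # file://<name> in the CLI steps
            fh.write(text)
    for finding in audit_policy(OVERLY_BROAD_POLICY):
        print("FINDING:", finding)
    print("scoped policy findings:", audit_policy(CUSTOM_POLICY))
    print("broad attachments:", audit_attachments(SAMPLE_ATTACHED))
```

Run it in the directory where you will execute the create-role and create-policy commands so that file://trust-policy.json and file://custom-policy.json resolve. To audit a live account, pipe `aws iam get-policy-version --policy-arn <arn> --version-id <id> --output json` into audit_policy (the document is under PolicyVersion.Document) and the list-attached-* output into audit_attachments. The audit only flags the literal resource "*"; an ARN pattern such as arn:aws:rds:*:*:cluster:* is still effectively unscoped and deserves a manual look.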


Backout Plan

Using AWS Console:

  1. Go to IAM → Users/Groups → detach the custom policy (or role-related policy) from every user or group it was attached to

  2. Go to IAM → Roles → select the created role → Delete role (confirm no managed policies remain attached; IAM refuses to delete a role that still has attached policies)

  3. Go to IAM → Policies → delete the custom policy if one was created (deletion is refused while the policy is still attached anywhere)

Using AWS CLI:

  1. Detach the custom policy from the user (and, with detach-group-policy, from any group it was attached to)

     aws iam detach-user-policy --user-name <username> --policy-arn arn:aws:iam::<account-id>:policy/CustomRDSPolicy


  2. Detach the managed policy from the role, then delete the role (delete-role fails with DeleteConflict while any policy is still attached)

     aws iam detach-role-policy --role-name RDSRole --policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess
     aws iam delete-role --role-name RDSRole


  3. Delete the custom policy (delete-policy fails while the policy is attached to any user, group, or role, or still has non-default versions)

     aws iam delete-policy --policy-arn arn:aws:iam::<account-id>:policy/CustomRDSPolicy


References: