Profile Applicability

  • Level 1

Description:
 Regular rotation of Aurora DB instance passwords enhances access control and supports a secure authentication strategy. Amazon Aurora allows updating the master password for database instances through the RDS console.

Rationale:
 Frequent password updates reduce the risk of compromised credentials and ensure ongoing authorized access to AWS services and databases.

Impact:
 Frequent password rotation limits the window of opportunity for misuse in case credentials are leaked, thereby enhancing overall database security.

Default Value:
 There is no enforced default rotation policy; password management is manual unless configured otherwise.

Pre-requisites:

  • AWS Management Console access with necessary IAM privileges

  • Amazon Aurora DB instance running

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Go to the RDS Dashboard

  3. Choose the target Aurora DB instance

  4. Click on “Modify”

  5. Scroll to the Settings section and view the current master password (if masked, consider rotation frequency instead)

  6. Confirm that password rotation has been applied recently

Using AWS CLI:

  1. List DB instances to identify the Aurora DB instance:

     aws rds describe-db-instances

  2. Check the latest modification time for password change:

     aws rds describe-db-instances --query "DBInstances[*].{DBInstance:DBInstanceIdentifier,LastModifiedTime:LatestRestorableTime}"

Implementation Plan

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to the RDS Dashboard

  3. Click on the Aurora DB instance

  4. Choose “Modify”

  5. In the Settings section, enter a new password in both Master password and Confirm password fields

  6. Scroll to the bottom and choose to apply changes immediately or during the next maintenance window

  7. Click Continue → Modify DB Instance

Using AWS CLI:

  1. Run the following command to modify the DB instance and set a new password:

     aws rds modify-db-instance --db-instance-identifier <your-db-instance-identifier> --master-user-password <your-new-password> --apply-immediately

  2. Verify that the modification is successful by checking instance status:

     aws rds describe-db-instances --db-instance-identifier <your-db-instance-identifier> --query "DBInstances[*].DBInstanceStatus"

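As an added example (not part of this benchmark), the Test Plan's CLI audit and the Implementation Plan's password change as one offline Python script: it parses constructed describe-db-instances output, flags Aurora instances whose rotation marker is older than a threshold, and generates a replacement master password that meets the RDS character rules before assembling the modify-db-instance argv. The sample instances, the 90-day threshold and the use of LatestRestorableTime as the marker (the field the Test Plan's query reads) are assumptions.

```python
import json
import secrets
import string
from datetime import datetime, timedelta

# Constructed sample in the shape of `aws rds describe-db-instances` output,
# trimmed to the fields this audit reads. Not real AWS output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "aurora-prod-1", "Engine": "aurora-mysql",
     "DBInstanceStatus": "available", "LatestRestorableTime": "2024-01-02T03:04:05Z"},
    {"DBInstanceIdentifier": "aurora-prod-2", "Engine": "aurora-postgresql",
     "DBInstanceStatus": "available", "LatestRestorableTime": "2024-05-20T10:00:00Z"},
    {"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql",
     "DBInstanceStatus": "available", "LatestRestorableTime": "2023-01-01T00:00:00Z"},
]})

# Characters RDS rejects in a MySQL-compatible master password: / " @ and space.
FORBIDDEN = set('/"@ ')

def parse_ts(iso):
    """Parse the ISO-8601 timestamps the CLI emits (trailing Z = UTC)."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def overdue_aurora_instances(describe_json, now_iso, max_age_days=90,
                             marker_field="LatestRestorableTime"):
    """Identifiers of Aurora instances whose rotation marker predates the cutoff.
    marker_field is the timestamp treated as the last rotation (assumption)."""
    cutoff = parse_ts(now_iso) - timedelta(days=max_age_days)
    overdue = []
    for inst in json.loads(describe_json)["DBInstances"]:
        if not inst["Engine"].startswith("aurora"):
            continue  # the control is scoped to Aurora instances only
        if parse_ts(inst[marker_field]) < cutoff:
            overdue.append(inst["DBInstanceIdentifier"])
    return overdue

def is_valid_master_password(pw):
    """8-41 printable ASCII chars without the forbidden set fits every Aurora engine."""
    return 8 <= len(pw) <= 41 and all(32 < ord(c) < 127 and c not in FORBIDDEN for c in pw)

def new_master_password(length=32):
    """Random replacement password drawn only from characters RDS accepts."""
    alphabet = [c for c in string.ascii_letters + string.digits + string.punctuation
                if c not in FORBIDDEN]
    return "".join(secrets.choice(alphabet) for _ in range(length))

def rotation_command(identifier, password):
    """argv for the page's modify-db-instance call; validated before use so the
    API does not reject the rotation mid-change. Pass to subprocess.run."""
    if not is_valid_master_password(password):
        raise ValueError("password violates RDS master password constraints")
    return ["aws", "rds", "modify-db-instance", "--db-instance-identifier", identifier,
            "--master-user-password", password, "--apply-immediately"]
```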
Backout Plan

Using AWS Console:

  1. If the password change causes issues, repeat the steps above and reset it to the old password if available

  2. Ensure you apply changes during the next maintenance window to prevent service disruption

Using AWS CLI:

  1. Reset to previous password using:

     aws rds modify-db-instance --db-instance-identifier <your-db-instance-identifier> --master-user-password <previous-password> --apply-immediately

  2. Monitor for DB instance status to become available

References: