iCompaas Support

Profile Applicability:

• Level 1

Description:
Access control and authentication mechanisms ensure that only authorized users or services can access AWS-managed database services. This can be enforced using IAM-based policies or database-native credentials depending on the service.

Rationale:
 Strong access control and authentication reduce the risk of unauthorized access and data exposure. Implementing least privilege access and using identity-aware authentication enforces secure database interaction patterns.

Impact:
 Pros:

• Reduces unauthorized access risk
  

• Provides granular access management
  

• Supports audit and compliance needs
  

Cons:

• Misconfigured policies may block legitimate access
  

• Requires regular review and maintenance of IAM roles and permissions
  

Default Value:
 Most database services do not enforce access control or IAM authentication by default unless explicitly enabled.

Pre-requisites:

• IAM access to create/modify roles and policies
  

• Database engine that supports IAM or native authentication
  

• Knowledge of user roles and responsibilities
  

Remediation:

Test Plan

Using AWS Console:

1. Sign in to the AWS Console
   

2. Navigate to the target database service (e.g., Amazon RDS, DocumentDB)
   

3. Select the database instance or cluster
   

4. Go to the Connectivity & security or Configuration tab
   

5. Verify whether IAM authentication or database login user management is enabled
   

Using AWS CLI:

1. Describe the DB instance and check IAM authentication status:
   

   aws rds describe-db-instances --db-instance-identifier <your-db-instance-id> --query "DBInstances[*].IAMDatabaseAuthenticationEnabled"

2. List attached IAM policies for a user:
   

    aws iam list-attached-user-policies --user-name <user-name>

3. List DB users for Aurora/MySQL (if connected):
   

   SELECT user, host FROM mysql.user;

Implementation Plan

Using AWS Console:

1. Sign in to the AWS Console
   

2. Navigate to Amazon RDS > Databases
   

3. Select the target DB instance and click Modify
   

4. Under Database authentication, enable IAM DB authentication
   

5. Apply the changes and reboot the instance if required
   

6. Go to IAM > Policies, create a policy allowing rds-db:connect on the DB resource
   

7. Attach the policy to the intended IAM user or role
   

8. Use the RDS Auth Token to connect securely
   

Using AWS CLI:

1. Enable IAM authentication on a DB instance:
   

   aws rds modify-db-instance --db-instance-identifier <your-db-instance-id> --enable-iam-database-authentication --apply-immediately

2. Create a new IAM policy for database access:
   

    aws iam create-policy --policy-name AllowRDSAccess --policy-document file://policy.json

3. Attach the policy to a user:
   

   aws iam attach-user-policy --user-name <user-name> --policy-arn arn:aws:iam::<account-id>:policy/AllowRDSAccess

4. (Optional) Generate an RDS Auth token to connect:
   

   aws rds generate-db-auth-token --hostname <db-endpoint> --port 3306 --username <db-user>

Backout Plan

Using AWS Console:

1. Sign in to the AWS Console
   

2. Navigate to the RDS instance and click Modify
   

3. Disable IAM database authentication
   

4. Click Continue, then Apply Immediately
   

5. Detach IAM policies from users or roles as needed
   

Using AWS CLI:

1. Disable IAM DB authentication:
   

    aws rds modify-db-instance --db-instance-identifier <your-db-instance-id> --no-enable-iam-database-authentication --apply-immediately

2. Detach the policy from the user:
   

   aws iam detach-user-policy --user-name <user-name> --policy-arn arn:aws:iam::<account-id>:policy/AllowRDSAccess

3. (Optional) Delete the IAM policy:
   

    aws iam delete-policy --policy-arn arn:aws:iam::<account-id>:policy/AllowRDSAccess

References:

• AWS Identity and Access Management

• AmazonRDS