v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 10 IAM authentication should be configured for RDS instances

Description

This control checks whether an RDS DB instance has IAM database authentication enabled.

IAM database authentication allows authentication to database instances with an authentication token instead of a password. Network traffic to and from the database is encrypted using SSL.

Remediation

To remediate this issue, update your DB instance to enable IAM authentication.

To enable IAM authentication for an existing DB instance

  1. Open the Amazon RDS console.
  2. Choose Databases.
  3. Select the DB instance to modify.
  4. Choose Modify.
  5. Under Database options, choose Enable IAM DB authentication.
  6. Choose Continue.
  7. Under Scheduling of modifications, choose when to apply modifications. The options are Apply during the next scheduled maintenance window or Apply immediately.
  8. For clusters, choose Modify DB Instance.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_rds_10

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_rds_10 --share

SQL

This control uses a named query:

rds_db_instance_iam_authentication_enabled

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = passwordless_aauthentication
foundational_security_item_id = rds_10
plugin = aws
service = AWS/RDS