Control: 10 IAM authentication should be configured for RDS instances

Description

This control checks whether an RDS DB instance has IAM database authentication enabled.

IAM database authentication allows authentication to database instances with an authentication token instead of a password. Network traffic to and from the database is encrypted using SSL.

Remediation

To remediate this issue, update your DB instance to enable IAM authentication.

To enable IAM authentication for an existing DB instance

Open the Amazon RDS console.
Choose Databases.
Select the DB instance to modify.
Choose Modify.
Under Database options, choose Enable IAM DB authentication.
Choose Continue.
Under Scheduling of modifications, choose when to apply modifications. The options are Apply during the next scheduled maintenance window or Apply immediately.
For clusters, choose Modify DB Instance.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_rds_10

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_rds_10 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when iam_database_authentication_enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when iam_database_authentication_enabled then title || ' IAM authentication enabled.'
    else title || ' IAM authentication not enabled.'
  end as reason
  
  , region, account_id
from
  aws_rds_db_instance;

Control: 10 IAM authentication should be configured for RDS instances

Description

Remediation

Usage

SQL

Tags