
RDS Cluster IAM Authentication Enabled

Overview

This check verifies that your Amazon RDS DB clusters have IAM database authentication enabled. With IAM authentication, an IAM user or role generates a short-lived, signed authentication token and presents it in place of a password; the database verifies the token and the principal's rds-db:connect permission before accepting the connection. The feature is supported on the MySQL, MariaDB, PostgreSQL, Aurora MySQL and Aurora PostgreSQL engines. For a DB cluster, the setting is configured once on the cluster and inherited by every instance in it.

Risk

Without IAM database authentication, your database relies on long-lived passwords that end up in configuration files, source control and logs. If a password is stolen, the attacker keeps access until someone rotates it and updates every consumer. With IAM authentication:

  • Authentication tokens expire 15 minutes after they are generated, so a captured token is useful only briefly (a connection that was already established with a valid token is not dropped when the token expires)
  • Access is revoked by removing the principal's rds-db:connect permission; no database-side password change or redeploy is needed, although open sessions persist until they disconnect
  • No database password has to be stored in application configuration; the application signs a fresh token with its IAM role credentials at connect time
  • Who may connect as which database user is decided centrally in IAM policy, using the same principals, roles and policy conditions as the rest of the account

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to modify RDS clusters
  • The RDS cluster must use a supported engine: for a DB cluster this means Aurora MySQL or Aurora PostgreSQL (standalone MySQL, MariaDB and PostgreSQL instances also support IAM authentication, but they are configured with modify-db-instance rather than the cluster-level steps below)

Required IAM permissions

To enable IAM authentication, you need these IAM permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:ModifyDBCluster",
        "rds:DescribeDBClusters"
      ],
      "Resource": "arn:aws:rds:us-east-1:<account-id>:cluster:<cluster-name>"
    }
  ]
}

AWS Console Method

  1. Open the Amazon RDS console
  2. In the navigation pane, choose Databases
  3. Select the DB cluster you want to modify (click the cluster name, not an instance)
  4. Choose Modify
  5. Scroll to the Database authentication section
  6. Select Password and IAM database authentication
  7. Scroll to the bottom and choose Continue
  8. Review your changes, select Apply immediately if needed
  9. Choose Modify cluster

Note: Enabling IAM authentication does not require a restart and has no downtime.

AWS CLI (optional)

Enable IAM authentication on an existing cluster:

aws rds modify-db-cluster \
  --db-cluster-identifier <your-cluster-identifier> \
  --enable-iam-database-authentication \
  --apply-immediately \
  --region us-east-1

To verify the change was applied:

aws rds describe-db-clusters \
  --db-cluster-identifier <your-cluster-identifier> \
  --query 'DBClusters[0].IAMDatabaseAuthenticationEnabled' \
  --region us-east-1

This should return true.

CloudFormation (optional)

Use the EnableIAMDatabaseAuthentication property on your AWS::RDS::DBCluster resource. The setting lives on the cluster and applies to every instance in it; the template below defines only the cluster, so add at least one AWS::RDS::DBInstance that references it before anything can connect:

AWSTemplateFormatVersion: '2010-09-09'
Description: RDS Aurora cluster with IAM authentication enabled

Parameters:
  DBClusterIdentifier:
    Type: String
    Description: The identifier for the DB cluster
  MasterUsername:
    Type: String
    Description: The master username for the DB cluster
  VPCSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group for the DB cluster
  DBSubnetGroupName:
    Type: String
    Description: The DB subnet group name

Resources:
  RDSCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      DBClusterIdentifier: !Ref DBClusterIdentifier
      Engine: aurora-mysql
      EngineVersion: '8.0.mysql_aurora.3.04.0'
      MasterUsername: !Ref MasterUsername
      # Let RDS generate and store the master password in Secrets Manager
      # instead of passing it in as a template parameter
      ManageMasterUserPassword: true
      EnableIAMDatabaseAuthentication: true
      VpcSecurityGroupIds:
        - !Ref VPCSecurityGroupId
      DBSubnetGroupName: !Ref DBSubnetGroupName
      StorageEncrypted: true
      DeletionProtection: true
      Tags:
        - Key: Environment
          Value: Production

Outputs:
  ClusterEndpoint:
    Description: The connection endpoint for the DB cluster
    Value: !GetAtt RDSCluster.Endpoint.Address

Terraform (optional)

Set iam_database_authentication_enabled = true on your aws_rds_cluster resource (the cluster-level setting applies to every aws_rds_cluster_instance attached to it):

variable "cluster_identifier" {
  description = "The identifier for the RDS cluster"
  type        = string
}

variable "master_username" {
  description = "Master username for the database"
  type        = string
}

variable "master_password" {
  description = "Master password for the database"
  type        = string
  sensitive   = true
}

variable "vpc_security_group_ids" {
  description = "List of VPC security group IDs"
  type        = list(string)
}

variable "db_subnet_group_name" {
  description = "Name of the DB subnet group"
  type        = string
}

resource "aws_rds_cluster" "main" {
  cluster_identifier = var.cluster_identifier
  engine             = "aurora-mysql"
  engine_version     = "8.0.mysql_aurora.3.04.0"
  master_username    = var.master_username
  # The master password is still needed for the cluster itself; keep it out of
  # version control (it is marked sensitive above) and rotate it after
  # applications have moved to IAM tokens.
  master_password                     = var.master_password
  iam_database_authentication_enabled = true
  vpc_security_group_ids              = var.vpc_security_group_ids
  db_subnet_group_name                = var.db_subnet_group_name
  storage_encrypted                   = true
  deletion_protection                 = true
  skip_final_snapshot                 = false
  final_snapshot_identifier           = "${var.cluster_identifier}-final-snapshot"

  tags = {
    Environment = "Production"
  }
}

output "cluster_endpoint" {
  description = "The connection endpoint for the cluster"
  value       = aws_rds_cluster.main.endpoint
}

Verification

After enabling IAM authentication, verify the setting is active:

  1. In the RDS console, select your cluster
  2. On the Configuration tab, look for IAM DB authentication
  3. Confirm it shows Enabled

CLI verification

aws rds describe-db-clusters \
  --db-cluster-identifier <your-cluster-identifier> \
  --query 'DBClusters[0].{ClusterID:DBClusterIdentifier,IAMAuth:IAMDatabaseAuthenticationEnabled}' \
  --output table \
  --region us-east-1

Expected output:

---------------------------------
|      DescribeDBClusters       |
+---------------+---------------+
|   ClusterID   |    IAMAuth    |
+---------------+---------------+
|  my-cluster   |  True         |
+---------------+---------------+
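The console and CLI steps above verify one cluster at a time. The following script, an added example that is not part of the original page, runs the same check across every DB cluster in a region and, with --fix, applies the remediation from the CLI section (modify-db-cluster with --enable-iam-database-authentication --apply-immediately). It uses only boto3 calls that exist (describe_db_clusters through a paginator, modify_db_cluster); the cluster names in the sample data and the --offline stub client are constructed for the demonstration.

```python
"""Fleet audit for the IAM DB authentication check, with optional remediation.

Added example, not part of the original page. Run with --offline to exercise
it against constructed sample data without AWS credentials."""
import argparse
import sys
from typing import Dict, Iterable, List


def clusters_missing_iam_auth(clusters: Iterable[Dict]) -> List[str]:
    """Return identifiers of clusters that fail the check.

    Takes the DBClusters list exactly as describe-db-clusters returns it, so it
    also works on a JSON dump captured with the CLI. A missing key is treated
    as disabled, the conservative reading for an audit."""
    return [
        c["DBClusterIdentifier"]
        for c in clusters
        if not c.get("IAMDatabaseAuthenticationEnabled", False)
    ]


def list_clusters(rds) -> List[Dict]:
    """Collect clusters across all result pages (the API pages at 100)."""
    found: List[Dict] = []
    for page in rds.get_paginator("describe_db_clusters").paginate():
        found.extend(page["DBClusters"])
    return found


def enable_iam_auth(rds, cluster_id: str) -> bool:
    """Turn the setting on with ApplyImmediately (no restart is required).

    Returns the flag from the ModifyDBCluster response; re-check with
    describe-db-clusters once the cluster status is back to 'available'."""
    resp = rds.modify_db_cluster(
        DBClusterIdentifier=cluster_id,
        EnableIAMDatabaseAuthentication=True,
        ApplyImmediately=True,
    )
    return bool(resp["DBCluster"].get("IAMDatabaseAuthenticationEnabled"))


def audit(rds, fix: bool = False) -> Dict[str, bool]:
    """Run the check on every cluster; map each failing cluster to whether IAM
    auth is enabled afterwards (always False unless fix=True)."""
    failing = clusters_missing_iam_auth(list_clusters(rds))
    return {cid: (enable_iam_auth(rds, cid) if fix else False) for cid in failing}


# Constructed sample of describe-db-clusters output, trimmed to the fields used
# here, so the audit can be exercised offline.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "prod-orders", "Engine": "aurora-mysql",
     "IAMDatabaseAuthenticationEnabled": True},
    {"DBClusterIdentifier": "legacy-reporting", "Engine": "aurora-postgresql",
     "IAMDatabaseAuthenticationEnabled": False},
    {"DBClusterIdentifier": "scratch", "Engine": "aurora-mysql"},  # key absent
]


class FakeRDS:
    """Minimal stand-in for a boto3 RDS client (constructed for --offline)."""

    def __init__(self, clusters: List[Dict]):
        self.clusters = [dict(c) for c in clusters]

    def get_paginator(self, name: str):
        assert name == "describe_db_clusters"
        return self  # paginate() below yields a single page

    def paginate(self):
        yield {"DBClusters": self.clusters}

    def modify_db_cluster(self, **kwargs):
        for c in self.clusters:
            if c["DBClusterIdentifier"] == kwargs["DBClusterIdentifier"]:
                c["IAMDatabaseAuthenticationEnabled"] = bool(
                    kwargs.get("EnableIAMDatabaseAuthentication"))
                return {"DBCluster": c}
        raise KeyError(kwargs["DBClusterIdentifier"])


def main(argv=None) -> int:
    ap = argparse.ArgumentParser(description="Audit RDS clusters for IAM DB auth")
    ap.add_argument("--region", default="us-east-1")
    ap.add_argument("--fix", action="store_true", help="enable IAM auth on failing clusters")
    ap.add_argument("--offline", action="store_true", help="use the constructed sample instead of AWS")
    args = ap.parse_args(argv)
    if args.offline:
        rds = FakeRDS(SAMPLE_CLUSTERS)
    else:
        import boto3  # imported lazily so the offline path needs no SDK
        rds = boto3.client("rds", region_name=args.region)
    outcome = audit(rds, fix=args.fix)
    for cluster_id, enabled in outcome.items():
        print(f"{cluster_id}: {'enabled' if enabled else 'IAM auth DISABLED'}")
    return 0 if all(outcome.values()) else 1  # non-zero exit while any cluster fails


if __name__ == "__main__":
    sys.exit(main())
```

Exit status 1 while any cluster still fails makes the script usable as a CI or scheduled-compliance gate; run it without --fix first, since enabling the setting on a cluster that still has only password logins changes nothing for its users but does start the transition described in the notes.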

Notes

  • Supported engines only: IAM authentication is available for MySQL, MariaDB and PostgreSQL from engine-specific minimum minor versions (check the current AWS documentation for the list; RDS for MySQL 5.6 is no longer offered) and for all Aurora MySQL and Aurora PostgreSQL versions
  • Connection rate: every new connection goes through token validation, and AWS recommends keeping new IAM-authenticated connections to an instance below about 200 per second. Use a connection pool or RDS Proxy for connection-heavy workloads rather than opening a fresh connection per request
  • TLS required: the token is sent as a cleartext password, so the database only accepts it over an SSL/TLS connection (MySQL clients need --ssl-mode=REQUIRED or stricter plus --enable-cleartext-plugin; PostgreSQL clients should use sslmode=verify-full with the RDS CA bundle)
  • Token lifetime: tokens are valid for 15 minutes from generation. Generate a new token immediately before each connection attempt rather than caching one; a connection opened with a valid token stays open after the token expires
  • Existing passwords still work: enabling IAM authentication does not disable password-based authentication. You can use both methods simultaneously while transitioning, and should rotate or remove password logins once applications have migrated
  • IAM policy and database user required: enabling the setting on the cluster only makes tokens acceptable. Each principal also needs rds-db:connect on arn:aws:rds-db:<region>:<account-id>:dbuser:<DbClusterResourceId>/<db-user> (note the cluster resource ID, cluster-XXXX from describe-db-clusters, not the cluster name), and a matching database user flagged for IAM authentication must exist (MySQL: created with IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; PostgreSQL: granted the rds_iam role)
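The last two notes are where most IAM authentication rollouts fail: the policy is written against the cluster name instead of its resource ID, or the database user exists but is not flagged for IAM. The following helper, an added example that is neither the page's nor AWS's code, builds the least-privilege rds-db:connect policy for one role-to-database-user mapping, emits the engine-specific statement that creates the matching database user, and opens a TLS connection that mints a fresh 15-minute token each time. It assumes boto3 for token generation and PyMySQL 1.0 or later for the connection; the region, account, resource ID, user and host values are placeholders.

```python
"""Onboard one IAM principal to an IAM-authenticated cluster: policy, database
user, and a per-connection token over TLS. Added example; all identifiers
below are placeholders."""
import json
import re
from typing import Dict

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def connect_policy(region: str, account_id: str, cluster_resource_id: str,
                   db_user: str) -> Dict:
    """rds-db:connect is scoped by the cluster's DbClusterResourceId (the
    cluster-XXXX value from describe-db-clusters), not by its name or ARN, and
    by the database user name. One statement therefore grants one principal
    one database identity; a '*' user would allow any IAM-enabled user."""
    if not cluster_resource_id.startswith("cluster-"):
        raise ValueError("expected a DbClusterResourceId such as cluster-ABC...")
    if not _IDENT.fullmatch(db_user):
        raise ValueError(f"unsafe database user name {db_user!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": f"arn:aws:rds-db:{region}:{account_id}:dbuser:{cluster_resource_id}/{db_user}",
        }],
    }


def create_user_sql(engine: str, db_user: str) -> str:
    """Database half of the setup: the user must exist and be marked for IAM
    authentication, otherwise a perfectly valid token is rejected as a bad
    password. The user name is validated so this cannot be abused for SQL
    injection when driven from an onboarding form."""
    if not _IDENT.fullmatch(db_user):
        raise ValueError(f"unsafe database user name {db_user!r}")
    if engine in ("aurora-mysql", "mysql", "mariadb"):
        return (f"CREATE USER '{db_user}'@'%' "
                "IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS' REQUIRE SSL;")
    if engine in ("aurora-postgresql", "postgres"):
        return f"CREATE USER {db_user}; GRANT rds_iam TO {db_user};"
    raise ValueError(f"engine {engine!r} does not support IAM authentication")


def fresh_token(host: str, port: int, db_user: str, region: str) -> str:
    """SigV4-signed token valid for 15 minutes. Generation is local to the
    caller's IAM credentials (no API round trip); never cache the result."""
    import boto3  # lazy import: the policy/SQL helpers work without the SDK
    return boto3.client("rds", region_name=region).generate_db_auth_token(
        DBHostname=host, Port=port, DBUsername=db_user, Region=region)


def connect_mysql(host: str, port: int, db_user: str, region: str,
                  database: str, ca_bundle: str):
    """Open a verified TLS connection to an Aurora MySQL cluster with a token
    minted for this attempt. PyMySQL sends the token via mysql_clear_password,
    which it only allows over TLS; ca_bundle is the RDS CA file
    (for example global-bundle.pem)."""
    import pymysql  # assumed PyMySQL >= 1.0 for the ssl_* keyword arguments
    return pymysql.connect(
        host=host, port=port, user=db_user,
        password=fresh_token(host, port, db_user, region),
        database=database,
        ssl_ca=ca_bundle, ssl_verify_cert=True, ssl_verify_identity=True,
        connect_timeout=10,
    )


if __name__ == "__main__":
    # Placeholder values; substitute the DbClusterResourceId of your cluster.
    policy = connect_policy("us-east-1", "123456789012",
                            "cluster-ABCDEFGHIJKLMNOPQRSTUVWXY", "app_rw")
    print(json.dumps(policy, indent=2))
    print(create_user_sql("aurora-mysql", "app_rw"))
    print(create_user_sql("aurora-postgresql", "app_rw"))
```

Attach the printed policy to the application's role (not to a user with long-lived keys, which would reintroduce the static secret the feature is meant to remove), run the printed statement as a database administrator, and then every connection the application opens carries a token that is useless to an attacker a quarter of an hour after it was signed.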