Enable IAM Database Authentication for RDS Instances
Overview
This check verifies that your Amazon RDS database instances have IAM database authentication enabled. IAM authentication lets you connect to supported databases (MySQL, MariaDB, and PostgreSQL) using temporary authentication tokens instead of passwords.
Risk
When IAM database authentication is disabled:
- Static passwords are required: Database credentials must be stored in application code, configuration files, or environment variables, increasing the risk of credential theft or accidental exposure.
- No centralized access control: You cannot use IAM policies to manage who can connect to the database, making it harder to audit and control access.
- Credential rotation is manual: Passwords must be rotated manually, whereas IAM tokens are automatically generated and expire after 15 minutes.
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify RDS instances, or AWS CLI configured with appropriate credentials
- The RDS instance must use a supported engine: MySQL, MariaDB, or PostgreSQL (including Aurora variants)
AWS Console Method
- Open the Amazon RDS console in us-east-1
- In the left navigation pane, choose Databases
- Select the database instance you want to modify
- Choose Modify from the top-right menu
- Scroll down to the Database authentication section
- Select Password and IAM database authentication
- Scroll to the bottom and choose Continue
- On the summary page, choose when to apply the change:
  - Apply immediately - The change takes effect right away (may cause a brief interruption)
  - Apply during the next scheduled maintenance window - Safer for production databases
- Choose Modify DB instance
Note: For Aurora clusters, you need to modify the cluster (not individual instances). Select the cluster, choose Modify, and follow the same steps.
AWS CLI (optional)
Enable IAM authentication on an existing RDS instance:
aws rds modify-db-instance \
    --region us-east-1 \
    --db-instance-identifier <your-db-instance-id> \
    --enable-iam-database-authentication \
    --apply-immediately
Replace <your-db-instance-id> with your actual database instance identifier.
For Aurora clusters, use the modify-db-cluster command instead:
aws rds modify-db-cluster \
    --region us-east-1 \
    --db-cluster-identifier <your-cluster-id> \
    --enable-iam-database-authentication \
    --apply-immediately
Important: Remove --apply-immediately if you prefer to apply changes during the next maintenance window.
CloudFormation (optional)
Use the following CloudFormation template to create an RDS instance with IAM database authentication enabled:
AWSTemplateFormatVersion: '2010-09-09'
Description: RDS instance with IAM database authentication enabled
Parameters:
  DBInstanceIdentifier:
    Type: String
    Description: The database instance identifier
    Default: my-database
  DBInstanceClass:
    Type: String
    Description: The database instance class
    Default: db.t3.micro
  Engine:
    Type: String
    Description: The database engine
    Default: mysql
    AllowedValues:
      - mysql
      - postgres
      - mariadb
  MasterUsername:
    Type: String
    Description: The master username for the database
    Default: admin
  MasterUserPassword:
    Type: String
    Description: The master password for the database
    NoEcho: true
  AllocatedStorage:
    Type: Number
    Description: The allocated storage size in GB
    Default: 20
  DBSubnetGroupName:
    Type: String
    Description: The DB subnet group name
  VPCSecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: List of VPC security group IDs
Resources:
  RDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBInstanceClass: !Ref DBInstanceClass
      Engine: !Ref Engine
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      AllocatedStorage: !Ref AllocatedStorage
      DBSubnetGroupName: !Ref DBSubnetGroupName
      VPCSecurityGroups: !Ref VPCSecurityGroupIds
      EnableIAMDatabaseAuthentication: true
      PubliclyAccessible: false
      StorageEncrypted: true
Outputs:
  DBInstanceEndpoint:
    Description: The connection endpoint for the database
    Value: !GetAtt RDSInstance.Endpoint.Address
  DBInstancePort:
    Description: The port of the database
    Value: !GetAtt RDSInstance.Endpoint.Port
The key property is EnableIAMDatabaseAuthentication: true.
To update an existing stack, add this property to your existing AWS::RDS::DBInstance resource and update the stack.
Terraform (optional)
Use the following Terraform configuration to create an RDS instance with IAM database authentication enabled:
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "db_instance_identifier" {
  description = "The identifier for the RDS instance"
  type        = string
  default     = "my-database"
}

variable "db_instance_class" {
  description = "The instance class for the RDS instance"
  type        = string
  default     = "db.t3.micro"
}

variable "engine" {
  description = "The database engine to use"
  type        = string
  default     = "mysql"
}

variable "engine_version" {
  description = "The engine version to use"
  type        = string
  default     = "8.0"
}

variable "allocated_storage" {
  description = "The allocated storage in gigabytes"
  type        = number
  default     = 20
}

variable "db_username" {
  description = "Username for the master DB user"
  type        = string
  default     = "admin"
}

variable "db_password" {
  description = "Password for the master DB user"
  type        = string
  sensitive   = true
}

variable "db_subnet_group_name" {
  description = "Name of DB subnet group"
  type        = string
}

variable "vpc_security_group_ids" {
  description = "List of VPC security groups to associate"
  type        = list(string)
}

resource "aws_db_instance" "main" {
  identifier             = var.db_instance_identifier
  instance_class         = var.db_instance_class
  engine                 = var.engine
  engine_version         = var.engine_version
  allocated_storage      = var.allocated_storage
  username               = var.db_username
  password               = var.db_password
  db_subnet_group_name   = var.db_subnet_group_name
  vpc_security_group_ids = var.vpc_security_group_ids

  # Enable IAM database authentication
  iam_database_authentication_enabled = true

  # Additional security best practices
  publicly_accessible = false
  storage_encrypted   = true

  # Skips the final snapshot on destroy; convenient for test environments,
  # set to false for instances holding production data
  skip_final_snapshot = true

  tags = {
    Name = var.db_instance_identifier
  }
}

output "db_instance_endpoint" {
  description = "The connection endpoint"
  value       = aws_db_instance.main.endpoint
}

output "db_instance_arn" {
  description = "The ARN of the RDS instance"
  value       = aws_db_instance.main.arn
}
The key attribute is iam_database_authentication_enabled = true.
To update an existing resource, add this attribute to your existing aws_db_instance resource and run terraform apply.
Verification
After enabling IAM authentication, verify the setting:
- In the RDS console, select your database instance
- On the Configuration tab, look for IAM DB authentication
- Confirm it shows Enabled
CLI verification (optional)
aws rds describe-db-instances \
    --region us-east-1 \
    --db-instance-identifier <your-db-instance-id> \
    --query 'DBInstances[0].IAMDatabaseAuthenticationEnabled'
This should return true.
Additional Resources
- IAM database authentication for MariaDB, MySQL, and PostgreSQL
- Connecting to your DB instance using IAM authentication
- Creating and using an IAM policy for IAM database access
- AWS Security Best Practices for Amazon RDS
Notes
- Supported engines only: IAM database authentication is only available for MySQL, MariaDB, and PostgreSQL engines (including Aurora variants). It is not available for SQL Server, Oracle, or Db2.
- SSL/TLS required: Connections using IAM authentication must use SSL/TLS encryption. Ensure your applications are configured to connect over SSL.
- Token lifetime: Authentication tokens are valid for 15 minutes. Applications should generate a new token for each connection or implement token refresh logic.
- Application changes required: After enabling IAM authentication, you need to update your applications to use IAM tokens instead of passwords. This requires code changes and appropriate IAM policies.
- No downtime for the change: Enabling IAM authentication does not require a database restart, but if you choose "Apply immediately," there may be a brief interruption while the setting is applied.
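As an added example (not part of this check's own tooling), the following Python script applies the Verification step above to the full output of aws rds describe-db-instances, reporting every instance at once and treating the unsupported engines listed in the Notes as not applicable; it also builds the least-privilege rds-db:connect policy that the "Application changes required" note says a caller needs. The sample output, account number and DbiResourceId values are constructed placeholders, while the rds-db ARN layout is AWS's documented one.

```python
import json

# Engines that support IAM database authentication (per the Notes section above).
IAM_AUTH_ENGINES = {"mysql", "mariadb", "postgres", "aurora-mysql", "aurora-postgresql"}

# Constructed sample in the shape of `aws rds describe-db-instances` output
# (instance names, account number and resource IDs are placeholders, not real resources).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-db", "Engine": "mysql",
     "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:orders-db",
     "DbiResourceId": "db-EXAMPLEAAAAAAAAAAAAAAAAAA",
     "IAMDatabaseAuthenticationEnabled": True},
    {"DBInstanceIdentifier": "legacy-pg", "Engine": "postgres",
     "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:legacy-pg",
     "DbiResourceId": "db-EXAMPLEBBBBBBBBBBBBBBBBBB",
     "IAMDatabaseAuthenticationEnabled": False},
    {"DBInstanceIdentifier": "erp-mssql", "Engine": "sqlserver-se",
     "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:erp-mssql",
     "DbiResourceId": "db-EXAMPLECCCCCCCCCCCCCCCCCC",
     "IAMDatabaseAuthenticationEnabled": False},
]})

def evaluate(describe_json: str) -> dict:
    """Map each instance identifier to PASS, FAIL or NOT_APPLICABLE (unsupported engine)."""
    results = {}
    for inst in json.loads(describe_json)["DBInstances"]:
        if inst["Engine"] not in IAM_AUTH_ENGINES:
            status = "NOT_APPLICABLE"
        elif inst.get("IAMDatabaseAuthenticationEnabled", False):
            status = "PASS"
        else:
            status = "FAIL"  # remediate with modify-db-instance --enable-iam-database-authentication
        results[inst["DBInstanceIdentifier"]] = status
    return results

def connect_policy(describe_json: str, identifier: str, db_user: str) -> dict:
    """Least-privilege policy granting rds-db:connect for one DB user on one instance."""
    inst = next(i for i in json.loads(describe_json)["DBInstances"]
                if i["DBInstanceIdentifier"] == identifier)
    if evaluate(describe_json)[identifier] != "PASS":
        raise ValueError(f"{identifier}: IAM database authentication is not enabled")
    # rds-db ARNs are keyed on the DbiResourceId rather than the instance name, so a
    # renamed instance or an instance restored from a snapshot does not inherit the grant.
    _, partition, _, region, account, _, _ = inst["DBInstanceArn"].split(":")
    resource = f"arn:{partition}:rds-db:{region}:{account}:dbuser:{inst['DbiResourceId']}/{db_user}"
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "rds-db:connect", "Resource": resource}]}
```

Feed the real describe-db-instances JSON to evaluate() to list the instances that still need remediation, and call connect_policy() with a database user name to get the policy document to attach to that application's IAM role.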