AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
IAM DB authentication Should Be Enabled
More Info:
IAM Database Authentication feature should be enabled in order to use AWS Identity and Access Management (IAM) service to manage database access to your Amazon RDS MySQL and PostgreSQL instances
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration of IAM DB authentication not being enabled for AWS RDS using the AWS console, follow these steps:
-
Login to AWS Console: Go to the AWS Management Console and login with your credentials.
-
Navigate to RDS Service: From the console dashboard, navigate to the RDS service by clicking on the “Services” dropdown and selecting “RDS” under the Database category.
-
Select the RDS Instance: In the RDS dashboard, select the RDS instance for which you want to enable IAM DB authentication.
-
Modify the Instance: Click on the instance name to open the instance details. Then, click on the “Modify” button to make changes to the instance settings.
-
Enable IAM DB Authentication: Scroll down to the “Additional configuration” section in the Modify DB Instance page. Look for the “IAM DB authentication” option and set it to “Enable” by checking the box next to it.
-
Apply the Changes: Scroll to the bottom of the page and click on the “Continue” button to proceed with modifying the instance.
-
Review and Apply Changes: Review the changes you are about to make and click on the “Modify DB Instance” button to apply the changes.
-
Verify IAM DB Authentication: Once the modification is complete, go back to the RDS instance details page and verify that IAM DB authentication is now enabled for the instance.
By following these steps, you have successfully remediated the misconfiguration of IAM DB authentication not being enabled for the AWS RDS instance using the AWS console.
To remediate the misconfiguration of IAM DB authentication not being enabled for an AWS RDS instance using the AWS CLI, follow these steps:
- Enable IAM DB Authentication using the AWS CLI:
aws rds modify-db-instance \
--db-instance-identifier <your-db-instance-identifier> \
--enable-iam-database-authentication
Replace <your-db-instance-identifier> with the identifier of your RDS instance.
- Check the status of IAM DB Authentication:
aws rds describe-db-instances \
--db-instance-identifier <your-db-instance-identifier> \
--query 'DBInstances[0].[IAMDatabaseAuthenticationEnabled]'
This command will return true if IAM DB Authentication is successfully enabled.
-
Verify IAM DB Authentication in AWS Management Console:
- Go to the AWS Management Console and navigate to the RDS service.
- Select your RDS instance.
- In the “Configuration” section, verify that IAM DB Authentication is enabled.
By following these steps, you can successfully remediate the misconfiguration of IAM DB authentication not being enabled for an AWS RDS instance using the AWS CLI.
To enable IAM DB authentication for an AWS RDS instance using Python, you can use the AWS SDK for Python (Boto3). Follow these steps to remediate the misconfiguration:
- Install Boto3:
pip install boto3
- Create a Python script with the following code:
import boto3
# Specify the region where your RDS instance is located
region = 'us-east-1'
# Specify the identifier of your RDS instance
db_instance_identifier = 'your-db-instance-identifier'
# Create an RDS client
client = boto3.client('rds', region_name=region)
# Enable IAM DB authentication for the specified RDS instance
response = client.modify_db_instance(
DBInstanceIdentifier=db_instance_identifier,
EnableIAMDatabaseAuthentication=True
)
print(f"IAM DB authentication enabled for RDS instance {db_instance_identifier}")
-
Replace
'us-east-1'with the appropriate region where your RDS instance is located and'your-db-instance-identifier'with the actual identifier of your RDS instance. -
Run the Python script. This will enable IAM DB authentication for the specified RDS instance.
After executing the script, IAM DB authentication should be successfully enabled for your AWS RDS instance.