Ensure that RDS IAM authentication is enabled

If IAM database authentication is disabled, authentication tokens are not used to connect to DB instance. Which means that users will connect to DB instance with password, which are less secure than temporary tokens which expire.

Risk Level: High
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.CFT.IAM.22
Covered by Spectral: Yes
Category: Database


AWS_RDS_DBInstance where Engine regexMatch /[mM][yY][sS][qQ][lL]/ or Engine regexMatch /[pP][oO][sS][tT][gG][rR][eE][sS]/ should have EnableIAMDatabaseAuthentication='true'


From CFT
Set AWS::RDS::DBInstance EnableIAMDatabaseAuthentication to 'true' if the database engine is MySQL or PostgreSQL


  1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html#UsingWithRDS.IAMDBAuth.Availability
  2. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html

Amazon RDS

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

Compliance Frameworks

  • AWS CloudFormation ruleset