Ensure RDS cluster has IAM authentication enabled

This enables you to authenticate to your DB cluster using AWS Identity and Access Management (IAM) database authentication. IAM database authentication works with MariaDB, Aurora MySQL and Aurora PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB cluster. Instead, you use an authentication token. An authentication token is a unique string of characters that Amazon Aurora generates on request. Authentication tokens are generated using AWS Signature Version 4. Each token has a lifetime of 15 minutes. You don't need to store user credentials in the database, because authentication is managed externally using IAM

Risk Level: High
Cloud Entity: Amazon RDS DBCluster
CloudGuard Rule ID: D9.CFT.IAM.40
Covered by Spectral: Yes
Category: Database

GSL LOGIC

AWS_RDS_DBCluster should have EnableIAMDatabaseAuthentication=true

REMEDIATION

From CFT
Set AWS::RDS::DBCluster::EnableIAMDatabaseAuthentication to true.
See below example;

Resources:
RDSCluster:
Type: 'AWS::RDS::DBCluster'
Properties:
...

EnableIAMDatabaseAuthentication: true

...

References

  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html#cfn-rds-dbcluster-enableiamdatabaseauthentication
  2. https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html

Amazon RDS DBCluster

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

Compliance Frameworks

  • AWS CloudFormation ruleset