
Ensure IAM Authentication Used for Cluster Access

Description

Checks whether IAM database authentication is enabled for an AWS RDS cluster. IAM database authentication is more secure than the database engine's native password authentication for the following reasons:

  • Authentication tokens are generated from the caller's AWS credentials (an access key pair or a role's temporary credentials), so no database passwords need to be stored in application configuration.
  • Each token is valid for 15 minutes, which removes the need to rotate long-lived database passwords for these accounts.
  • IAM database authentication requires an SSL/TLS connection, so all data transmitted to and from the RDS DB instance is encrypted in transit.

Rationale

Using IAM authentication lets clients authenticate to the cluster with short-lived tokens issued by AWS instead of long-lived database passwords stored in configuration. Access can also be granted and revoked centrally through IAM policies (the rds-db:connect permission) rather than by managing credentials inside each database, which simplifies user management.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                            Value
secureclouddb/provider         aws
secureclouddb/service          rds
secureclouddb/resource-type    cluster

Default Rule

// `aws` is the helper namespace supplied by the rule runtime; it is not defined on this page
const { isAwsRdsCluster, isAwsRdsClusterServerless } = aws

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if the resource is an RDS cluster
 *   that is either serverless or has IAM database authentication enabled
 */
function validate(databaseSettings) {
    // Serverless clusters are treated as compliant by this rule; provisioned
    // clusters must have iamDatabaseAuthenticationEnabled set. The strict
    // comparison keeps `success` a boolean even when the field is absent.
    const success = isAwsRdsCluster(databaseSettings) && (
                        isAwsRdsClusterServerless(databaseSettings) ||
                        databaseSettings.awsDatabaseInstance.rdsCluster.iamDatabaseAuthenticationEnabled === true
                    )

    return {
        success,
    }
}

// invoke
validate(databaseSettings);