IAM Authentication Configuration Rule
This rule specifies the requirement for configuring IAM authentication for RDS clusters.
| Rule | IAM authentication should be configured for RDS clusters |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ High |
Rule Description:
IAM authentication should be configured for RDS clusters in order to comply with the security requirements of NIST 800-171 Revision 2. This rule ensures that only authorized users or services with appropriate IAM roles can access the RDS clusters, providing an additional layer of security and access control.
Troubleshooting Steps:
If IAM authentication is not enabled for RDS clusters, follow these troubleshooting steps to resolve the issue:
- 1.
Check if the RDS cluster is already enabled for IAM authentication:
- Navigate to the Amazon RDS Management Console.
- Select the desired RDS cluster.
- In the "Details" section, look for the "IAM Database Authentication" attribute.
- If it is set to "Disabled," IAM authentication is not yet configured.
- 2.
Enable IAM authentication for the RDS cluster:
- Click on the "Modify" button for the RDS cluster.
- Scroll down to the "Connectivity" section.
- In the "IAM Database Authentication" toggle, select "Enabled."
- Click on the "Continue" and "Modify cluster" buttons to save the changes.
- 3.
Verify IAM authentication for the RDS cluster:
- Once the modification is complete, check the "Details" section of the RDS cluster.
- Confirm that the "IAM Database Authentication" attribute is now set to "Enabled."
- 4.
Test IAM authentication:
- Access the RDS cluster using an Amazon RDS CLI or any other supported tool.
- Provide valid IAM credentials to authenticate and interact with the cluster.
- If successful, IAM authentication is functioning correctly.
Necessary Codes:
There are no specific codes required to enable IAM authentication for RDS clusters. The configuration can be done entirely through the Amazon RDS Management Console or via AWS CLI commands.
Step-by-Step Guide for Remediation:
- 1.
Enable IAM authentication for an RDS cluster using the AWS Management Console:
- Log in to the Amazon RDS Management Console.
- Navigate to the RDS service.
- Select the desired RDS cluster.
- Click on the "Modify" button.
- Scroll down to the "Connectivity" section.
- In the "IAM Database Authentication" toggle, select "Enabled."
- Click on the "Continue" and "Modify cluster" buttons to save the changes.
- 2.
Enable IAM authentication for an RDS cluster using AWS CLI:
- Open the AWS CLI or AWS Command Line Interface.
- Execute the following command to enable IAM authentication for the RDS cluster:
Replaceaws rds modify-db-cluster --db-cluster-identifier <cluster-identifier> --enable-iam-database-authentication
with the actual identifier of the RDS cluster.<cluster-identifier>
- 3.
Verify if IAM authentication is enabled:
- Once the modification is complete, go to the RDS cluster details in the console.
- Confirm that the "IAM Database Authentication" attribute is set to "Enabled."
- 4.
Test IAM authentication:
- Access the RDS cluster using an Amazon RDS CLI or any other supported tool.
- Provide valid IAM credentials to authenticate and interact with the cluster.
- Ensure that the authentication is successful and the desired operations can be performed.
By following these steps, IAM authentication can be successfully configured for RDS clusters, meeting the NIST 800-171 Revision 2 requirements.