Ensure IAM authentication is enabled for RDS DB instances.
| Rule | RDS DB instances should have IAM authentication enabled |
|---|---|
| Framework | SOC 2 |
| Severity | Medium |
Enabling IAM Authentication for RDS DB Instances for SOC 2 Compliance
Understanding IAM Authentication for RDS
IAM database authentication lets a database client authenticate to a DB instance with a short-lived token generated from AWS Identity and Access Management (IAM) credentials instead of a password stored in the database. It is available for RDS for MySQL, MariaDB and PostgreSQL and for Aurora MySQL and Aurora PostgreSQL; the Oracle and SQL Server engines cannot use it. Two properties matter for the control: a token is valid for 15 minutes after it is generated, and the connection must use SSL/TLS. Enabling the feature does not disable password authentication for existing database users, so it complements password rotation rather than replacing it until those users are migrated to IAM.
Benefits of IAM Authentication
Prerequisites
Step 1: Enable IAM Authentication for RDS DB Instance
Via AWS Management Console
Via AWS CLI
Execute the following AWS CLI command to modify the instance to use IAM authentication:
```shell
aws rds modify-db-instance \
    --db-instance-identifier <db-instance-identifier> \
    --enable-iam-database-authentication \
    --apply-immediately
```
Replace <db-instance-identifier> with the actual DB instance identifier. The --apply-immediately flag applies the change now rather than at the next maintenance window.

Step 2: Create IAM Policy for Database Access
Create an IAM policy that grants the necessary permissions to authenticate with the RDS instance.
Via AWS Management Console
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": [
        "arn:aws:rds-db:region:accountId:dbuser:dbi-resource-id/dbuserName"
      ]
    }
  ]
}
```
Replace region, accountId, dbi-resource-id, and dbuserName with your specific details. dbi-resource-id is the instance's resource ID (the DbiResourceId value, which starts with db- and is shown by aws rds describe-db-instances), not the DB instance identifier; a policy written with the identifier will not match any instance. dbuserName must already exist in the database and be set up for IAM authentication: for PostgreSQL, grant the user the rds_iam role; for MySQL and MariaDB, create the user with the AWSAuthenticationPlugin. Keep the Resource scoped to a specific instance and user; a wildcard such as dbuser:*/* lets the principal obtain a connection token for any user on any instance in the account.

Via AWS CLI
Use the following command to create a new IAM policy:
```shell
aws iam create-policy \
    --policy-name RDSIAMAuthPolicy \
    --policy-document file://rds-auth-policy.json
```
Ensure rds-auth-policy.json contains the policy JSON from above.

Step 3: Attach IAM Policy to IAM User or Group
Once the policy is created, attach it to the IAM user or group that requires access to the RDS DB instance.
Via AWS Management Console
Via AWS CLI
To attach the policy to a user, use:
```shell
aws iam attach-user-policy \
    --policy-arn <policy-arn> \
    --user-name <user-name>
```
To attach to a group:
```shell
aws iam attach-group-policy \
    --policy-arn <policy-arn> \
    --group-name <group-name>
```
Replace <policy-arn>, <user-name>, and <group-name> with the appropriate values. For applications, attach the policy to the IAM role the workload runs under (an instance profile, ECS task role, or Lambda execution role) rather than to an IAM user with long-lived access keys; the point of IAM authentication is to remove standing database secrets, and a static access key simply moves the secret.

Step 4: Enable Network Access to RDS Instance
Ensure the RDS instance is accessible from the network from which the IAM users will connect: the instance's security group must allow inbound traffic on the database port from the client's security group or CIDR range, and clients outside the VPC need a route to it (VPN, peering, or a publicly accessible instance, which should be avoided where a private path exists). IAM authentication does not change the network path; it only replaces the credential presented once the TCP and TLS connection is established.
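The following script is an added example, not code from the original page or from AWS: it applies the rule of Step 1 to describe-db-instances output (treating engines that cannot use IAM authentication as not applicable rather than failing), emits the Step 1 remediation command for each instance in alarm, and builds the Step 2 policy from the instance's own ARN and DbiResourceId so the resource-ID-versus-identifier mistake cannot happen. It also checks a policy for wildcard connect resources. The instance names, account ID and resource IDs in SAMPLE_DESCRIBE are constructed; to audit a real account, load the JSON printed by aws rds describe-db-instances instead.

```python
"""
Audit helpers for the RDS IAM authentication rule (added example, not the
page's own code). Runs offline against constructed describe-db-instances
output; feed it real `aws rds describe-db-instances` JSON to audit an account.
"""
import json
import re

# Engines that support IAM database authentication. Other engines (Oracle,
# SQL Server) cannot enable it, so the rule reports them as not applicable
# rather than as failing.
IAM_AUTH_ENGINES = {"mysql", "mariadb", "postgres", "aurora-mysql", "aurora-postgresql"}

# Constructed sample shaped like `aws rds describe-db-instances` output;
# identifiers, the account ID and the resource IDs are made up.
SAMPLE_DESCRIBE = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "orders-db",
            "DbiResourceId": "db-ABCDEFGHIJKLMNOPQRSTUVWXY",
            "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:orders-db",
            "Engine": "postgres",
            "IAMDatabaseAuthenticationEnabled": True,
        },
        {
            "DBInstanceIdentifier": "legacy-db",
            "DbiResourceId": "db-ZYXWVUTSRQPONMLKJIHGFEDCB",
            "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:legacy-db",
            "Engine": "mysql",
            "IAMDatabaseAuthenticationEnabled": False,
        },
        {
            "DBInstanceIdentifier": "reports-db",
            "DbiResourceId": "db-QQQQQQQQQQQQQQQQQQQQQQQQQ",
            "DBInstanceArn": "arn:aws:rds:eu-west-1:123456789012:db:reports-db",
            "Engine": "sqlserver-se",
            "IAMDatabaseAuthenticationEnabled": False,
        },
    ]
}

# Region and account are taken from the instance ARN rather than typed by hand.
DB_ARN_RE = re.compile(r"^arn:aws:rds:([a-z0-9-]+):(\d{12}):db:[^:]+$")


def evaluate(describe_output):
    """Apply the rule to each instance: 'ok', 'alarm', or 'skip' (engine
    cannot use IAM authentication)."""
    results = {}
    for inst in describe_output["DBInstances"]:
        name = inst["DBInstanceIdentifier"]
        if inst["Engine"] not in IAM_AUTH_ENGINES:
            results[name] = "skip"
        elif inst.get("IAMDatabaseAuthenticationEnabled", False):
            results[name] = "ok"
        else:
            results[name] = "alarm"
    return results


def remediation_commands(describe_output):
    """Step 1 remediation for every instance in alarm, as AWS CLI lines."""
    cmds = []
    for name, state in evaluate(describe_output).items():
        if state == "alarm":
            cmds.append(
                f"aws rds modify-db-instance --db-instance-identifier {name} "
                "--enable-iam-database-authentication --apply-immediately"
            )
    return cmds


def connect_policy(inst, db_user):
    """Step 2 policy for one instance and one database user. The rds-db ARN
    takes the DbiResourceId (db-...), not the DBInstanceIdentifier."""
    m = DB_ARN_RE.match(inst["DBInstanceArn"])
    if not m:
        raise ValueError(f"unexpected DBInstanceArn: {inst['DBInstanceArn']}")
    region, account = m.groups()
    resource = f"arn:aws:rds-db:{region}:{account}:dbuser:{inst['DbiResourceId']}/{db_user}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["rds-db:connect"], "Resource": [resource]}
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_is_scoped(policy):
    """True when every Allow of rds-db:connect names specific instances and
    users. A '*' in the Resource (for example dbuser:*/*) lets the principal
    obtain a token for any user on any instance in the account."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("rds-db:connect", "rds-db:*", "*") for a in actions):
            continue
        if any("*" in r for r in _as_list(stmt.get("Resource", []))):
            return False
    return True


if __name__ == "__main__":
    for name, state in evaluate(SAMPLE_DESCRIBE).items():
        print(f"{name}: {state}")
    for cmd in remediation_commands(SAMPLE_DESCRIBE):
        print(cmd)
    policy = connect_policy(SAMPLE_DESCRIBE["DBInstances"][0], "app_reader")
    print(json.dumps(policy, indent=2), "scoped:", policy_is_scoped(policy))
```

The evaluation deliberately separates "skip" from "alarm": an Oracle or SQL Server instance can never satisfy this rule, and reporting it as failing produces findings nobody can close. The policy builder reads region and account from DBInstanceArn so the generated ARN always matches the instance it was built from.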
Troubleshooting Steps
IAM Authentication Not Working
Unable to Attach IAM Policy
By following these steps and troubleshooting guidelines, IAM Authentication can be enabled for AWS RDS DB instances to help meet SOC 2 compliance requirements. Remember to maintain best practices for security and compliance, review permissions regularly, and monitor logs for any unauthorized access attempts.