Amazon RDS

RDS IAM Database Authentication Disabled

This plugin ensures IAM Database Authentication is enabled for RDS database instances to manage database access.

Risk Level: High

Description

This plugin ensures IAM Database Authentication is enabled for RDS database instances to manage database access. An RDS database can use several authentication methods; AWS IAM authentication is the most secure way to gain admin rights, so it is highly recommended to use AWS Identity and Access Management (IAM) to authenticate to your RDS DB instances.

About the Service

Amazon RDS: Amazon RDS is a scalable relational database service for the cloud. It provides a fast, secure and highly scalable database server. As explained by the AWS docs, Amazon RDS is a managed relational database service that provides six familiar database engines to choose from, including Amazon Aurora, MySQL, MariaDB, Oracle, Microsoft SQL Server, and PostgreSQL.

Impact

IAM Authentication is available for MySQL and PostgreSQL databases. With this option, admins access the database with an authentication token generated by RDS instead of a password. IAM database authentication provides an additional security layer because the network traffic is encrypted with SSL or TLS. It also eliminates the risk of password brute-force attacks, which can result in complete exposure of your data to the attacker.

Steps to Reproduce

Using the AWS Console:
  1. Log in to your AWS Console.
  2. Open the Amazon RDS Console. You can use this link (https://console.aws.amazon.com/rds/) to navigate directly if already logged in.
  3. From the left navigation pane, click on Databases.
  4. A list of databases will be displayed. Select the database you want to examine by clicking on its DB Identifier.
  5. Move to the Configuration tab.
  6. In the Availability section, scroll down to find IAM DB Authentication. If it is disabled, the vulnerability exists.
  7. Repeat steps 3 to 6 for all the database instances you wish to examine.

Steps for Remediation

Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.

  1. Log in to your AWS Console.
  2. Open the Amazon RDS Console. You can use this link (https://console.aws.amazon.com/rds/) to navigate directly if already logged in.
  3. From the left navigation pane, click on Databases.
  4. A list of databases will be displayed. Select the vulnerable database by clicking on its DB Identifier.
  5. Click on Modify from the top-right corner.
  6. In the Database authentication section, enable the Password and IAM database authentication option. Click on Continue to apply the changes.
  7. Repeat steps 3 to 6 for all the vulnerable database instances.
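The same check and fix as the console steps above (Steps to Reproduce and Steps for Remediation), scripted against the RDS API with boto3; this is an added example, not part of the plugin or the original page. The API response is a constructed sample; the identifiers, engines and the `IAM_AUTH_ENGINES` set are assumptions for the demonstration.

```python
"""Flag RDS instances with IAM database authentication disabled (added example).

SAMPLE_RESPONSE is constructed, not real account data. find_noncompliant() runs
offline; remediate() calls ModifyDBInstance only via the boto3 client passed in.
"""
from typing import Iterable

# Engines this page covers for IAM DB authentication (MySQL and PostgreSQL).
IAM_AUTH_ENGINES = {"mysql", "postgres"}

# Constructed sample shaped like boto3 rds.describe_db_instances() output.
SAMPLE_RESPONSE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "Engine": "mysql",
         "IAMDatabaseAuthenticationEnabled": False},
        {"DBInstanceIdentifier": "billing-db", "Engine": "postgres",
         "IAMDatabaseAuthenticationEnabled": True},
        {"DBInstanceIdentifier": "legacy-db", "Engine": "oracle-ee",
         "IAMDatabaseAuthenticationEnabled": False},
    ]
}

def find_noncompliant(response: dict) -> list[str]:
    """Return identifiers of MySQL/PostgreSQL instances with IAM auth disabled.

    Engines without IAM auth support (e.g. Oracle) are skipped: the flag is
    always False for them and would otherwise produce false positives.
    """
    return [
        db["DBInstanceIdentifier"]
        for db in response.get("DBInstances", [])
        if db.get("Engine") in IAM_AUTH_ENGINES
        and not db.get("IAMDatabaseAuthenticationEnabled", False)
    ]

def remediate(rds_client, identifiers: Iterable[str]) -> list[dict]:
    """Enable IAM authentication on each flagged instance via ModifyDBInstance.

    rds_client is a boto3 RDS client (boto3.client("rds")). ApplyImmediately
    applies the change now instead of in the next maintenance window.
    """
    return [
        rds_client.modify_db_instance(
            DBInstanceIdentifier=db_id,
            EnableIAMDatabaseAuthentication=True,
            ApplyImmediately=True,
        )
        for db_id in identifiers
    ]
```

In a live account, replace `SAMPLE_RESPONSE` with `boto3.client("rds").describe_db_instances()` (paginating if you have many instances) and pass that client to `remediate()`.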