IAM database authentication should be enabled to avoid reliance on static database passwords and centralize access control. This reduces the risk of credential leakage and makes rotation and auditing easier.
For Ansible RDS resources using the amazon.aws.rds_instance or rds_instance modules, the enable_iam_database_authentication property must be defined and set to true. This check only applies to engines, engine versions, and instance types that support IAM authentication; the policy inspects the engine, engine_version, and instance_type parameters to decide whether it applies. Resources where the property is missing or set to false are flagged.
Secure Ansible example:
```yaml
- name: Create RDS instance with IAM auth enabled
  amazon.aws.rds_instance:
    db_instance_identifier: mydb
    engine: mysql
    engine_version: "8.0"
    instance_type: db.t3.medium
    enable_iam_database_authentication: true
```
Compliant Code Examples
```yaml
- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster
    enable_iam_database_authentication: true

- name: Create a DB instance using the default AWS KMS encryption key
  amazon.aws.rds_instance:
    db_instance_identifier: test-encrypted-db
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: true
    db_instance_class: db.t2.medium
    username: '{{ username }}'
    password: '{{ password }}'
    allocated_storage: '{{ allocated_storage }}'
    enable_iam_database_authentication: true

- name: remove the DB instance without a final snapshot
  amazon.aws.rds_instance:
    db_instance_identifier: test-db-remove-1
    id: '{{ instance_id }}'
    state: absent
    skip_final_snapshot: true
    enable_iam_database_authentication: true

- name: remove the DB instance with a final snapshot
  amazon.aws.rds_instance:
    db_instance_identifier: test-db-remove-2
    id: '{{ instance_id }}'
    state: absent
    final_snapshot_identifier: '{{ snapshot_id }}'
    enable_iam_database_authentication: true

- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster
    enable_iam_database_authentication: "No"

- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: mariadb
    engine_version: 10.2.43
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster
```
Non-Compliant Code Examples
```yaml
- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: mysql
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster
    enable_iam_database_authentication: "No"

- name: Create a DB instance using the default AWS KMS encryption key
  amazon.aws.rds_instance:
    db_instance_identifier: test-encrypted-db
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: True
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"
    enable_iam_database_authentication: false
```
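As an added illustration that is not Datadog's rule implementation, the following Python checker applies the policy described above to Ansible tasks already parsed into dictionaries (as PyYAML or Ansible would produce them), including the Ansible boolean coercion that turns a quoted "No" into false. The applicability rules for MariaDB versions and Aurora instance classes are assumptions chosen to reproduce the verdicts of the examples on this page, and the sample tasks are constructed.

```python
MODULE_NAMES = {"amazon.aws.rds_instance", "rds_instance"}
PROPERTY = "enable_iam_database_authentication"
# Spellings Ansible's bool type coerces (case-insensitive); a quoted "No" is still false.
TRUE_STRINGS = {"yes", "on", "1", "true", "y", "t"}
FALSE_STRINGS = {"no", "off", "0", "false", "n", "f"}

def ansible_bool(value):
    """Coerce a parameter the way Ansible's bool type does; None if it is not a boolean."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        v = value.strip().lower()
        return True if v in TRUE_STRINGS else False if v in FALSE_STRINGS else None
    return None

def iam_auth_supported(params):
    """Assumed applicability rules chosen to match the page's examples (not AWS's official
    matrix): MySQL/PostgreSQL always, MariaDB from 10.6, Aurora except the small t2/t3 classes."""
    engine = str(params.get("engine", "")).lower()
    klass = str(params.get("instance_type") or params.get("db_instance_class") or "")
    if engine in {"mysql", "postgres"}:
        return True
    if engine == "mariadb":
        try:
            major, minor = (int(p) for p in str(params["engine_version"]).split(".")[:2])
        except (KeyError, ValueError):
            return True  # no parseable pin: AWS picks a current default, assumed supported
        return (major, minor) >= (10, 6)
    if engine.startswith("aurora"):
        return klass not in {"db.t2.small", "db.t3.small"}
    return False

def check_task(task):
    """Return 'compliant', 'non-compliant' (flagged: property missing/false) or 'not-applicable'."""
    module = next((m for m in MODULE_NAMES if m in task), None)
    if module is None:
        return "not-applicable"
    params = task[module] or {}
    if not iam_auth_supported(params):
        return "not-applicable"
    return "compliant" if ansible_bool(params.get(PROPERTY)) is True else "non-compliant"

# Constructed sample tasks mirroring the page's examples, already parsed into dicts as Ansible would.
SAMPLE_TASKS = [
    {"name": "mysql-iam-on", "amazon.aws.rds_instance": {"engine": "mysql", "engine_version": "8.0", PROPERTY: True}},
    {"name": "mysql-quoted-no", "amazon.aws.rds_instance": {"engine": "mysql", "instance_type": "db.t2.small", PROPERTY: "No"}},
    {"name": "mariadb-false", "amazon.aws.rds_instance": {"engine": "mariadb", "db_instance_class": "db.t2.medium", PROPERTY: False}},
    {"name": "mariadb-10.2", "amazon.aws.rds_instance": {"engine": "mariadb", "engine_version": "10.2.43"}},
    {"name": "aurora-t2-small", "amazon.aws.rds_instance": {"engine": "aurora", "instance_type": "db.t2.small", PROPERTY: "No"}},
]
```

Running `{t["name"]: check_task(t) for t in SAMPLE_TASKS}` flags only the two tasks that the page lists as non-compliant; the MariaDB 10.2 and Aurora db.t2.small tasks fall outside the check, as the compliant examples show.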
```yaml
rulesets:
  - Ansible / AWS # Rules to enforce / AWS.
```