IAM database authentication should be enabled to avoid reliance on static database passwords and centralize access control. This reduces the risk of credential leakage and makes rotation and auditing easier.
For Ansible RDS resources declared with the amazon.aws.rds_instance or rds_instance modules, the enable_iam_database_authentication property must be defined and set to true. The check applies only to engines, engine versions, and instance types on which IAM authentication is available: the policy reads engine, engine_version, and instance_type to decide whether a resource is in scope. In-scope resources where the property is missing or set to false are flagged.
Secure Ansible example:
```yaml
- name: Create RDS instance with IAM auth enabled
  amazon.aws.rds_instance:
    db_instance_identifier: mydb
    engine: mysql
    engine_version: "8.0"
    instance_type: db.t3.medium
    enable_iam_database_authentication: true
```
Compliant Code Examples
```yaml
- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster
    enable_iam_database_authentication: true
```

```yaml
- name: Create a DB instance using the default AWS KMS encryption key
  amazon.aws.rds_instance:
    db_instance_identifier: test-encrypted-db
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: true
    db_instance_class: db.t2.medium
    username: '{{ username }}'
    password: '{{ password }}'
    allocated_storage: '{{ allocated_storage }}'
    enable_iam_database_authentication: true
```

```yaml
- name: remove the DB instance without a final snapshot
  amazon.aws.rds_instance:
    db_instance_identifier: test-db-remove-1
    id: '{{ instance_id }}'
    state: absent
    skip_final_snapshot: true
    enable_iam_database_authentication: true
```

```yaml
- name: remove the DB instance with a final snapshot
  amazon.aws.rds_instance:
    db_instance_identifier: test-db-remove-2
    id: '{{ instance_id }}'
    state: absent
    final_snapshot_identifier: '{{ snapshot_id }}'
    enable_iam_database_authentication: true
```

```yaml
- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster
    enable_iam_database_authentication: "No"
```

```yaml
- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: mariadb
    engine_version: 10.2.43
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster
```
Non-Compliant Code Examples
```yaml
- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: mysql
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster
    enable_iam_database_authentication: "No"
```

```yaml
- name: Create a DB instance using the default AWS KMS encryption key
  amazon.aws.rds_instance:
    db_instance_identifier: test-encrypted-db
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: True
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"
    enable_iam_database_authentication: false
```
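As an added illustration (not Datadog's rule implementation and not code from the amazon.aws collection), the Python below applies the policy described above to the page's own compliant and non-compliant tasks, embedded as the dicts a YAML loader would produce for them and trimmed to the parameters the check reads. The `supports_iam_auth` applicability test is an assumption inferred from which examples the page labels compliant (MariaDB pinned below 10.6 and Aurora on db.t2.small are treated as out of scope); it stands in for the current AWS support matrix and is not Datadog's logic.

```python
"""Illustrative checker for the IAM-database-authentication rule on this page.

Walks a list of parsed Ansible tasks and reports amazon.aws.rds_instance /
rds_instance tasks whose enable_iam_database_authentication is missing or not
true, skipping resources on which IAM authentication is not available.
"""

from typing import Any, Dict, List, Optional

RDS_MODULES = ("amazon.aws.rds_instance", "rds_instance")
PARAM = "enable_iam_database_authentication"

# Spellings Ansible's boolean coercion accepts as true. Unquoted YAML booleans
# arrive as Python bools; quoted values such as "No" arrive as strings.
TRUE_VALUES = {"true", "yes", "on", "1", "y", "t"}


def is_true(value: Any) -> bool:
    """True for a bool True or a string Ansible would coerce to true."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in TRUE_VALUES


def version_tuple(version: Any) -> tuple:
    """Turn '10.2.43' into (10, 2, 43); non-numeric trailing parts are dropped."""
    parts = []
    for piece in str(version).split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def supports_iam_auth(params: Dict[str, Any]) -> bool:
    """ASSUMPTION: simplified applicability test inferred from this page's
    examples, not the authoritative AWS support matrix. Replace these
    conditions with the current AWS documentation before relying on it.
    - MariaDB pinned below 10.6 is out of scope; no engine_version means latest, in scope.
    - Aurora on db.t2.small is out of scope (the page lists such a task as compliant).
    """
    engine = str(params.get("engine", "")).lower()
    version = params.get("engine_version")
    instance_type = params.get("instance_type") or params.get("db_instance_class")
    if engine == "mariadb" and version is not None and version_tuple(version) < (10, 6):
        return False
    if engine.startswith("aurora") and instance_type == "db.t2.small":
        return False
    return True


def check_task(task: Dict[str, Any]) -> Optional[str]:
    """Return a finding for a non-compliant RDS task, else None (compliant or not applicable)."""
    module = next((m for m in RDS_MODULES if m in task), None)
    if module is None:
        return None  # not an RDS instance task
    params = task.get(module) or {}
    if not supports_iam_auth(params):
        return None  # IAM authentication unavailable here; rule does not apply
    name = task.get("name", "<unnamed task>")
    if PARAM not in params:
        return f"{name}: {PARAM} is not defined"
    if not is_true(params[PARAM]):
        return f"{name}: {PARAM} is {params[PARAM]!r}, expected true"
    return None


def check_tasks(tasks: List[Dict[str, Any]]) -> List[str]:
    """Run check_task over every task and collect the findings."""
    return [finding for finding in map(check_task, tasks) if finding]


# Constructed input: the page's examples in parsed form, trimmed to the relevant keys.
AURORA_NAME = "create minimal aurora instance in default VPC and default subnet group"
KMS_NAME = "Create a DB instance using the default AWS KMS encryption key"
SAMPLE_TASKS = [
    # compliant: IAM auth enabled
    {"name": AURORA_NAME, "amazon.aws.rds_instance": {"engine": "aurora", "instance_type": "db.t2.small", PARAM: True}},
    {"name": KMS_NAME, "amazon.aws.rds_instance": {"engine": "mariadb", "db_instance_class": "db.t2.medium", PARAM: True}},
    # compliant: out of scope under the assumed applicability test
    {"name": AURORA_NAME, "amazon.aws.rds_instance": {"engine": "aurora", "instance_type": "db.t2.small", PARAM: "No"}},
    {"name": AURORA_NAME, "amazon.aws.rds_instance": {"engine": "mariadb", "engine_version": "10.2.43", "instance_type": "db.t2.small"}},
    # non-compliant: in scope and IAM auth disabled
    {"name": AURORA_NAME, "amazon.aws.rds_instance": {"engine": "mysql", "instance_type": "db.t2.small", PARAM: "No"}},
    {"name": KMS_NAME, "amazon.aws.rds_instance": {"engine": "mariadb", "db_instance_class": "db.t2.medium", PARAM: False}},
]

if __name__ == "__main__":
    for finding in check_tasks(SAMPLE_TASKS):
        print(finding)
```

Running the block prints one line for each of the two non-compliant tasks and nothing for the four compliant ones. Note that the check treats the quoted string "No" the same way as an unquoted false, which is why quoting a boolean does not hide a disabled setting from the rule.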
```yaml
rulesets:
  - Ansible / AWS # Rules to enforce / AWS.
```