For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-iam-database-auth-not-enabled.md. A documentation index is available at /llms.txt.

IAM database auth not enabled

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-iam-database-auth-not-enabled

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Encryption

Learn More

Description

Amazon RDS instances should have IAM database authentication enabled for engines and versions that support it to avoid embedding long‑lived database credentials in application code or configuration and to enable centralized credential management and rotation.

For CloudFormation, the EnableIAMDatabaseAuthentication property on AWS::RDS::DBInstance must be defined and set to true when the template’s Engine, EngineVersion, and DBInstanceClass indicate IAM authentication compatibility. Resources missing EnableIAMDatabaseAuthentication or with EnableIAMDatabaseAuthentication set to false will be flagged.

Secure configuration example:

MyDBInstance:
  Type: AWS::RDS::DBInstance
  Properties:
    Engine: mysql
    EngineVersion: "8.0"
    DBInstanceClass: db.t3.medium
    EnableIAMDatabaseAuthentication: true

Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: !Ref DBInstanceType
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      DeletionProtection: false
      KmsKeyId: !Ref MyKey
      EnableIAMDatabaseAuthentication: true

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "RDS Storage Encrypted",
  "Parameters": {
      "SourceDBInstanceIdentifier": {
          "Type": "String"
      },
      "DBInstanceType": {
          "Type": "String"
      },
      "SourceRegion": {
          "Type": "String"
      }
  },
  "Resources": {
      "MyDBSmall": {
          "Type": "AWS::RDS::DBInstance",
          "Properties": {
              "DBInstanceClass": {
                  "Ref": "DBInstanceType"
              },
              "SourceDBInstanceIdentifier": {
                  "Ref": "SourceDBInstanceIdentifier"
              },
              "SourceRegion": {
                  "Ref": "SourceRegion"
              },
              "KmsKeyId": {
                  "Ref": "MyKey"
              },
              "EnableIAMDatabaseAuthentication" : true
          }
      }
  }
}

AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: db.t2.small
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      DeletionProtection: false
      KmsKeyId: !Ref MyKey
      EnableIAMDatabaseAuthentication: false
      Engine: aurora

Non-Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: db.r3.xlarge
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      DeletionProtection: false
      KmsKeyId: !Ref MyKey
      EnableIAMDatabaseAuthentication: false
      Engine: aurora

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "RDS Storage Encrypted",
  "Parameters": {
    "SourceDBInstanceIdentifier": {
      "Type": "String"
    },
    "DBInstanceType": {
      "Type": "String"
    },
    "SourceRegion": {
      "Type": "String"
    }
  },
  "Resources": {
    "MyDBSmall": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceClass": {
          "Ref": "DBInstanceType"
        },
        "SourceDBInstanceIdentifier": {
          "Ref": "SourceDBInstanceIdentifier"
        },
        "SourceRegion": {
          "Ref": "SourceRegion"
        },
        "KmsKeyId": {
          "Ref": "MyKey"
        },
        "EnableIAMDatabaseAuthentication": false,
        "Engine": "mysql"
      }
    }
  }
}

AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: db.r3.xlarge
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      DeletionProtection: false
      KmsKeyId: !Ref MyKey
      Engine: mysql