IAM database auth not enabled
Id: 9fcd0a0a-9b6f-4670-a215-d94e6bf3f184
Cloud Provider: AWS
Platform: CloudFormation
Severity: Medium
Category: Encryption
Description
Amazon RDS instances should have IAM database authentication enabled for engines and versions that support it to avoid embedding long-lived database credentials in application code or configuration and to enable centralized credential management and rotation.
For CloudFormation, the EnableIAMDatabaseAuthentication property on AWS::RDS::DBInstance must be defined and set to true when the template’s Engine, EngineVersion, and DBInstanceClass indicate IAM authentication compatibility. Resources missing EnableIAMDatabaseAuthentication or with EnableIAMDatabaseAuthentication set to false will be flagged.
Secure configuration example:
MyDBInstance:
  Type: AWS::RDS::DBInstance
  Properties:
    Engine: mysql
    EngineVersion: "8.0"
    DBInstanceClass: db.t3.medium
    EnableIAMDatabaseAuthentication: true
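As an added illustration, not Datadog's rule implementation, the following Python sketch applies the check described above to a CloudFormation template in JSON form: it flags AWS::RDS::DBInstance resources whose EnableIAMDatabaseAuthentication is missing or false when the engine, version and instance class indicate compatibility. The compatibility table (IAM_AUTH_ENGINES, MARIADB_MIN_VERSION, UNSUPPORTED_CLASSES) is a simplified assumption, the sample template is constructed, and an absent or unresolved (Ref) Engine is treated as undecidable rather than flagged.

```python
import itertools
import json

# Simplified compatibility assumptions for this example, not the rule's exact matrix:
# engines with IAM auth, the minimum MariaDB version offering it, excluded classes.
IAM_AUTH_ENGINES = {"mysql", "postgres", "mariadb",
                    "aurora", "aurora-mysql", "aurora-postgresql"}
MARIADB_MIN_VERSION = (10, 6)
UNSUPPORTED_CLASSES = {"db.t1.micro", "db.m1.small"}

def _version_tuple(version):
    """'10.2.43' (or 8.0) -> (10, 2, 43); stops at the first non-numeric part."""
    parts = str(version).split(".")
    return tuple(int(p) for p in itertools.takewhile(str.isdigit, parts))

def supports_iam_auth(props):
    """True when Engine/EngineVersion/DBInstanceClass indicate compatibility;
    an absent or unresolved (Ref) Engine means 'cannot judge' and returns False."""
    engine = props.get("Engine")
    if not isinstance(engine, str) or engine.lower() not in IAM_AUTH_ENGINES:
        return False
    if engine.lower() == "mariadb":
        ver = props.get("EngineVersion")
        if isinstance(ver, dict) or _version_tuple(ver) < MARIADB_MIN_VERSION:
            return False
    cls = props.get("DBInstanceClass")
    return not (isinstance(cls, str) and cls in UNSUPPORTED_CLASSES)

def find_violations(template):
    """Logical names of DBInstance resources that should enable IAM auth but don't."""
    flagged = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::RDS::DBInstance":
            continue
        props = res.get("Properties", {})
        if supports_iam_auth(props) and props.get("EnableIAMDatabaseAuthentication") is not True:
            flagged.append(name)
    return flagged

# Constructed sample template (JSON form of the page's examples), not real infrastructure.
SAMPLE = json.loads("""{"Resources": {
 "MysqlFalse": {"Type": "AWS::RDS::DBInstance", "Properties":
   {"Engine": "mysql", "EnableIAMDatabaseAuthentication": false}},
 "MysqlMissing": {"Type": "AWS::RDS::DBInstance", "Properties":
   {"Engine": "mysql", "DBInstanceClass": {"Ref": "DBInstanceType"}}},
 "OldMariadb": {"Type": "AWS::RDS::DBInstance", "Properties":
   {"Engine": "mariadb", "EngineVersion": "10.2.43", "EnableIAMDatabaseAuthentication": false}},
 "Postgres": {"Type": "AWS::RDS::DBInstance", "Properties":
   {"Engine": "postgres", "EnableIAMDatabaseAuthentication": true}}}}""")
```

Running find_violations(SAMPLE) returns ['MysqlFalse', 'MysqlMissing']: the MariaDB 10.2 instance is left alone because, under the assumed table, that version does not offer IAM authentication.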
Compliant Code Examples
AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: !Ref DBInstanceType
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      DeletionProtection: false
      KmsKeyId: !Ref MyKey
      EnableIAMDatabaseAuthentication: true
AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: db.t2.small
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      DeletionProtection: false
      KmsKeyId: !Ref MyKey
      EnableIAMDatabaseAuthentication: false
      Engine: mariadb
      EngineVersion: 10.2.43
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "RDS Storage Encrypted",
  "Parameters": {
    "SourceDBInstanceIdentifier": {
      "Type": "String"
    },
    "DBInstanceType": {
      "Type": "String"
    },
    "SourceRegion": {
      "Type": "String"
    }
  },
  "Resources": {
    "MyDBSmall": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceClass": {
          "Ref": "DBInstanceType"
        },
        "SourceDBInstanceIdentifier": {
          "Ref": "SourceDBInstanceIdentifier"
        },
        "SourceRegion": {
          "Ref": "SourceRegion"
        },
        "KmsKeyId": {
          "Ref": "MyKey"
        },
        "EnableIAMDatabaseAuthentication": true
      }
    }
  }
}
Non-Compliant Code Examples
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "RDS Storage Encrypted",
  "Parameters": {
    "SourceDBInstanceIdentifier": {
      "Type": "String"
    },
    "DBInstanceType": {
      "Type": "String"
    },
    "SourceRegion": {
      "Type": "String"
    }
  },
  "Resources": {
    "MyDBSmall": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceClass": {
          "Ref": "DBInstanceType"
        },
        "SourceDBInstanceIdentifier": {
          "Ref": "SourceDBInstanceIdentifier"
        },
        "SourceRegion": {
          "Ref": "SourceRegion"
        },
        "KmsKeyId": {
          "Ref": "MyKey"
        },
        "EnableIAMDatabaseAuthentication": false,
        "Engine": "mysql"
      }
    }
  }
}
AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: db.r3.xlarge
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      DeletionProtection: false
      KmsKeyId: !Ref MyKey
      Engine: mysql
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "RDS Storage Encrypted",
  "Parameters": {
    "SourceDBInstanceIdentifier": {
      "Type": "String"
    },
    "DBInstanceType": {
      "Type": "String"
    },
    "SourceRegion": {
      "Type": "String"
    }
  },
  "Resources": {
    "MyDBSmall": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceClass": {
          "Ref": "DBInstanceType"
        },
        "SourceDBInstanceIdentifier": {
          "Ref": "SourceDBInstanceIdentifier"
        },
        "SourceRegion": {
          "Ref": "SourceRegion"
        },
        "KmsKeyId": {
          "Ref": "MyKey"
        },
        "Engine": "mysql"
      }
    }
  }
}