--- title: IAM database auth not enabled description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > IAM database auth not enabled --- # IAM database auth not enabled {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-iam-database-auth-not-enabled` **Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Encryption #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#iam_database_authentication_enabled) ### Description{% #description %} When provisioning an AWS RDS instance with Terraform, the `iam_database_authentication_enabled` attribute determines whether IAM database authentication is enabled. Failing to set `iam_database_authentication_enabled = true` on a compatible database engine means the database will rely solely on traditional static username and password authentication, increasing the risk of credential compromise and making access control harder to manage centrally. Enabling this attribute, as shown below, leverages AWS IAM to enforce strong authentication and fine-grained, auditable access policies: ``` resource "aws_db_instance" "example" { // ...other configuration... iam_database_authentication_enabled = true } ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_db_instance" "negative1" { allocated_storage = 20 storage_type = "gp2" engine = "mysql" engine_version = "5.7" instance_class = "db.t2.micro" name = "mydb" username = "foo" password = "foobarbaz" iam_database_authentication_enabled = true } ``` ```terraform module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" identifier = "demodb" engine = "mysql" engine_version = "5.7.19" instance_class = "db.t2.large" allocated_storage = 5 name = "demodb" username = "user" password = "YourPwdShouldBeLongAndSecure!" port = "3306" iam_database_authentication_enabled = true vpc_security_group_ids = ["sg-12345678"] maintenance_window = "Mon:00:00-Mon:03:00" backup_window = "03:00-06:00" # Enhanced Monitoring - see example for details on how to create the role # by yourself, in case you don't want to create it automatically monitoring_interval = "30" monitoring_role_name = "MyRDSMonitoringRole" create_monitoring_role = true tags = { Owner = "user" Environment = "dev" } # DB subnet group subnet_ids = ["subnet-12345678", "subnet-87654321"] # DB parameter group family = "mysql5.7" # DB option group major_engine_version = "5.7" # Database Deletion Protection deletion_protection = true parameters = [ { name = "character_set_client" value = "utf8mb4" }, { name = "character_set_server" value = "utf8mb4" } ] options = [ { option_name = "MARIADB_AUDIT_PLUGIN" option_settings = [ { name = "SERVER_AUDIT_EVENTS" value = "CONNECT" }, { name = "SERVER_AUDIT_FILE_ROTATIONS" value = "37" }, ] }, ] } ``` ```terraform module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" identifier = "demodb" engine = "aurora" engine_version = "11.10" instance_class = "db.t2.small" allocated_storage = 5 name = "demodb" username = "user" port = "3306" vpc_security_group_ids = ["sg-12345678"] maintenance_window = "Mon:00:00-Mon:03:00" backup_window = "03:00-06:00" # Enhanced Monitoring - see example for details on how to create the role # by yourself, in case you don't want to create it automatically monitoring_interval = "30" monitoring_role_name = "MyRDSMonitoringRole" create_monitoring_role = true tags = { Owner = "user" Environment = "dev" } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_db_instance" "positive1" { allocated_storage = 20 storage_type = "gp2" engine = "mysql" engine_version = "8.0" instance_class = "db.t2.micro" name = "mydb" username = "foo" password = "foobarbaz" iam_database_authentication_enabled = false } ``` ```terraform resource "aws_db_instance" "positive1" { allocated_storage = 20 storage_type = "gp2" engine = "mysql" engine_version = "8.0" instance_class = "db.t2.micro" name = "mydb" username = "foo" password = "foobarbaz" } ``` ```terraform module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" identifier = "demodb" engine = "mysql" engine_version = "8.0" instance_class = "db.t2.large" allocated_storage = 5 name = "demodb" username = "user" password = "YourPwdShouldBeLongAndSecure!" port = "3306" vpc_security_group_ids = ["sg-12345678"] maintenance_window = "Mon:00:00-Mon:03:00" backup_window = "03:00-06:00" # Enhanced Monitoring - see example for details on how to create the role # by yourself, in case you don't want to create it automatically monitoring_interval = "30" monitoring_role_name = "MyRDSMonitoringRole" create_monitoring_role = true tags = { Owner = "user" Environment = "dev" } # DB subnet group subnet_ids = ["subnet-12345678", "subnet-87654321"] # DB parameter group family = "mysql5.7" # DB option group major_engine_version = "5.7" # Database Deletion Protection deletion_protection = true parameters = [ { name = "character_set_client" value = "utf8mb4" }, { name = "character_set_server" value = "utf8mb4" } ] options = [ { option_name = "MARIADB_AUDIT_PLUGIN" option_settings = [ { name = "SERVER_AUDIT_EVENTS" value = "CONNECT" }, { name = "SERVER_AUDIT_FILE_ROTATIONS" value = "37" }, ] }, ] } ```