Enabling IAM Database Authentication for your Amazon RDS MySQL and PostgreSQL instances lets you control database access centrally with AWS Identity and Access Management (IAM) instead of managing a separate set of credentials on every instance. Connections that authenticate through IAM must use SSL/TLS: the token is sent as the password, and RDS rejects IAM-authenticated connections that are not encrypted in transit. For applications running on Amazon EC2, the instance profile role can be used to obtain a token, so no database password has to be stored on the host or in application configuration.

With the feature enabled, a client connects with an authentication token instead of a password. The token is not issued by the database; it is a request for the rds-db:connect action signed with the caller's IAM credentials (AWS Signature Version 4), produced locally by the AWS CLI (aws rds generate-db-auth-token) or an SDK, and it is valid for 15 minutes from the time it was signed. A connection established with a valid token is not dropped when the token expires, but every new connection needs a fresh token, so applications must generate one per connection rather than caching it. AWS documents a limit of about 200 new IAM-authenticated connections per second per instance, so connection pooling matters for busy workloads.

It is important to note that enabling IAM Database Authentication does not disable password authentication. Standard database users with passwords keep working, so the control only takes effect for users you create with the IAM authentication plugin, and existing password users should be reviewed and removed where IAM authentication is intended to replace them.
To ensure that IAM Database Authentication is enabled for your RDS instances, you can follow these remediation steps. For an existing instance the feature is turned on by modifying the instance (in the AWS CLI, aws rds modify-db-instance with the --enable-iam-database-authentication flag); the current setting is reported as IAMDatabaseAuthenticationEnabled in the output of aws rds describe-db-instances.
You can also enable IAM Database Authentication when you create a new RDS instance by selecting "Yes" for "IAM Database Authentication" under the "Additional Configuration" section.
After enabling IAM Database Authentication, update your database access controls so that applications use IAM roles instead of stored user credentials. This needs changes on three sides. On the database side, create the users that will authenticate through IAM: for MySQL, CREATE USER app_user IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; for PostgreSQL, CREATE USER app_user; followed by GRANT rds_iam TO app_user;. On the IAM side, create a policy that allows the rds-db:connect action on the resource arn:aws:rds-db:<region>:<account-id>:dbuser:<DbiResourceId>/<db-user>, where DbiResourceId is the instance's resource identifier (the db-... value shown on the instance, not the instance name), and attach it to the IAM role used by the EC2 instance profile or application service that connects to the database. On the client side, generate a token with aws rds generate-db-auth-token or the SDK equivalent, pass it as the password, and connect over SSL/TLS with the RDS certificate bundle; the MySQL command-line client additionally needs --enable-cleartext-plugin because the token is presented through the cleartext authentication plugin (over the encrypted connection). Grant only the rds-db:connect permission for the specific database users each role needs, rather than a wildcard over all users.
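The following is an added example, not code from the original page or from AWS. It shows what the three pieces described above look like in practice: the least-privilege rds-db:connect policy document, the structure of the 15-minute authentication token (a Signature Version 4 presigned request for Action=connect, signed for the rds-db service with X-Amz-Expires=900, which is what the AWS CLI and SDKs produce), and a check that a cached token has not already expired before it is used. The host name, resource ID, account ID, user name, access key and secret key are constructed placeholder values; in production use the SDK's own generate_db_auth_token or the CLI rather than this re-implementation, which is here to make the token's lifetime and contents visible.

```python
import datetime as dt
import hashlib
import hmac
import json
import urllib.parse

# RDS authentication tokens are valid for 15 minutes from X-Amz-Date.
TOKEN_LIFETIME_SECONDS = 900
SERVICE = "rds-db"

# Constructed placeholder values for the demonstration (not real resources).
FIXED_NOW = dt.datetime(2024, 5, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
EXAMPLE = {
    "host": "prod-db.example.internal",   # assumed RDS endpoint
    "port": 3306,
    "db_user": "app_user",                 # user created with AWSAuthenticationPlugin
    "region": "us-east-1",
    "account_id": "123456789012",
    "dbi_resource_id": "db-ABCDEFGHIJKLMNOPQRSTUVWXY",  # assumed DbiResourceId
    "access_key": "AKIAIOSFODNN7EXAMPLE",                # AWS documentation sample key
    "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}


def connect_policy(region, account_id, dbi_resource_id, db_user):
    """Least-privilege policy: one role may connect as one database user."""
    arn = f"arn:aws:rds-db:{region}:{account_id}:dbuser:{dbi_resource_id}/{db_user}"
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "rds-db:connect", "Resource": arn}],
    }


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key, date_stamp, region):
    # Standard SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def _uri_encode(value):
    # SigV4 encodes everything except the unreserved characters; '/' must become %2F.
    return urllib.parse.quote(value, safe="-_.~")


def generate_db_auth_token(host, port, db_user, region, access_key, secret_key,
                           session_token=None, now=None):
    """Build the token: a presigned GET for Action=connect, signed for the rds-db service."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_LIFETIME_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials (instance profile / assumed role)
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: keys sorted, each key and value URI-encoded.
    canonical_qs = "&".join(f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in sorted(params.items()))
    endpoint = f"{host}:{port}"
    canonical_request = "\n".join([
        "GET", "/", canonical_qs, f"host:{endpoint}", "", "host",
        hashlib.sha256(b"").hexdigest(),  # hash of the empty request body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    # The token is the presigned URL without the scheme; it is passed as the password.
    return f"{endpoint}/?{canonical_qs}&X-Amz-Signature={signature}"


def token_expiry(token):
    """Parse X-Amz-Date and X-Amz-Expires out of a token to find when it stops working."""
    params = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit("https://" + token).query))
    issued = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return issued + dt.timedelta(seconds=int(params["X-Amz-Expires"]))


def token_is_valid(token, now=None):
    """True while a new connection can still be opened with this token."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return now < token_expiry(token)


def demo():
    """Run the whole flow against the constructed values at a fixed clock."""
    e = EXAMPLE
    token = generate_db_auth_token(e["host"], e["port"], e["db_user"], e["region"],
                                   e["access_key"], e["secret_key"], now=FIXED_NOW)
    return {
        "policy": connect_policy(e["region"], e["account_id"], e["dbi_resource_id"], e["db_user"]),
        "token": token,
        "valid_at_14_min": token_is_valid(token, FIXED_NOW + dt.timedelta(minutes=14)),
        "valid_at_16_min": token_is_valid(token, FIXED_NOW + dt.timedelta(minutes=16)),
    }


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["policy"], indent=2))
    print(result["token"])
    print("valid after 14 min:", result["valid_at_14_min"], "| after 16 min:", result["valid_at_16_min"])
```

The token_is_valid check is the practical point: a token generated at application start is useless after 15 minutes, so generate it immediately before each connect (or inside the pool's connection factory), and always pair it with an SSL/TLS-required connection, since RDS refuses IAM tokens over plaintext.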