Vendor services misconfigurations

RDS database instance has IAM database authentication disabled

Risk Level

Informational (4)

Platform(s)

Description

IAM database authentication is disabled for the RDS instance {AwsRdsDbInstance}. With the feature enabled, AWS RDS generates a short-lived authentication token (it expires after 15 minutes) for each authentication request, so users do not have to store or manage database passwords. The feature also supports traffic encryption and centralized credential management. To uphold a high level of data security, enabling this feature is recommended.
  • Recommended Mitigation

    Enable the IAM database authentication feature on every RDS instance and use it to its fullest: prefer token-based authentication over passwords, encrypt traffic in transit, and use AWS IAM to centrally control who may connect to your RDS instances.
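The check behind this rule, and the remediation it recommends, can be scripted against the output of `aws rds describe-db-instances` (or boto3's `describe_db_instances`). The following is an added example and not part of the original rule text or any vendor's tooling: it reads a constructed sample of that JSON, flags every instance whose `IAMDatabaseAuthenticationEnabled` flag is missing or false, builds the `aws rds modify-db-instance` command that turns the feature on, and renders the `rds-db:connect` IAM policy statement a principal needs before it can request a token. The instance identifiers, resource ids, account id and `app_user` database user are all made-up sample values.

```python
"""Flag RDS instances with IAM database authentication disabled.

Added example, not part of the original rule text. It works on the JSON
shape returned by `aws rds describe-db-instances`, so it can be run
offline against a saved export; the sample below is constructed.
"""
import json

# Constructed sample in the shape of `aws rds describe-db-instances` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {
            "DBInstanceIdentifier": "orders-db",
            "Engine": "postgres",
            "DbiResourceId": "db-EXAMPLE1",
            "IAMDatabaseAuthenticationEnabled": False,
        },
        {
            "DBInstanceIdentifier": "reporting-db",
            "Engine": "mysql",
            "DbiResourceId": "db-EXAMPLE2",
            "IAMDatabaseAuthenticationEnabled": True,
        },
        {
            # Some exports omit the field entirely; treat that as disabled.
            "DBInstanceIdentifier": "legacy-db",
            "Engine": "mariadb",
            "DbiResourceId": "db-EXAMPLE3",
        },
    ]
})


def find_iam_auth_disabled(describe_output):
    """Return identifiers of instances whose IAM DB auth is not enabled."""
    data = (json.loads(describe_output)
            if isinstance(describe_output, str) else describe_output)
    return [
        inst["DBInstanceIdentifier"]
        for inst in data.get("DBInstances", [])
        if not inst.get("IAMDatabaseAuthenticationEnabled", False)
    ]


def remediation_command(identifier, apply_immediately=False):
    """Build the AWS CLI call that enables the feature on one instance.

    Without --apply-immediately the change waits for the next maintenance
    window, which is the safer default for production workloads.
    """
    cmd = ["aws", "rds", "modify-db-instance",
           "--db-instance-identifier", identifier,
           "--enable-iam-database-authentication"]
    if apply_immediately:
        cmd.append("--apply-immediately")
    return " ".join(cmd)


def connect_policy(region, account_id, dbi_resource_id, db_user):
    """IAM policy that lets a principal obtain a token for one DB user.

    Turning the feature on is only half the setup: the database user must
    also be created for IAM auth (GRANT rds_iam on PostgreSQL, or
    IDENTIFIED WITH AWSAuthenticationPlugin on MySQL/MariaDB), and the
    caller needs rds-db:connect on the matching dbuser ARN.
    """
    resource = (f"arn:aws:rds-db:{region}:{account_id}:dbuser:"
                f"{dbi_resource_id}/{db_user}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": resource,
        }],
    }


if __name__ == "__main__":
    for ident in find_iam_auth_disabled(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{ident}: IAM database authentication disabled")
        print("  fix:", remediation_command(ident))
    print(json.dumps(
        connect_policy("us-east-1", "123456789012", "db-EXAMPLE1", "app_user"),
        indent=2))
```

Running the script against a real export (`aws rds describe-db-instances > rds.json`) lists the non-compliant instances and the exact `modify-db-instance` call for each. Note that enabling the feature does not remove existing password logins by itself; password auth stays available until the password-based users are removed or converted, so the "prefer token-based authentication" part of the mitigation is a separate step. Tokens are obtained with `aws rds generate-db-auth-token` and only work over an SSL/TLS connection, which is where the in-transit encryption in the mitigation comes from.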