IAM Database Auth Not Enabled

  • Query id: 0ed012a4-9199-43d2-b9e4-9bd049a48aa4
  • Query name: IAM Database Auth Not Enabled
  • Platform: Ansible
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

IAM Database Auth Enabled should be configured to true when using compatible engine and version
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: create minimal aurora instance in default VPC and default subnet group
  community.aws.rds_instance:
    engine: mysql
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster
    enable_iam_database_authentication: "No"


- name: Create a DB instance using the default AWS KMS encryption key
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: True
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"
    enable_iam_database_authentication: false

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: create minimal aurora instance in default VPC and default subnet group
  community.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster
    enable_iam_database_authentication: true


- name: Create a DB instance using the default AWS KMS encryption key
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: true
    db_instance_class: db.t2.medium
    username: '{{ username }}'
    password: '{{ password }}'
    allocated_storage: '{{ allocated_storage }}'
    enable_iam_database_authentication: true

- name: remove the DB instance without a final snapshot
  community.aws.rds_instance:
    id: '{{ instance_id }}'
    state: absent
    skip_final_snapshot: true
    enable_iam_database_authentication: true

- name: remove the DB instance with a final snapshot
  community.aws.rds_instance:
    id: '{{ instance_id }}'
    state: absent
    final_snapshot_identifier: '{{ snapshot_id }}'
    enable_iam_database_authentication: true

- name: create minimal aurora instance in default VPC and default subnet group
  community.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster
    enable_iam_database_authentication: "No"

- name: create minimal aurora instance in default VPC and default subnet group
  community.aws.rds_instance:
    engine: mariadb
    engine_version: 10.2.43
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster