IAM Database Auth Not Enabled
- Query id: 0ed012a4-9199-43d2-b9e4-9bd049a48aa4
- Query name: IAM Database Auth Not Enabled
- Platform: Ansible
- Severity: High
- Category: Encryption
- URL: Github
Description¶
IAM Database Auth Enabled should be configured to true when using compatible engine and version
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
- name: create minimal aurora instance in default VPC and default subnet group
community.aws.rds_instance:
engine: mysql
db_instance_identifier: ansible-test-aurora-db-instance
instance_type: db.t2.small
password: "{{ password }}"
username: "{{ username }}"
cluster_id: ansible-test-cluster
enable_iam_database_authentication: "No"
- name: Create a DB instance using the default AWS KMS encryption key
community.aws.rds_instance:
id: test-encrypted-db
state: present
engine: mariadb
storage_encrypted: True
db_instance_class: db.t2.medium
username: "{{ username }}"
password: "{{ password }}"
allocated_storage: "{{ allocated_storage }}"
enable_iam_database_authentication: false
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: create minimal aurora instance in default VPC and default subnet group
community.aws.rds_instance:
engine: aurora
db_instance_identifier: ansible-test-aurora-db-instance
instance_type: db.t2.small
password: '{{ password }}'
username: '{{ username }}'
cluster_id: ansible-test-cluster
enable_iam_database_authentication: true
- name: Create a DB instance using the default AWS KMS encryption key
community.aws.rds_instance:
id: test-encrypted-db
state: present
engine: mariadb
storage_encrypted: true
db_instance_class: db.t2.medium
username: '{{ username }}'
password: '{{ password }}'
allocated_storage: '{{ allocated_storage }}'
enable_iam_database_authentication: true
- name: remove the DB instance without a final snapshot
community.aws.rds_instance:
id: '{{ instance_id }}'
state: absent
skip_final_snapshot: true
enable_iam_database_authentication: true
- name: remove the DB instance with a final snapshot
community.aws.rds_instance:
id: '{{ instance_id }}'
state: absent
final_snapshot_identifier: '{{ snapshot_id }}'
enable_iam_database_authentication: true
- name: create minimal aurora instance in default VPC and default subnet group
community.aws.rds_instance:
engine: aurora
db_instance_identifier: ansible-test-aurora-db-instance
instance_type: db.t2.small
password: "{{ password }}"
username: "{{ username }}"
cluster_id: ansible-test-cluster
enable_iam_database_authentication: "No"
- name: create minimal aurora instance in default VPC and default subnet group
community.aws.rds_instance:
engine: mariadb
engine_version: 10.2.43
db_instance_identifier: ansible-test-aurora-db-instance
instance_type: db.t2.small
password: "{{ password }}"
username: "{{ username }}"
cluster_id: ansible-test-cluster