IAM Database Auth Not Enabled
- Query id: 9fcd0a0a-9b6f-4670-a215-d94e6bf3f184
- Query name: IAM Database Auth Not Enabled
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- URL: Github
Description
EnableIAMDatabaseAuthentication should be set to true when the DB instance uses an engine and version that support IAM database authentication
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
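# Positive sample 1: listed on this page as vulnerable, so the query is
# expected to flag it. The format version is quoted so a YAML 1.1 loader
# reads a string rather than a timestamp (the JSON samples quote it too).
AWSTemplateFormatVersion: "2010-09-09"
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: db.r3.xlarge
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      DeletionProtection: false
      # MyKey is not declared anywhere in this sample; the fixture only
      # exercises the IAM-authentication check.
      KmsKeyId: !Ref MyKey
      # IAM database authentication is explicitly disabled on an aurora
      # engine; this is the property the query reports.
      EnableIAMDatabaseAuthentication: false
      Engine: aurora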
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "RDS Storage Encrypted",
"Parameters": {
"SourceDBInstanceIdentifier": {
"Type": "String"
},
"DBInstanceType": {
"Type": "String"
},
"SourceRegion": {
"Type": "String"
}
},
"Resources": {
"MyDBSmall": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBInstanceClass": {
"Ref": "DBInstanceType"
},
"SourceDBInstanceIdentifier": {
"Ref": "SourceDBInstanceIdentifier"
},
"SourceRegion": {
"Ref": "SourceRegion"
},
"KmsKeyId": {
"Ref": "MyKey"
},
"EnableIAMDatabaseAuthentication": false,
"Engine": "mysql"
}
}
}
}
Positive test num. 3 - yaml file
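# Positive sample 3: listed on this page as vulnerable, so the query is
# expected to flag it. The format version is quoted so a YAML 1.1 loader
# reads a string rather than a timestamp (the JSON samples quote it too).
AWSTemplateFormatVersion: "2010-09-09"
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: db.r3.xlarge
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      DeletionProtection: false
      # MyKey is not declared anywhere in this sample; the fixture only
      # exercises the IAM-authentication check.
      KmsKeyId: !Ref MyKey
      # EnableIAMDatabaseAuthentication is omitted entirely on a mysql
      # engine; the page lists this as vulnerable, i.e. the missing
      # property is treated like an explicit false.
      Engine: mysql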
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "RDS Storage Encrypted",
"Parameters": {
"SourceDBInstanceIdentifier": {
"Type": "String"
},
"DBInstanceType": {
"Type": "String"
},
"SourceRegion": {
"Type": "String"
}
},
"Resources": {
"MyDBSmall": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBInstanceClass": {
"Ref": "DBInstanceType"
},
"SourceDBInstanceIdentifier": {
"Ref": "SourceDBInstanceIdentifier"
},
"SourceRegion": {
"Ref": "SourceRegion"
},
"KmsKeyId": {
"Ref": "MyKey"
},
"Engine": "mysql"
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
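# Negative sample 1: listed on this page as not vulnerable, so the query
# must not flag it. The format version is quoted so a YAML 1.1 loader
# reads a string rather than a timestamp (the JSON samples quote it too).
AWSTemplateFormatVersion: "2010-09-09"
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: !Ref DBInstanceType
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      DeletionProtection: false
      # MyKey is not declared anywhere in this sample; the fixture only
      # exercises the IAM-authentication check.
      KmsKeyId: !Ref MyKey
      # IAM database authentication is enabled; no Engine is given, so the
      # check passes on this property alone.
      EnableIAMDatabaseAuthentication: true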
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "RDS Storage Encrypted",
"Parameters": {
"SourceDBInstanceIdentifier": {
"Type": "String"
},
"DBInstanceType": {
"Type": "String"
},
"SourceRegion": {
"Type": "String"
}
},
"Resources": {
"MyDBSmall": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBInstanceClass": {
"Ref": "DBInstanceType"
},
"SourceDBInstanceIdentifier": {
"Ref": "SourceDBInstanceIdentifier"
},
"SourceRegion": {
"Ref": "SourceRegion"
},
"KmsKeyId": {
"Ref": "MyKey"
},
"EnableIAMDatabaseAuthentication" : true
}
}
}
}
Negative test num. 3 - yaml file
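# Negative sample 3: listed on this page as not vulnerable even though
# EnableIAMDatabaseAuthentication is false. The only difference from
# positive sample 1 (same aurora engine) is the DBInstanceClass
# (db.t2.small here, db.r3.xlarge there), which suggests the query keys on
# the instance class when deciding compatibility — confirm against the
# query definition. The format version is quoted so a YAML 1.1 loader
# reads a string rather than a timestamp (the JSON samples quote it too).
AWSTemplateFormatVersion: "2010-09-09"
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: db.t2.small
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      DeletionProtection: false
      # MyKey is not declared anywhere in this sample; the fixture only
      # exercises the IAM-authentication check.
      KmsKeyId: !Ref MyKey
      EnableIAMDatabaseAuthentication: false
      Engine: aurora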
Negative test num. 4 - yaml file
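# Negative sample 4: listed on this page as not vulnerable even though
# EnableIAMDatabaseAuthentication is false; presumably the query treats
# this engine/version pair as not IAM-auth compatible — confirm against
# the query definition. The format version and EngineVersion are quoted
# so YAML loaders keep them as strings (a YAML 1.1 loader would otherwise
# read the format version as a timestamp; the JSON samples quote it too).
AWSTemplateFormatVersion: "2010-09-09"
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: db.t2.small
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      DeletionProtection: false
      # MyKey is not declared anywhere in this sample; the fixture only
      # exercises the IAM-authentication check.
      KmsKeyId: !Ref MyKey
      EnableIAMDatabaseAuthentication: false
      Engine: mariadb
      EngineVersion: "10.2.43"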