IAM DB Cluster Auth Not Enabled

  • Query id: 228497f6-414f-41c8-9113-f36a2b1b7975
  • Query name: IAM DB Cluster Auth Not Enabled
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • CWE: 311
  • Risk score: 3.0
  • URL: Github

Description

Enable IAM database authentication (`iam_database_authentication_enabled = true`) so that users and applications connect with short-lived authentication tokens issued through AWS IAM instead of long-lived database passwords. Access is then granted, revoked and audited through IAM policies (including any MFA requirement enforced on those IAM principals) rather than through shared credentials that live in configuration files. Leaving the attribute out leaves IAM authentication disabled, so a cluster created without it — or one whose policies change later — relies solely on native database passwords. The query reports `aws_rds_cluster` resources and `terraform-aws-modules/rds/aws` module calls whose engine (and, when given, engine version) supports IAM authentication; an engine value the query does not recognise, or an engine version below the supported range (for example MariaDB 10.5 in the samples below), is not flagged — which means "not evaluated", not "secure".
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
# Flagged: IAM database authentication is explicitly disabled, so the only
# way to reach this Aurora MySQL cluster is with the static master credentials.
resource "aws_rds_cluster" "positive1" {
  cluster_identifier = "example-cluster"

  engine         = "aurora-mysql"
  engine_version = "8.0.mysql_aurora.3.05.2"

  # A master password committed in source is a separate weakness; in real
  # configurations keep it out of the code (sensitive variable / secrets store).
  master_username = "username"
  master_password = "password123!"

  # Set to true to allow IAM-token-based connections instead of passwords.
  iam_database_authentication_enabled = false

  availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]

  # Test fixture only: skipping the final snapshot destroys data on teardown.
  skip_final_snapshot = true
}
Positive test num. 2 - tf file
# Flagged: iam_database_authentication_enabled is omitted entirely, which
# leaves IAM authentication disabled for this PostgreSQL cluster. No
# engine_version is given, so the query flags on the engine alone.
resource "aws_rds_cluster" "example_postgres" {
  cluster_identifier = "example-postgres-cluster"

  engine         = "postgres"

  # Hard-coded master credentials are a separate finding from this query.
  master_username = "dbadmin"
  master_password = "StrongPassword123!"

  availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]

  # Test fixture only: no final snapshot is taken on destroy.
  skip_final_snapshot = true
}
Positive test num. 3 - tf file
# Flagged: the RDS module call explicitly disables IAM database authentication
# for an Aurora MySQL engine.
module "aurora_cluster" {
  source  = "terraform-aws-modules/rds/aws"
  # "latest" is not a valid Terraform version constraint and leaves the module
  # unpinned; pin an explicit version so the module code cannot change under you.
  version = "latest"

  identifier = "demodb"

  engine         = "aurora-mysql"
  engine_version = "8.0.mysql_aurora.3.05.2"

  # Set to true so clients authenticate with IAM tokens rather than passwords.
  iam_database_authentication_enabled = false

  skip_final_snapshot = true
}

Positive test num. 4 - tf file
# Flagged: iam_database_authentication_enabled is not set at all, so the
# module leaves IAM authentication off for this Aurora MySQL engine.
module "aurora_cluster" {
  source  = "terraform-aws-modules/rds/aws"
  # Unpinned module source ("latest" is not a valid version constraint);
  # pin an explicit version in real configurations.
  version = "latest"

  identifier = "demodb"

  engine         = "aurora-mysql"
  engine_version = "8.0.mysql_aurora.3.05.2"

  skip_final_snapshot = true
}
Positive test num. 5 - tf file
# Flagged: MySQL engine with no engine_version and no
# iam_database_authentication_enabled attribute — the query flags on the
# engine alone when no version is given.
module "aurora_cluster" {
  source  = "terraform-aws-modules/rds/aws"
  # "latest" is not a valid version constraint; pin the module version.
  version = "latest"

  identifier = "demodb"

  engine         = "mysql"

  skip_final_snapshot = true
}
Positive test num. 6 - tf file
# Flagged: MySQL engine (no version given) with IAM database authentication
# explicitly disabled.
module "aurora_cluster" {
  source  = "terraform-aws-modules/rds/aws"
  # "latest" is not a valid version constraint; pin the module version.
  version = "latest"

  identifier = "demodb"

  engine         = "mysql"
  # Set to true to allow IAM-token-based connections.
  iam_database_authentication_enabled = false

  skip_final_snapshot = true
}
Positive test num. 7 - tf file
# Flagged: MariaDB 10.11 is treated by the query as supporting IAM database
# authentication (compare the 10.5 sample in the non-vulnerable list, which is
# not flagged), and the attribute is explicitly set to false here.
module "aurora_cluster" {
  source  = "terraform-aws-modules/rds/aws"
  # "latest" is not a valid version constraint; pin the module version.
  version = "latest"

  identifier = "demodb"

  engine         = "mariadb"
  engine_version = "10.11"

  # Set to true to allow IAM-token-based connections.
  iam_database_authentication_enabled = false

  skip_final_snapshot = true
}
Positive test num. 8 - tf file
# Flagged: MariaDB 10.11 is within the version range the query treats as
# IAM-capable, and iam_database_authentication_enabled is omitted (disabled).
module "aurora_cluster" {
  source  = "terraform-aws-modules/rds/aws"
  # "latest" is not a valid version constraint; pin the module version.
  version = "latest"

  identifier = "demodb"

  engine         = "mariadb"
  engine_version = "10.11"

  skip_final_snapshot = true
}
Positive test num. 9 - tf file
# Flagged: PostgreSQL 15.5 with IAM database authentication explicitly
# disabled.
module "aurora_cluster" {
  source  = "terraform-aws-modules/rds/aws"
  # "latest" is not a valid version constraint; pin the module version.
  version = "latest"

  identifier = "demodb"

  engine         = "postgres"
  engine_version = "15.5"

  # Set to true to allow IAM-token-based connections.
  iam_database_authentication_enabled = false

  skip_final_snapshot = true
}
Positive test num. 10 - tf file
# Flagged: PostgreSQL 15.5 with iam_database_authentication_enabled omitted,
# which leaves IAM authentication disabled.
module "aurora_cluster" {
  source  = "terraform-aws-modules/rds/aws"
  # "latest" is not a valid version constraint; pin the module version.
  version = "latest"

  identifier = "demodb"

  engine         = "postgres"
  engine_version = "15.5"

  skip_final_snapshot = true
}
Positive test num. 11 - tf file
# Flagged: PostgreSQL engine with no engine_version and IAM database
# authentication explicitly disabled — the engine alone is enough to flag.
module "aurora_cluster" {
  source  = "terraform-aws-modules/rds/aws"
  # "latest" is not a valid version constraint; pin the module version.
  version = "latest"

  identifier = "demodb"

  engine         = "postgres"

  # Set to true to allow IAM-token-based connections.
  iam_database_authentication_enabled = false

  skip_final_snapshot = true
}
Positive test num. 12 - tf file
# Flagged: same Aurora MySQL cluster as positive1, but with
# iam_database_authentication_enabled omitted rather than set to false —
# omission still leaves IAM authentication disabled.
resource "aws_rds_cluster" "positive2" {
  cluster_identifier = "example-cluster"

  engine         = "aurora-mysql"
  engine_version = "8.0.mysql_aurora.3.05.2"

  # Hard-coded master credentials are a separate finding from this query.
  master_username = "username"
  master_password = "password123!"

  availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]

  # Test fixture only: no final snapshot is taken on destroy.
  skip_final_snapshot = true
}
Positive test num. 13 - tf file
# Flagged: minimal PostgreSQL module call — no engine_version and no
# iam_database_authentication_enabled, so IAM authentication stays disabled.
module "aurora_cluster" {
  source  = "terraform-aws-modules/rds/aws"
  # "latest" is not a valid version constraint; pin the module version.
  version = "latest"

  identifier = "demodb"

  engine         = "postgres"
  skip_final_snapshot = true
}
Positive test num. 14 - tf file
# Flagged: MySQL cluster with no engine_version; the attribute is
# deliberately omitted, which leaves IAM authentication disabled.
resource "aws_rds_cluster" "positive3" {
  cluster_identifier = "mysql-no-version"
  engine             = "mysql"

  # Hard-coded master credentials are a separate finding from this query.
  master_username = "user"
  master_password = "pass1234!"

  # intentionally omit iam_database_authentication_enabled
  skip_final_snapshot = true
}
Positive test num. 15 - tf file
# Flagged: MySQL cluster with no engine_version and IAM database
# authentication explicitly disabled.
resource "aws_rds_cluster" "positive4" {
  cluster_identifier = "mysql-no-version"
  engine             = "mysql"

  # Hard-coded master credentials are a separate finding from this query.
  master_username = "user"
  master_password = "pass1234!"

  # Set to true to allow IAM-token-based connections instead of passwords.
  iam_database_authentication_enabled = false
  skip_final_snapshot = true
}
Positive test num. 16 - tf file
# Flagged: MariaDB 10.11 is within the version range the query treats as
# IAM-capable, and the attribute is explicitly false.
# NOTE(review): this sample exists to exercise the version check; whether an
# aws_rds_cluster with engine "mariadb" is actually deployable is not
# something this page establishes.
resource "aws_rds_cluster" "positive5" {
  cluster_identifier = "mariadb-with-version"
  engine             = "mariadb"
  engine_version     = "10.11"

  # Hard-coded master credentials are a separate finding from this query.
  master_username = "user"
  master_password = "pass1234!"

  # Set to true to allow IAM-token-based connections instead of passwords.
  iam_database_authentication_enabled = false
  skip_final_snapshot = true
}
Positive test num. 17 - tf file
# Flagged: MariaDB 10.11 with iam_database_authentication_enabled omitted,
# which leaves IAM authentication disabled.
resource "aws_rds_cluster" "positive6" {
  cluster_identifier = "mariadb-with-version"
  engine             = "mariadb"
  engine_version     = "10.11"

  # Hard-coded master credentials are a separate finding from this query.
  master_username = "user"
  master_password = "pass1234!"

  skip_final_snapshot = true
}
Positive test num. 18 - tf file
# Flagged: PostgreSQL 15.5 cluster with IAM database authentication
# explicitly disabled.
resource "aws_rds_cluster" "example_postgres" {
  cluster_identifier = "example-postgres-cluster"

  engine         = "postgres"
  engine_version = "15.5" 

  # Hard-coded master credentials are a separate finding from this query.
  master_username = "dbadmin"
  master_password = "StrongPassword123!"

  # Set to true to allow IAM-token-based connections instead of passwords.
  iam_database_authentication_enabled = false

  availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]

  # Test fixture only: no final snapshot is taken on destroy.
  skip_final_snapshot = true
}
Positive test num. 19 - tf file
# Flagged: PostgreSQL 15.5 cluster with iam_database_authentication_enabled
# omitted, which leaves IAM authentication disabled.
resource "aws_rds_cluster" "example_postgres" {
  cluster_identifier = "example-postgres-cluster"

  engine         = "postgres"
  engine_version = "15.5" 

  # Hard-coded master credentials are a separate finding from this query.
  master_username = "dbadmin"
  master_password = "StrongPassword123!"

  availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]

  # Test fixture only: no final snapshot is taken on destroy.
  skip_final_snapshot = true
}
Positive test num. 20 - tf file
# Flagged: PostgreSQL cluster with no engine_version and IAM database
# authentication explicitly disabled — the engine alone is enough to flag.
resource "aws_rds_cluster" "example_postgres" {
  cluster_identifier = "example-postgres-cluster"

  engine         = "postgres"

  # Hard-coded master credentials are a separate finding from this query.
  master_username = "dbadmin"
  master_password = "StrongPassword123!"

  # Set to true to allow IAM-token-based connections instead of passwords.
  iam_database_authentication_enabled = false

  availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]

  # Test fixture only: no final snapshot is taken on destroy.
  skip_final_snapshot = true
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
# Not flagged: IAM database authentication is enabled, so clients can connect
# with short-lived IAM tokens governed by IAM policy.
resource "aws_rds_cluster" "negative1" {
  cluster_identifier = "example-cluster"

  engine         = "aurora-mysql"
  engine_version = "8.0.mysql_aurora.3.05.2"

  # The master password is still hard-coded here; enabling IAM auth does not
  # remove the master user, so this remains a separate finding.
  master_username = "username"
  master_password = "password123!"

  iam_database_authentication_enabled = true

  availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]

  # Test fixture only: no final snapshot is taken on destroy.
  skip_final_snapshot = true
}
Negative test num. 2 - tf file
# Not flagged: the query treats MariaDB 10.5 as outside the version range that
# supports IAM database authentication, so it skips this resource even though
# the attribute is false. "Not flagged" here means "not evaluated", not
# "secure" — the cluster still relies solely on static credentials.
resource "aws_rds_cluster" "negative1" {
  cluster_identifier = "example-cluster"

  engine         = "mariadb"
  engine_version = "10.5"

  # Hard-coded master credentials are a separate finding from this query.
  master_username = "username"
  master_password = "password123!"

  iam_database_authentication_enabled = false

  availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]

  # Test fixture only: no final snapshot is taken on destroy.
  skip_final_snapshot = true
}
Negative test num. 3 - tf file
# Not flagged: PostgreSQL 15.5 cluster with IAM database authentication
# enabled.
resource "aws_rds_cluster" "example_postgres" {
  cluster_identifier = "example-postgres-cluster"

  engine         = "postgres"
  engine_version = "15.5" 

  # The master password is still hard-coded; that is a separate finding.
  master_username = "dbadmin"
  master_password = "StrongPassword123!"

  iam_database_authentication_enabled = true

  availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]

  # Test fixture only: no final snapshot is taken on destroy.
  skip_final_snapshot = true
}

Negative test num. 4 - tf file
# Not flagged: the RDS module call enables IAM database authentication for an
# Aurora MySQL engine.
module "aurora_cluster" {
  source  = "terraform-aws-modules/rds/aws"
  # "latest" is not a valid version constraint and is unrelated to this query;
  # pin an explicit module version in real configurations.
  version = "latest"

  identifier = "demodb"

  engine         = "aurora-mysql"
  engine_version = "8.0.mysql_aurora.3.05.2"

  iam_database_authentication_enabled = true

  skip_final_snapshot = true
}
Negative test num. 5 - tf file
# Not flagged: MariaDB 10.5 is below the version range the query treats as
# IAM-capable, so the false value is not evaluated. This is not a secure
# configuration in itself — the database still relies on static credentials.
module "aurora_cluster" {
  source  = "terraform-aws-modules/rds/aws"
  # "latest" is not a valid version constraint; pin the module version.
  version = "latest"

  identifier = "demodb"

  engine         = "mariadb"
  engine_version = "10.5"

  iam_database_authentication_enabled = false

  skip_final_snapshot = true
}
Negative test num. 6 - tf file
# Not flagged: PostgreSQL 15.5 module call with IAM database authentication
# enabled.
module "aurora_cluster" {
  source  = "terraform-aws-modules/rds/aws"
  # "latest" is not a valid version constraint; pin the module version.
  version = "latest"

  identifier = "demodb"

  engine         = "postgres"
  engine_version = "15.5"

  iam_database_authentication_enabled = true

  skip_final_snapshot = true
}
Negative test num. 7 - tf file
# Not flagged: the engine value is not one the query recognises, so the
# resource is skipped regardless of the false attribute. An unrecognised
# engine is a gap in coverage, not evidence that the cluster is secure.
resource "aws_rds_cluster" "negative7" {
  cluster_identifier = "example-cluster"

  engine         = "unsupported_engine"
  engine_version = "10.0"

  # Hard-coded master credentials are a separate finding from this query.
  master_username = "username"
  master_password = "password123!"

  iam_database_authentication_enabled = false

  availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]

  # Test fixture only: no final snapshot is taken on destroy.
  skip_final_snapshot = true
}
Negative test num. 8 - tf file
# Not flagged: the engine value is not one the query recognises, so the module
# call is skipped even though IAM database authentication is set to false.
# "Not flagged" here means "not evaluated", not "secure".
module "aurora_cluster" {
  source  = "terraform-aws-modules/rds/aws"
  # "latest" is not a valid version constraint; pin the module version.
  version = "latest"

  identifier = "demodb"

  engine         = "unsupported_engine"
  engine_version = "10.0"

  iam_database_authentication_enabled = false

  skip_final_snapshot = true
}