Json Yaml Missing Iam Authentication
Description
Identifies Amazon RDS database instances in CloudFormation templates (JSON or YAML) that do not have IAM database authentication enabled. Without it, an RDS instance accepts only database-native password authentication, so long-lived credentials must be distributed to every client and rotated by hand. With IAM database authentication, clients connect with a short-lived token generated from their IAM identity (valid for 15 minutes, sent over TLS), and access is granted or revoked through IAM policies like any other AWS permission. Note that the property is only the first step: IAM authentication is supported for the MySQL, MariaDB and PostgreSQL engines, the database user must still be created with the IAM authentication plugin (or granted the rds_iam role on PostgreSQL), and the caller needs the rds-db:connect permission for that user.
Detection Strategy
• Check if the resource type is AWS::RDS::DBInstance in the CloudFormation template
• Verify that the EnableIAMDatabaseAuthentication property is present and set to true (when omitted, it defaults to false)
• Report a security finding if IAM authentication is not enabled on the RDS instance
• Skip resources that are not RDS database instances
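The following is an added example of the detection strategy above, written here for illustration and not taken from Fluid Attacks' own scanner. It parses a JSON template with the standard library (a YAML template can be loaded with PyYAML if it is installed, subject to the usual caveat that short-form intrinsic functions such as !Ref need a custom loader), walks the Resources section and reports every AWS::RDS::DBInstance whose EnableIAMDatabaseAuthentication is missing, false, or an intrinsic function that cannot be resolved statically. It goes slightly beyond the page's strategy in one respect, documented as an assumption in the code: instances whose Engine does not support IAM authentication (Oracle, SQL Server) are skipped, because flagging them would be a false positive. The sample template and the resource names in it are constructed for the example.

```python
"""Static check: flag AWS::RDS::DBInstance resources without IAM database authentication."""
import json
from typing import Any, Dict, List

# Assumption documented for this example: RDS supports IAM database authentication
# for these engines only; Oracle and SQL Server instances cannot enable it, so a
# finding on them would be a false positive and they are skipped below.
IAM_AUTH_ENGINES = {"mysql", "mariadb", "postgres"}


def load_template(text: str) -> Dict[str, Any]:
    """Parse a CloudFormation template: JSON via the stdlib, YAML via PyYAML if present."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        try:
            import yaml  # optional dependency; only needed for YAML templates
        except ImportError as exc:
            raise ValueError("template is not JSON and PyYAML is not installed") from exc
        return yaml.safe_load(text)


def _iam_auth_state(value: Any) -> str:
    """Classify the EnableIAMDatabaseAuthentication value as enabled, disabled or unresolved."""
    if value is True or (isinstance(value, str) and value.lower() == "true"):
        return "enabled"
    if value is None or value is False or (isinstance(value, str) and value.lower() == "false"):
        return "disabled"
    # Intrinsic functions such as {"Ref": "SomeParameter"} cannot be evaluated statically,
    # so they are reported for manual review rather than silently accepted.
    return "unresolved"


def find_rds_without_iam_auth(template: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per RDS instance that does not clearly enable IAM authentication."""
    findings: List[Dict[str, str]] = []
    for name, resource in template.get("Resources", {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != "AWS::RDS::DBInstance":
            continue  # skip anything that is not an RDS database instance
        props = resource.get("Properties") or {}
        engine = str(props.get("Engine", "")).lower()
        if engine and engine not in IAM_AUTH_ENGINES:
            continue  # engine does not support IAM auth; CloudFormation would reject the property
        prop = "EnableIAMDatabaseAuthentication"
        state = _iam_auth_state(props.get(prop))
        if state == "enabled":
            continue
        reason = (f"{prop} is missing (defaults to false)" if prop not in props
                  else f"{prop} is {state}")
        findings.append({"resource": name, "engine": engine or "unspecified", "reason": reason})
    return findings


# Constructed sample template covering the cases the check distinguishes.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "MyInsecureDB": {"Type": "AWS::RDS::DBInstance",
                         "Properties": {"Engine": "mysql",
                                        "EnableIAMDatabaseAuthentication": False}},
        "AnotherInsecureDB": {"Type": "AWS::RDS::DBInstance",
                              "Properties": {"Engine": "postgres"}},
        "MySecureDB": {"Type": "AWS::RDS::DBInstance",
                       "Properties": {"Engine": "mysql",
                                      "EnableIAMDatabaseAuthentication": True}},
        "SqlServerDB": {"Type": "AWS::RDS::DBInstance",
                        "Properties": {"Engine": "sqlserver-ex"}},
        "ParamDB": {"Type": "AWS::RDS::DBInstance",
                    "Properties": {"Engine": "mariadb",
                                   "EnableIAMDatabaseAuthentication": {"Ref": "EnableIam"}}},
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
})


if __name__ == "__main__":
    for finding in find_rds_without_iam_auth(load_template(SAMPLE_TEMPLATE)):
        print(f"{finding['resource']} ({finding['engine']}): {finding['reason']}")
```

Run against the sample template, the check reports MyInsecureDB (explicitly disabled), AnotherInsecureDB (property omitted) and ParamDB (value is a Ref that needs manual review); MySecureDB, the SQL Server instance and the S3 bucket produce no findings.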
Vulnerable code example
Resources:
  MyInsecureDB:
    Type: "AWS::RDS::DBInstance"
    Properties:
      EnableIAMDatabaseAuthentication: false # Vulnerable: IAM auth disabled explicitly
      Engine: "mysql"
  AnotherInsecureDB:
    Type: "AWS::RDS::DBInstance"...
✅ Secure code example
Resources:
  MySecureDB:
    Type: "AWS::RDS::DBInstance"
    Properties:
      EnableIAMDatabaseAuthentication: true # Enable IAM auth for better security control
      Engine: "mysql"
  AnotherSecureDB:
    Type: "AWS::RDS::DBInstance"...