Terraform Missing IAM Authentication
Description
Detects AWS RDS database instances configured without IAM authentication in Terraform code. When IAM authentication is not enabled, the database relies solely on password authentication, which could pose security risks by not leveraging AWS's identity-based access controls.
Detection Strategy
• Check for Terraform resource blocks that define AWS RDS instances (aws_db_instance)
• Verify if the IAM database authentication setting is present and enabled
• Report a vulnerability if an RDS instance is configured without IAM authentication enabled
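A minimal scanner that implements the three steps above, added here as an example and not Fluid Attacks' own detection code; the sample HCL and resource names are constructed. It flags an instance when the attribute is false, absent (the AWS provider defaults it to false), or any non-literal expression that cannot be confirmed as true.

```python
import re

# Constructed sample Terraform, modelled on the page's examples (not project code).
SAMPLE_TF = '''
resource "aws_db_instance" "vulnerable_db" {
  engine   = "mysql"
  username = "admin"
  iam_database_authentication_enabled = false # IAM auth disabled
}

resource "aws_db_instance" "default_db" {
  engine = "postgres"  # attribute omitted: the provider default is false
}

resource "aws_db_instance" "secure_db" {
  engine = "mysql"
  iam_database_authentication_enabled = true
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"  # not an RDS instance, must be ignored
}
'''

RESOURCE_RE = re.compile(r'resource\s+"aws_db_instance"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*iam_database_authentication_enabled\s*=\s*([^\s#]+)', re.M)

def _block_body(text, open_pos):
    """Return the text between the brace at open_pos and its matching close."""
    depth = 0
    for i in range(open_pos, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_pos + 1:i]
    raise ValueError("unbalanced braces in Terraform source")

def find_missing_iam_auth(tf_source):
    """Return (name, observed value) for each aws_db_instance whose
    iam_database_authentication_enabled is not literally true ("absent" if omitted)."""
    findings = []
    for m in RESOURCE_RE.finditer(tf_source):
        body = _block_body(tf_source, m.end() - 1)  # m.end()-1 is the "{"
        attr = ATTR_RE.search(body)
        value = attr.group(1) if attr else "absent"
        if value != "true":
            findings.append((m.group(1), value))
    return findings
```

Running find_missing_iam_auth(SAMPLE_TF) reports vulnerable_db (false) and default_db (absent) and leaves secure_db and the S3 bucket alone.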
Vulnerable code example
resource "aws_db_instance" "vulnerable_db" {
  allocated_storage = 20
  engine            = "mysql"
  instance_class    = "db.t2.micro"
  username          = "admin"
  password          = "password123" # Sensitive: Hardcoded database credentials
  iam_database_authentication_enabled = false # Vulnerable: IAM auth disabled, relies only on password
}
Secure code example
resource "aws_db_instance" "secure_db" {
  allocated_storage = 20
  engine            = "mysql"
  engine_version    = "5.7"
  instance_class    = "db.t2.micro"
  username          = var.db_username # Store credentials in variables, not hardcoded
  password          = var.db_password # Use secret manager or variables for passwords
  iam_database_authentication_enabled = true # Secure: IAM database authentication enabled
  # ...
}