Compliance Medium severity

AWS Security Hub · RDS

RDS.10: RDS relies on long-lived database passwords

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub RDS.10 check?

RDS.10 checks whether IAM database authentication is configured on an RDS DB instance (the AWS::RDS::DBInstance resource, not Aurora clusters). It reports FAILED when IAMDatabaseAuthenticationEnabled is false.

Why does RDS.10 matter?

Without IAM auth the database relies on a static password that stays valid for months and gets copied into config files, CI logs, config maps, and developer laptops. Every copy is a live credential until someone rotates it. IAM authentication replaces that with a SigV4-signed token valid for just 15 minutes and tied to an IAM role — remove the role and access is gone instantly, collapsing the blast radius of a leaked credential from weeks to minutes.

How do I fix RDS.10?

  1. Enable IAM auth in place with modify-db-instance --enable-iam-database-authentication — it is non-disruptive and existing password connections keep working.
  2. Create per-application DB users and grant the engine auth role: GRANT rds_iam (PostgreSQL) or IDENTIFIED WITH AWSAuthenticationPlugin (MySQL).
  3. Attach an IAM policy granting rds-db:connect on the dbuser ARN (which uses the instance's DbiResourceId) to each workload's role, then switch clients to fetch tokens.
  4. Once token-based traffic is steady, retire the static passwords to break-glass only.
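The wiring for steps 2 and 3 and the client-side token fetch, as an added example that is not part of this page (all identifiers, account numbers and resource ids are placeholders; the `aws` and `psql` calls assume CLI credentials and network reach to the instance):

```shell
#!/usr/bin/env bash
# Added example: attach one workload to IAM database authentication on a
# PostgreSQL or MySQL RDS instance. Placeholder identifiers throughout.
set -euo pipefail

# Step 3: the rds-db:connect resource ARN is keyed on the instance's
# DbiResourceId (db-XXXX), not on the DBInstanceIdentifier.
connect_arn() {  # region account dbi_resource_id db_user
  printf 'arn:aws:rds-db:%s:%s:dbuser:%s/%s' "$1" "$2" "$3" "$4"
}

# Least-privilege policy for one workload role: one instance, one DB user.
connect_policy() {  # region account dbi_resource_id db_user
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"rds-db:connect","Resource":"%s"}]}' \
    "$(connect_arn "$1" "$2" "$3" "$4")"
}

# Resolve the DbiResourceId the policy needs (requires AWS CLI credentials).
dbi_resource_id() {  # db_instance_identifier
  aws rds describe-db-instances --db-instance-identifier "$1" \
    --query 'DBInstances[0].DbiResourceId' --output text
}

# Step 2: the per-application user holds no password at all; the engine
# auth role/plugin is what lets the 15-minute token act as the password.
create_iam_user_sql() {  # engine (postgres|mysql) db_user
  case "$1" in
    postgres) printf 'CREATE ROLE %s WITH LOGIN;\nGRANT rds_iam TO %s;\n' "$2" "$2" ;;
    mysql)    printf "CREATE USER '%s' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';\n" "$2" ;;
    *)        echo "unsupported engine: $1" >&2; return 1 ;;
  esac
}

# Client side: fetch a SigV4 token (valid 15 minutes) and present it as the
# password. Token auth is only accepted over TLS, hence sslmode=require.
connect_with_token() {  # host port db_user db_name region
  local token
  token=$(aws rds generate-db-auth-token --hostname "$1" --port "$2" \
            --username "$3" --region "$5")
  PGPASSWORD="$token" psql "host=$1 port=$2 user=$3 dbname=$4 sslmode=require"
}
```

Generate a fresh token for every new connection; a pool that caches the token string will start failing once the 15 minutes elapse, even though connections already established stay open.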

Remediation script · bash

#!/usr/bin/env bash
set -euo pipefail

# Enable IAM authentication on every instance still relying on passwords alone
# (free, no reboot; order the loop by impact if you want the crown jewels first).
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?IAMDatabaseAuthenticationEnabled==`false`].DBInstanceIdentifier' \
    --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --enable-iam-database-authentication --apply-immediately
  echo "$db: IAM database authentication enabled"
done

# Find every instance still using a default admin username (immutable; needs migration).
aws rds describe-db-instances \
  --query "DBInstances[?contains(['admin','postgres','root','sa','master','mysql','dbadmin'], MasterUsername)].[DBInstanceIdentifier,MasterUsername]" \
  --output table

# The master username cannot be changed on an existing instance, and a snapshot restore
# keeps the snapshot's master username, so recreate the instance with a non-default name
# set explicitly at creation and migrate the data into it. Identifiers, engine and sizing
# below are placeholders; the master password is generated and held in Secrets Manager.
aws rds create-db-instance \
  --db-instance-identifier prod-orders-db-v2 \
  --engine postgres \
  --db-instance-class db.m6g.large \
  --allocated-storage 100 \
  --master-username ordersadmin \
  --manage-master-user-password \
  --enable-iam-database-authentication

Full walkthrough (console steps, edge cases and verification) in the lesson Harden database auth, ports and access.

Is RDS.10 a false positive?

Flipping the flag clears RDS.10 but achieves nothing on its own — applications still reading a static password from Secrets Manager have gained no protection until they are migrated to token-based connections.

Part of the learning path Tighten your databases
  • RDS.1 An RDS snapshot is shared publicly
  • RDS.2 An RDS instance is publicly accessible from the internet
  • RDS.3 RDS DB instances should be encrypted at rest
  • RDS.4 RDS snapshots should be encrypted at rest
  • RDS.5 RDS DB instances should use multiple AZs
  • RDS.6 RDS lacks enhanced monitoring
  • RDS.7 RDS clusters should have deletion protection
  • RDS.8 RDS DB instances should have deletion protection
  • RDS.9 RDS engine logs are not shipped to CloudWatch
  • RDS.11 RDS instances should have automatic backups
  • RDS.12 IAM auth should be configured for RDS clusters
  • RDS.13 RDS is not receiving automatic minor security patches