RDS.12: IAM auth should be configured for RDS clusters
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub RDS.12 check?
RDS.12 checks whether IAM database authentication is enabled on an RDS DB cluster (AWS::RDS::DBCluster — Aurora MySQL, Aurora PostgreSQL, and Multi-AZ DB clusters). It is change-triggered and reports FAILED for any cluster without the feature turned on. It is the cluster counterpart to RDS.10's instance check.
Why does RDS.12 matter?
A cluster relying solely on database passwords carries long-lived static secrets that must be created, rotated, distributed, and revoked by hand — and that leak into config files, environment variables, and CI logs, rarely getting rotated on schedule. IAM authentication replaces the standing password with a token that AWS issues fresh, expires in 15 minutes, and is governed by the same IAM policies as the rest of your AWS access. It maps to several NIST 800-53 access-management requirements.
How do I fix RDS.12?
- Enable it on the cluster with modify-db-cluster --enable-iam-database-authentication (non-disruptive; password connections keep working).
- Create the DB users that IAM will map to: on PostgreSQL grant the rds_iam role; on MySQL create the user with the AWSAuthenticationPlugin (IDENTIFIED WITH AWSAuthenticationPlugin).
- Grant rds-db:connect on the cluster's dbuser ARN to each workload's IAM role and switch clients to token-based connections.
- Retire static passwords to break-glass only once traffic has migrated.
Remediation script · bash

```bash
# Move the highest-impact clusters onto IAM authentication first (free, no reboot).
# RDS.12 is a cluster-level control, so this loop uses describe/modify-db-cluster;
# the instance-level equivalents (describe/modify-db-instance) belong to RDS.10.
for cluster in $(aws rds describe-db-clusters \
    --query 'DBClusters[?IAMDatabaseAuthenticationEnabled==`false`].DBClusterIdentifier' \
    --output text); do
  aws rds modify-db-cluster --db-cluster-identifier "$cluster" \
    --enable-iam-database-authentication --apply-immediately
  echo "$cluster: IAM database authentication enabled"
done

# Find every instance still using a default admin username (immutable; needs migration).
aws rds describe-db-instances \
  --query "DBInstances[?contains(['admin','postgres','root','sa','master','mysql','dbadmin'], MasterUsername)].[DBInstanceIdentifier,MasterUsername]" \
  --output table

# Recreate one of those from a snapshot with IAM auth on from the start. Note that a
# restore keeps the snapshot's master username; a non-default master username can only
# be set on a freshly created cluster (create-db-cluster --master-username), then migrate.
aws rds restore-db-cluster-from-snapshot \
  --db-cluster-identifier prod-orders-db-v2 \
  --snapshot-identifier prod-orders-db-pre-rename \
  --engine aurora-postgresql \
  --enable-iam-database-authentication
```

Full walkthrough (console steps, edge cases and verification) in the lesson Harden database auth, ports and access.
Is RDS.12 a false positive?
Enabling the cluster flag clears RDS.12 but does nothing on its own — applications still reading a static password gain no protection until they are migrated to fetch IAM tokens per connection.
More RDS controls
- RDS.1 An RDS snapshot is shared publicly
- RDS.2 An RDS instance is publicly accessible from the internet
- RDS.3 RDS DB instances should be encrypted at rest
- RDS.4 RDS snapshots should be encrypted at rest
- RDS.5 RDS DB instances should use multiple AZs
- RDS.6 RDS lacks enhanced monitoring
- RDS.7 RDS clusters should have deletion protection
- RDS.8 RDS DB instances should have deletion protection
- RDS.9 RDS engine logs are not shipped to CloudWatch
- RDS.10 RDS relies on long-lived database passwords
- RDS.11 RDS instances should have automatic backups
- RDS.13 RDS is not receiving automatic minor security patches