
Decide Whether to Use RDS IAM Authentication

Problem

Multiple ways exist to authenticate with the database. Static credentials grow stale and are too easily hardcoded in places that make rotation difficult, so rotation is seldom performed. Generally, short-lived credentials that grant access only to the resources you need to do your job (least privilege) are preferred.

Context

RDS supports IAM authentication, which means IAM credentials are used to obtain short-lived credentials to access the RDS database. Using RDS IAM authentication from applications requires application changes to use the AWS SDK (Java Example).

caution

RDS IAM authentication is not recommended for applications due to a maximum of 200 new connections per second, and therefore only advisable for use with human operators.

For applications, the AWS recommended method is using AWS Secrets Manager (as opposed to RDS IAM Authentication) which also has the built-in capability to rotate credentials.

Despite these best practices, we primarily provision static credentials randomly generated by terraform using the database provider, then write them to SSM encrypted with KMS. See Use SSM over ASM for Infrastructure for more context.

Consequences

If we choose to enable RDS IAM Authentication, it’s just a simple feature flag in our rds component. This is an easily reversible decision that can be disabled.
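As an added example (not the code of our rds component or of the page above), this is what enabling the flag and granting least-privilege `rds-db:connect` looks like in Terraform; the resource names, instance settings, and the database user `app_reader` are assumptions.

```hcl
# Assumed helper data sources for the policy ARN below.
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

# Master password: still a static credential generated by terraform,
# as described above (no special chars: RDS rejects '/', '@', '"', ' ').
resource "random_password" "master" {
  length  = 32
  special = false
}

# Assumed instance. The single feature flag is
# iam_database_authentication_enabled; flipping it back to false
# reverses the decision.
resource "aws_db_instance" "example" {
  identifier                          = "example-postgres"
  engine                              = "postgres"
  instance_class                      = "db.t3.micro"
  allocated_storage                   = 20
  username                            = "postgres"
  password                            = random_password.master.result
  iam_database_authentication_enabled = true
  skip_final_snapshot                 = true
}

# Least privilege: the principal holding this policy can mint a token
# only for the database user "app_reader" on this one instance
# (matched by its dbi resource id), not for the master user or for
# other instances. Tokens expire after 15 minutes.
data "aws_iam_policy_document" "rds_connect" {
  statement {
    actions = ["rds-db:connect"]
    resources = [
      "arn:aws:rds-db:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:dbuser:${aws_db_instance.example.resource_id}/app_reader",
    ]
  }
}

resource "aws_iam_policy" "rds_connect" {
  name   = "example-rds-iam-connect"
  policy = data.aws_iam_policy_document.rds_connect.json
}
```

The IAM policy alone is not sufficient: the database user must also be mapped to IAM inside the engine, e.g. `CREATE USER app_reader; GRANT rds_iam TO app_reader;` on PostgreSQL, and a client that connects with a password instead of a token is still rejected for that user.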

References