terraform.aws.best-practice.aws-rds-iam-authentication-not-enabled.aws-rds-iam-authentication-not-enabled


The AWS RDS instance is not configured to use IAM authentication. Consider using IAM for authentication.


Definition

rules:
  - id: aws-rds-iam-authentication-not-enabled
    # Reports every aws_db_instance that does not literally set
    # iam_database_authentication_enabled = true. Both an absent attribute
    # and an explicit "= false" are therefore reported (see the examples).
    patterns:
      # Match any RDS instance resource, whatever its name or body.
      - pattern: |
          resource "aws_db_instance" $ANYTHING {
            ...
          }
      # Exclude resources that enable IAM database authentication. Only the
      # literal `true` is recognized here; a value supplied through a
      # variable or expression is presumably still reported - confirm
      # against the semgrep hcl matcher before relying on that.
      - pattern-not-inside: |
          resource "aws_db_instance" $ANYTHING {
            ...
            iam_database_authentication_enabled = true
            ...
          }
    message: The AWS RDS is not configured to use IAM authentication. Consider using
      IAM for authentication.
    languages:
      - hcl
    # Advisory only. The rule does not inspect `engine`, so instances of
    # engines for which RDS offers no IAM database authentication would be
    # reported as well (NOTE(review): verify current engine support before
    # tightening the rule on that basis).
    severity: WARNING
    metadata:
      category: best-practice
      technology:
        - terraform
        - aws
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

aws-rds-iam-authentication-not-enabled.tf

# pass

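# ok: aws-rds-iam-authentication-not-enabled
resource "aws_db_instance" "enabled_mysql" {
  allocated_storage = 5
  engine            = "mysql" # was "postgres"; aligned with the resource name
  instance_class    = "db.t3.small"
  password          = "password" # fixture placeholder, not a real credential
  username          = "username"

  # The rule looks for exactly this attribute set to the literal true.
  iam_database_authentication_enabled = true
}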

# ok: aws-rds-iam-authentication-not-enabled
resource "aws_db_instance" "enabled_postgres" {
  # The literal `true` below is what keeps the rule from firing on this
  # resource; attribute order does not matter to Terraform or to the rule.
  iam_database_authentication_enabled = true

  engine         = "postgres"
  instance_class = "db.t3.small"

  allocated_storage = 5
  username          = "username"
  password          = "password" # fixture placeholder, not a real credential
}

# failure
# ruleid: aws-rds-iam-authentication-not-enabled
resource "aws_db_instance" "default_mysql" {
  # iam_database_authentication_enabled is omitted entirely, so the
  # provider default applies and the rule reports the resource.
  engine         = "mysql"
  instance_class = "db.t3.small"

  allocated_storage = 5
  username          = "username"
  password          = "password" # fixture placeholder, not a real credential
}
# ruleid: aws-rds-iam-authentication-not-enabled
resource "aws_db_instance" "default_postgres" {
  # No iam_database_authentication_enabled attribute at all: reported.
  engine         = "postgres"
  instance_class = "db.t3.small"

  allocated_storage = 5
  username          = "username"
  password          = "password" # fixture placeholder, not a real credential
}
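# ruleid: aws-rds-iam-authentication-not-enabled
resource "aws_db_instance" "disabled_mysql" {
  allocated_storage = 5
  engine            = "mysql" # was "postgres"; aligned with the resource name
  instance_class    = "db.t3.small"
  password          = "password" # fixture placeholder, not a real credential
  username          = "username"

  # Explicitly disabled: the rule only excludes the literal true, so this
  # resource is reported just like one that omits the attribute.
  iam_database_authentication_enabled = false
}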
# ruleid: aws-rds-iam-authentication-not-enabled
resource "aws_db_instance" "disabled_postgres" {
  # Explicit false is reported, same as an absent attribute.
  iam_database_authentication_enabled = false

  engine         = "postgres"
  instance_class = "db.t3.small"

  allocated_storage = 5
  username          = "username"
  password          = "password" # fixture placeholder, not a real credential
}

# unknown

# ruleid: aws-rds-iam-authentication-not-enabled
resource "aws_db_instance" "mariadb" {
  # The rule does not look at `engine`; with the attribute absent this
  # resource is reported regardless of engine. Filed under "unknown" by the
  # author - NOTE(review): confirm current RDS for MariaDB IAM auth support
  # before deciding whether this should remain a true positive.
  engine         = "mariadb"
  instance_class = "db.t3.small"

  allocated_storage = 5
  username          = "username"
  password          = "password" # fixture placeholder, not a real credential
}