
Authenticating with Amazon RDS: A Guide to Password, IAM, and Kerberos Authentication


Amazon Relational Database Service (RDS) offers multiple authentication methods to secure access to your database instances.

Choosing the appropriate method depends on your security requirements, infrastructure, and management preferences.

In this article, we’ll explore these authentication methods in detail, using the official AWS RDS documentation as a reference.

1. Password Authentication

Overview

Password authentication is the most common and straightforward method for accessing an RDS instance. It involves using a username and password to authenticate with the database. This method is supported by all RDS database engines, including MySQL, PostgreSQL, Oracle, SQL Server, and MariaDB.

How It Works

  1. During the creation of an RDS instance, you specify a master username and password.
  2. Applications or users connect to the database using the provided credentials.
  3. The RDS instance verifies the credentials and grants access if they are valid.

Advantages

  • Simplicity: Easy to set up and use.
  • Wide Compatibility: Supported by all database engines and most database clients.
  • Familiarity: Most developers and DBAs are already familiar with password-based authentication.

Steps to Configure

Set the Master Password:

When creating an RDS instance, specify a master username and password in the AWS Management Console, CLI, or SDK.

Example using AWS CLI:

aws rds create-db-instance --db-instance-identifier mydbinstance --db-instance-class db.t3.micro --engine mysql --allocated-storage 20 --master-username admin --master-user-password mypassword

Connect to the Database:

Use a database client or application to connect using the master username and password.

Example for MySQL:

mysql -h mydbinstance.123456789012.us-east-1.rds.amazonaws.com -u admin -p

Rotate Passwords Regularly:

For security, periodically rotate passwords using the AWS Management Console or CLI.

2. IAM Database Authentication

Overview

IAM database authentication allows you to authenticate to your RDS instance using AWS Identity and Access Management (IAM) credentials. This method is available for MySQL and PostgreSQL RDS instances and eliminates the need for password management.

How It Works

  1. IAM users or roles are granted permission to connect to the RDS instance.
  2. Applications or users generate an authentication token using their IAM credentials.
  3. The authentication token is used to connect to the RDS instance.

Advantages

  • Enhanced Security: No need to store or manage database passwords.
  • IAM Integration: Leverages IAM policies for fine-grained access control.
  • Temporary Credentials: Authentication tokens are valid for 15 minutes, reducing the risk of credential exposure.

Steps to Configure

Enable IAM Database Authentication:

Enable IAM authentication when creating or modifying the RDS instance.

aws rds modify-db-instance --db-instance-identifier mydbinstance --enable-iam-database-authentication

Create an IAM Policy:

Create an IAM policy that allows the rds-db:connect action.

Example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:us-east-1:123456789012:dbuser:db-ABCDEFGHIJKL12345/myuser"
    }
  ]
}

Create a Database User:

Create a database user mapped to an IAM role or user.

Example for PostgreSQL:

CREATE USER myuser WITH LOGIN;

GRANT rds_iam TO myuser;

Generate an Authentication Token:

Use the AWS CLI to generate an authentication token.

aws rds generate-db-auth-token --hostname mydbinstance.123456789012.us-east-1.rds.amazonaws.com --port 5432 --username myuser

Connect to the Database:

Pass the authentication token in the password field when connecting. IAM authentication only works over an encrypted connection, so set sslmode to require (or verify-full with the RDS CA bundle) rather than prefer, which would allow a fallback to plaintext.

Example for PostgreSQL:

psql "host=mydbinstance.123456789012.us-east-1.rds.amazonaws.com port=5432 sslmode=require user=myuser dbname=mydb password=<auth-token>"
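To make the "authentication token" concrete, here is an added example (not from the article or from the AWS SDK) that re-implements in pure Python the SigV4 presigning scheme behind aws rds generate-db-auth-token and boto3's generate_db_auth_token: the token is a presigned URL for an rds-db connect action, which is why it carries a 900-second X-Amz-Expires and why it must only be sent over TLS. The host, credentials and clock are constructed; real code should call the SDK rather than this re-implementation.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

# Constructed, non-functional credentials and a fixed clock so the output is reproducible.
EXAMPLE_HOST = "mydbinstance.123456789012.us-east-1.rds.amazonaws.com"
EXAMPLE_KEY = ("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
EXAMPLE_NOW = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # SigV4 payload hash of the empty GET body

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def generate_db_auth_token(host, port, user, region, access_key, secret_key, now):
    """Build the SigV4-presigned 'connect' URL that RDS accepts in the password field."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": "900",  # the 15-minute token lifetime lives here
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, every key and value URI-encoded (so '/' becomes %2F).
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    host_header = f"{host}:{port}"
    canonical = "\n".join(["GET", "/", query, f"host:{host_header}", "", "host", EMPTY_SHA256])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), amz_date[:8])
    for part in (region, "rds-db", "aws4_request"):  # derive the per-day, per-service signing key
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host_header}/?{query}&X-Amz-Signature={signature}"  # note: no https:// prefix

def token_expiry(token):
    """Recover the moment a token stops working from its X-Amz-Date and X-Amz-Expires fields."""
    fields = dict(p.split("=", 1) for p in token.split("?", 1)[1].split("&"))
    issued = dt.datetime.strptime(fields["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return issued + dt.timedelta(seconds=int(fields["X-Amz-Expires"]))

def demo_token():
    """Token for the article's PostgreSQL endpoint and user, signed with the constructed credentials."""
    return generate_db_auth_token(EXAMPLE_HOST, 5432, "myuser", "us-east-1", *EXAMPLE_KEY, EXAMPLE_NOW)
```

Because the token is a signed URL rather than a secret shared with the database, a leaked token is only useful until the instant token_expiry reports, and only to a client that can also complete the TLS handshake.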

3. Kerberos Authentication

Overview

Kerberos authentication provides a secure, ticket-based authentication mechanism for RDS instances. It is supported for Microsoft SQL Server and PostgreSQL databases. Kerberos integrates with Microsoft Active Directory (AD) to provide centralized authentication and single sign-on (SSO) capabilities.

How It Works

  1. The RDS instance is integrated with an Active Directory domain.
  2. Users authenticate with the domain controller and receive a Kerberos ticket.
  3. The ticket is presented to the RDS instance for authentication.

Advantages

  • Centralized Authentication: Integrates with Active Directory for enterprise-grade authentication.
  • Single Sign-On (SSO): Users can access multiple services with a single login.
  • Strong Security: Kerberos is a robust and widely-used authentication protocol.

Steps to Configure

Set Up an AWS Directory Service:

Create an AWS Managed Microsoft AD directory using AWS Directory Service.

Example using AWS CLI:

aws ds create-microsoft-ad --name example.com --password MyPassword123 --edition Standard --vpc-settings VpcId=vpc-12345678,SubnetIds=subnet-12345678,subnet-87654321

Enable Kerberos Authentication:

Modify the RDS instance to join it to the directory. The --domain value is the Directory Service directory ID (of the form d-xxxxxxxxxx), not the DNS domain name, and the IAM role named in --domain-iam-role-name must have the AmazonRDSDirectoryServiceAccess managed policy attached.

Example using AWS CLI:

aws rds modify-db-instance --db-instance-identifier mydbinstance --domain d-xxxxxxxxxx --domain-iam-role-name my-iam-role

Create a Database User:

Create a database user mapped to an Active Directory user or group.

Example for SQL Server:

CREATE LOGIN [mydomain\myuser] FROM WINDOWS;

Authenticate and Connect:

Users obtain a Kerberos ticket from Active Directory (by logging on to a domain-joined machine, or with kinit) and connect with integrated authentication instead of supplying a username and password.

Example for SQL Server:

sqlcmd -S mydbinstance.123456789012.us-east-1.rds.amazonaws.com -E

Selecting the appropriate authentication method depends on various factors, including existing infrastructure, security requirements, and simplicity. If your organization already uses Active Directory, Kerberos authentication provides seamless integration and centralized credential management. For enhanced security and centralized access control, IAM database authentication is a strong choice, as it eliminates the need for static passwords by using temporary authentication tokens. On the other hand, password authentication is the simplest option, making it suitable for smaller environments or applications where managing IAM roles or Active Directory isn’t feasible. Ultimately, assessing your organization’s specific needs, existing systems, and security policies is crucial in determining the most suitable authentication method for your Amazon RDS instances.

Conclusion

Amazon RDS provides multiple authentication methods to suit different use cases and security requirements. Password authentication is simple and widely supported, IAM database authentication offers enhanced security and IAM integration, and Kerberos authentication provides enterprise-grade centralized authentication. By understanding these methods, you can choose the best approach for your application and ensure secure access to your RDS instances.

