IAM Database Authentication for Amazon RDS In MySQL
In a rapidly growing, decentralized web-based environment, sometimes with thousands of miles between the people you work with, having the ability to easily manage and control access to your work is increasingly becoming a priority. And sharing passwords online via Slack or email was never going to be a secure or easy option—or meet any IT security best practices. Which is why you need to optimise IAM database authentication.
Database security is crucial. Your database and its contents need to be protected 24 hours a day, 7 days a week. The last thing you want is malicious activity affecting your customer’s data or your productivity and infrastructure. All of which could lead to hefty financial losses. Customers are highly-demanding about the integrity of their data (rightly so), and loss of trust or data breaches can lead to a client deciding to move elsewhere.
Security Is Always a Priority
Your database could contain your customer’s transaction details, credit card information or sensitive personal health information (ePHI). No matter what, security in the AWS ecosystem is an absolute priority. Amazon AWS takes every precaution on its infrastructure side to ensure the safety of your sensitive information.
As part of the AWS Shared Responsibility Model, it’s up to you to be responsible and implement every possible level of security on the customer side. There are several tools available for you to shore up your database security such as AWS Shield for DDOS protection, or AWS WAF to stop SQL injection/OWASPattacks. But today we’re focusing on IAM database authentication and what it can do for you.
IAM database authentication is the most secure way of connecting and is the central unit of authentication and access management on AWS. It’s a critical best practice tool to securely, yet flexibly, manage who from your organization is authenticated and who has permission to your RDS resources.
Control, Control, Control
With IAM being integrated into RDS, you have full control over what your users and group are able to access and allow them to take on specific resources which can be tagged, this grants your users and groups to take on resources with the same tag and tag value. Let’s look at some practices and what benefits we obtain.
Benefits and Best Practices
Keep in mind not to follow best practice and use your AWS root user credentials when accessing AWS. Treat it like a credit card or any other sensitive information and lock it away. Rather create an IAM user for yourself that has administrative permissions, and use that for all your work with AWS.
So, you’ve created an IAM user. Now you can give them a unique set of keys to your RDS, and if need be, change or even revoke their permissions at any time. But individually managing the permissions of each user is going to be a huge time sink.
Which is where groups come in. With groups, you can assign various permissions to your users, such as administrators only being associated with whatever permissions you deem necessary. We recommend that during this process you follow the idea of granting least privilege—another AWS best practice— to determine what permissions a user (or group) needs to fulfil their task. Then craft security policies around that. This allows you to then create additional policies as the need arises.
We would also recommend an added layer of protection by utilising multifactor authentication. This can be done via either hardware or virtual devices or tools such as AWS CloudTrail. Any steps taken to improve your security are never wasted steps. This method IAM database authentication for Amazon RDS in MySQL via authentication tokens will certainly boost your security.
IAM Database Authentication for Amazon RDS In MySQL
The ability to control organizational users, groups, and roles in IAM isn’t the tool’s only great feature. You can also use IAM database authentication to allow user access to your RDS DB instance in MySQL over less secure native authentication methods. This way you don’t need an unsecure password when connecting to a DB instance. Instead, you can use IAM user or role credentials and an authentication token.
An authentication token is generated on request with AWS Signature Version 4 and can be hundreds of characters long. It is good practice to capture it in a variable using the following AWS CLI command that can be used when making a connection.
TOKEN =
“$(aws rds generate-db-auth-token –hostname $AURORAEP –port 3306 –username $IAMUSER –region=$REGION)”
These tokens are hugely beneficial for increasing your DBS security access:
- No need to store database user credentials, tokens are generated with your AWS access keys
- Each one has a lifespan of 15 minutes
- MySQL does not recheck connections and will not drop you when the token expires
- All data sent to and from your RDS DB instance is encrypted with SSL
With all this control and security at your fingertips, let’s look at the prerequisites and limitations for what you need to allow users to connect to your RDS DB instance using IAM credentials in MySQL:
The limitations of this practice are minor, but they include:
- A maximum of 200 new connections per second
- In the case of a db.t2.micro DB instance class, this is 10 connections per second
Connect To Amazon RDS In MySQL With IAM Credentials
Follow the steps below.
Prerequisites:
- EC2 Instance
- Have AWS CLI installed
- MySQL RDS Instance support for:
- MySQL Version 5.6.34 or higher
- MySQL 5.7.16 or higher
- MySQL 8.0.16
- Make sure IAM DB authentication is enabled
- By default, IAM Database Authentication is disabled on DB instances. Enable it using the Amazon RDS console, AWS CLI or the Amazon RDS API. Refer to the AWS docs here on how to resolve this. This will apply without a reboot.
- EC2 and RDS should be able to communicate with each other at RDS port (specify port 3306 )
- IAM RoleName: ec2-to-rds: An EC2 Role.
- Permissions: Managed Policies AmazonRDS (give required permissions as per your access needs)
- An inline policy with certain permissions as described below
- Prepare EC2 Instance:
- Please install the following packages and commands
yum install curl mysql -y
Setup Your Database To Use IAM
Now you can create a database user account that uses an AWS authentication token:
1 # Connect to DB
2 RDS_HOST=”db-with-iam-support.ct5b4uz1gops.eu-central-1.rds.amazonaws.com”
3 REGION=”eu-central-1″
4 # mysql -h {database or cluster endpoint} -P {port number database is listening on}
-u {master db username} -p
5 mysql -h ${RDS_HOST} -P 3306 -u dbuser -p
This command will create a database user account that uses an AWS authentication token instead of a password:
1 CREATE USER ‘db_iam_user’ IDENTIFIED WITH AWSAuthenticationPlugin as ‘RDS’;
You may also run this command to require the user to connect to the database using SSL. Learn more here.
1 GRANT USAGE ON *.* TO ‘db_iam_user’@’%’REQUIRE SSL;
GRANT ALL PRIVILEGES ON database_name1.* TO ‘username’@’%’;
GRANT ALL PRIVILEGES ON database_name2.* TO ‘username’@’%’; For multiple database access to the user.
To flush privileges, run “exit” to close MYSQL.
IAM Inline Policy
Set up an inline policy to allow the DB access to the user. Then change the DB ARN accordingly and add the policy to the IAM role or user.
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: [
“rds-db:connect”
],
“Resource”: [
“arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name”
]
}
]
}
To Add Multiple Users
Resource”: [
“arn:aws:rds-db:us-east-2:123456789012:dbuser:db-ABCDEFGHIJKL01234/jane_doe”,
“arn:aws:rds-db:us-east-2:123456789012:dbuser:db-ABCDEFGHIJKL01234/mary_roe”
]
To Download SSL Certificates
1 mkdir -p /var/mysql-certs/
2 cd /var/mysql-certs/
3 curl -O https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
To Connect to the Database
Run the following:
1 mysql –host=”${RDS_HOST}”
2 –port=3306
3 –user=db_iam_user
4 –ssl-ca=/var/mysql-certs/rds-combined-ca-bundle.pem
5 –ssl-verify-server-cert
6 –password=”$TOKEN”
For IAM Users
To create IAM User Permissions: Go to Managed Policies on your AmazonRDS and give the required permissions as per your organizational access needs. Add an inline policy to the user (as mentioned above and configure IAM user credentials in the instance. With these credentials, IAM users can access the RDS with the token.
Download SSL Certificates (as mentioned above)
Connect to Database (as mentioned above)
Preferring an IAM Role Over an IAM User
To follow best practices for accessing private RDS instances (even If you are using an authentication security token), it’s important to leverage IAM roles or IAM user credentials with our RDS access policy. In IAM, users credentials (username, password, authentication method or secret key method, etc.,) are permanently attached to a named operator—’person or machine’—and can be viewed in “~/.aws/credentials”. With these keys, other users or malicious actors can misuse user creds. So, for security reasons we prefer IAM roles. If we use the IAM role that is attached to EC2 instance that role uses the AWS internal network. A role is a temporary authentication method and harder to misuse.
Compliance laws around database security and data protection are becoming ever more stringently regulated. There are regulations in force which demand particular standards from any company storing client data in online components. Users all over the world expect their privacy to be taken seriously and modern businesses need to stay ahead of the security curve to reflect this wish. If your company is storing customer data online, then database security is a serious priority. Take these steps with AWS to improve your compliance and security stance.
Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and make recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.