You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication with IAM users and roles. IAM database authentication works with MariaDB, MySQL, and PostgreSQL, and also with Aurora MySQL and Aurora PostgreSQL. With this authentication method, you don't need a password when you connect to a DB cluster; instead, you use an authentication token, which gives greater security. In addition, the network traffic to and from the database is encrypted using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
An authentication token is a unique string of characters that Amazon RDS generates on request. Each token has a lifetime of 15 minutes. The token is used only for authentication and doesn't affect the session after it is established.
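To make the token's structure concrete, here is an added example (not code from this article): a pure-Python re-implementation of the SigV4 presigned-URL construction that the AWS SDK's generate_db_auth_token performs for the rds-db service, plus a parser that shows what a token carries. The RDS endpoint and the DB user rev are taken from this article; the access key, secret key and clock are constructed placeholders, so the resulting token is illustrative only and would not be accepted by a real database.

```python
"""Build and inspect an RDS IAM authentication token.

Added example, not from the article: reproduces in pure Python the SigV4
presigned-URL construction that the AWS SDK's generate_db_auth_token uses
(service "rds-db", action "connect", 900-second expiry). Endpoint and DB user
come from the article; credentials and clock are constructed placeholders.
"""
import datetime
import hashlib
import hmac
import urllib.parse

# Endpoint from the article; "rev" is the DB user the article creates in part 2.
DB_ENDPOINT = "database-1.cgizjtuyxkda.us-east-1.rds.amazonaws.com"
TOKEN_LIFETIME_SECONDS = 900  # the 15-minute lifetime described above
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()  # a GET with no body


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key: secret -> date -> region -> service -> aws4_request."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    """Sorted, percent-encoded query string, as SigV4 requires."""
    return "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def generate_db_auth_token(hostname, port, db_user, region, access_key, secret_key, now=None):
    """Return an RDS auth token: a SigV4 presigned URL with the https:// scheme stripped."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    service = "rds-db"
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    host = f"{hostname}:{port}"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_LIFETIME_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical request: method, path, query, headers (each newline-terminated),
    # a blank line, the signed header names, then the hash of the empty payload.
    canonical_request = "\n".join(
        ["GET", "/", _canonical_query(params), f"host:{host}\n", "host", EMPTY_PAYLOAD_SHA256]
    )
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    signature = hmac.new(
        _signing_key(secret_key, date_stamp, region, service),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    # The secret key never appears in the token, only the signature derived from it.
    return f"{host}/?{_canonical_query(params)}&X-Amz-Signature={signature}"


def describe_token(token: str) -> dict:
    """Parse a token back into the facts a reviewer cares about: who, which key, when it expires."""
    host_port, _, query = token.partition("/?")
    fields = dict(urllib.parse.parse_qsl(query))
    issued = datetime.datetime.strptime(fields["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(
        tzinfo=datetime.timezone.utc
    )
    lifetime = int(fields["X-Amz-Expires"])
    sig = fields["X-Amz-Signature"]
    return {
        "endpoint": host_port,
        "db_user": fields["DBUser"],
        "access_key_id": fields["X-Amz-Credential"].split("/")[0],
        "issued_at": issued.isoformat(),
        "expires_at": (issued + datetime.timedelta(seconds=lifetime)).isoformat(),
        "lifetime_seconds": lifetime,
        "signature_is_hex64": len(sig) == 64 and all(c in "0123456789abcdef" for c in sig),
    }


def example_token(secret_key: str = "constructed-secret-not-real") -> str:
    """Deterministic demo using a placeholder access key and a fixed clock (constructed)."""
    fixed_clock = datetime.datetime(2024, 1, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)
    return generate_db_auth_token(
        DB_ENDPOINT, 3306, "rev", "us-east-1", "AKIAEXAMPLEPLACEHOLDER", secret_key, now=fixed_clock
    )


if __name__ == "__main__":
    token = example_token()
    print(token)
    for key, value in describe_token(token).items():
        print(f"{key}: {value}")
```

Running the block shows what the 15-minute token actually is: a signed query string naming the endpoint, the DB user, the access key ID, the issue time and a 900-second expiry, with the secret key represented only by the HMAC signature. That is why the token can be passed as the MySQL password over a TLS connection and why it is harmless once expired. In practice you would not hand-roll this; the AWS CLI's `aws rds generate-db-auth-token` and boto3's `rds.generate_db_auth_token` produce the same string from the instance profile credentials.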
Advantages:
1. Easy to manage through IAM roles, instead of managing access individually on each cluster
2. Applications on EC2 can leverage the instance profile
3. Network traffic is encrypted
4. Easy to enable without downtime
Please visit my GitHub Repository for RDS articles on various topics, updated on a constant basis.
Let’s get started!
I am going to divide this article into 2 parts:
- 1st part - Objectives 1 to 5
- 2nd part - Objectives 6 to 13: Connecting to RDS MySQL DB instance without a password, using IAM authentication - 2
Objectives:
1. Create EC2 Security Group - SSH-launch / launch-wizard-1
2. Create Security Group for RDS - RDS-SG
3. Create RDS MySQL database - database-1
4. Create EC2 instance - my-EC2
5. Enable IAM Authentication on RDS MYSQL database
6. Create a DB user account rev that uses an AWS authentication token
7. Create an IAM role R-iam-rds-role, with the AmazonRDSReadOnlyAccess policy, that allows Amazon RDS access
8. Create an IAM policy P-iam-rds-policy that maps the DB user to the IAM role
9. Attach the IAM role to the EC2 instance
10. Download the SSL root certificate file or certificate bundle file (the root certificate that works for all Regions)
11. Generate an AWS authentication token to identify the IAM role
12. Connect to the RDS MySQL database using the IAM role credentials, the authentication token and the SSL certificate.
13. Check the status of the SSL connection.
Pre-requisites:
- AWS user account with admin access, not a root account.
Resources Used:
Steps for implementation to this project:
1. Create EC2 Security Group - SSH-launch / launch-wizard-1
- inbound rules
- outbound rules
2. Create Security Group for RDS - RDS-SG
- attach EC2 Security group SSH-launch / launch-wizard-1
- inbound rules
- outbound rules
3. Create RDS MySQL database - database-1
Create the RDS MySQL database with the parameters below:
- use RDS-SG
- under Database authentication, uncheck "Password and IAM database authentication"
- take defaults
- Create database
Wait 4-5 minutes for creation to complete
Take note of the RDS endpoint
database-1.cgizjtuyxkda.us-east-1.rds.amazonaws.com
4. Create EC2 instance - my-EC2
Create an EC2 instance with the parameters below:
- take defaults
Launch instance
Take note of Public IPv4 DNS of your EC2 instance
ec2-54-145-145-130.compute-1.amazonaws.com
5. Enable IAM Authentication on RDS MYSQL database
IAM Authentication - Not enabled (current status)
Modify / under Database authentication, check "Password and IAM database authentication"
- Continue / check Apply immediately
Modify DB instance
IAM Authentication - Enabled (status after the modification)