
IAM

MFA

Enable MFA on AWS

  1. You need a virtual MFA app on your phone, e.g. Google Authenticator.
  2. Log in to AWS.
  3. Select your username → My Security Credentials.
  4. Under Multi-factor authentication (MFA), click Assign MFA device.
  5. Choose Virtual MFA device and click Continue.
  6. Click Show QR code and scan it with the app. The app starts generating six-digit codes. Enter the code currently displayed as MFA code 1, wait for the next code (the app rotates every 30 seconds) and enter it as MFA code 2, then click Assign MFA. The two codes must come from consecutive 30-second windows; entering the same code twice is rejected.
  7. The IAM user needs a policy attached that allows them to manage their own MFA device (for example iam:CreateVirtualMFADevice and iam:EnableMFADevice on their own user ARN); without it the console steps above are denied.
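Why the console asks for two codes is easiest to see by computing them yourself. The following Python is an added example, not part of the original page or of any AWS tooling: it implements RFC 6238 TOTP (the algorithm Google Authenticator and the other virtual MFA apps use), reads the seed out of an otpauth URI of the kind the QR code encodes, derives the two codes for adjacent 30-second windows, and assembles the equivalent `aws iam enable-mfa-device` call. The provisioning URI is constructed with the RFC 6238 test seed rather than a real AWS one, and the user name and account ID are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed provisioning URI: same shape as the QR code, but the secret is the
# RFC 6238 test seed "12345678901234567890" (base32), not a real AWS seed.
PROVISIONING_URI = (
    "otpauth://totp/Amazon%20Web%20Services:alice@111111111111"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Amazon%20Web%20Services"
)


def secret_from_otpauth_uri(uri: str) -> bytes:
    """Extract the shared seed from an otpauth://totp/... URI (what the QR code encodes)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    secret = parse_qs(parsed.query)["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # base32 needs padding to a multiple of 8 chars
    return base64.b32decode(secret)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second window number."""
    return hotp(secret, unix_time // step, digits)


def consecutive_mfa_codes(secret: bytes, unix_time: int, step: int = 30) -> tuple:
    """The pair AWS asks for: the code of the current window and of the window after it.
    Both must be valid TOTP outputs for adjacent windows; the same code twice is refused."""
    window = unix_time // step
    return hotp(secret, window), hotp(secret, window + 1)


def enable_mfa_device_command(user_name: str, account_id: str, code1: str, code2: str) -> list:
    """CLI equivalent of clicking 'Assign MFA' (assumes the device was named after the user,
    which is how the serial number ARN in the Remove MFA section above is formed)."""
    serial = f"arn:aws:iam::{account_id}:mfa/{user_name}"
    return [
        "aws", "iam", "enable-mfa-device",
        "--user-name", user_name,
        "--serial-number", serial,
        "--authentication-code1", code1,
        "--authentication-code2", code2,
    ]


if __name__ == "__main__":
    seed = secret_from_otpauth_uri(PROVISIONING_URI)
    code1, code2 = consecutive_mfa_codes(seed, int(time.time()))
    print(" ".join(enable_mfa_device_command("alice", "111111111111", code1, code2)))
```

The seed in the QR code is the whole secret: anyone who photographs it can generate the same codes, so treat the QR screen like a password and do not leave the image in chat logs or screenshots.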

Remove MFA

An MFA device must be deactivated before it can be deleted.

aws iam deactivate-mfa-device --user-name <username> --serial-number arn:aws:iam::<account-id>:mfa/<username>
aws iam delete-virtual-mfa-device --serial-number arn:aws:iam::<account-id>:mfa/<username>

IAM Database Authentication for MySQL

Users connect to Amazon RDS with IAM credentials (an IAM user or role) instead of a database password.

Activate IAM DB authentication

Enable IAM database authentication on the DB instance or cluster from the Amazon RDS console.

Create a database user account that uses an AWS authentication token

Connect to the DB instance or cluster endpoint with the master credentials and run the following to create the user:

CREATE USER {dbusername} IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS';

By default the new database user has no privileges. To require the account to connect over SSL and grant it the privileges it needs, run the commands below. REQUIRE SSL is not optional here: the token is sent through the cleartext authentication plugin, so TLS is the only thing protecting it in transit. Scope the GRANT to the schemas the application actually uses rather than *.*.

ALTER USER {dbusername} REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE, DELETE, ALTER ON *.* TO '{dbusername}'@'%';

Add an IAM policy

Attach a policy to the IAM user or role that allows the rds-db:connect action on the database user resource. The resource ARN has the form arn:aws:rds-db:<region>:<account-id>:dbuser:<resource-id>/<db-username>, where the resource ID is the DbiResourceId of an instance (db-...) or the resource ID of a cluster (cluster-...). The example below uses a wildcard for the database user name, which permits connecting as any IAM-authenticated user on that cluster; narrow it to the specific user where possible.

{
    "Version": "2012-10-17",
    "Statement": [
       {
          "Effect": "Allow",
          "Action": [
              "rds-db:connect"
          ],
          "Resource": [
              "arn:aws:rds-db:ap-southeast-1:111111111111:dbuser:cluster-XXXXXXXXXXXX/*"
          ]
       }
    ]
}

Connect to the RDS DB using IAM role credentials

Download SSL Certificates

Download the RDS CA certificate bundle for the region so the client can verify the server certificate:

wget https://truststore.pki.rds.amazonaws.com/ap-southeast-1/ap-southeast-1-bundle.pem

Generate authentication token and connect to DB

Generate an authentication token and pass it as the password when connecting. Tokens are valid for 15 minutes; generate a fresh one for each connection rather than caching it.

RDSHOST="myrds.ap-southeast-1.rds.amazonaws.com"
DBUSERNAME={dbusername}
TOKEN="$(aws rds generate-db-auth-token --hostname "$RDSHOST" --port 3306 --region ap-southeast-1 --username "$DBUSERNAME")"
mysql --host="$RDSHOST" --port=3306 --ssl-ca=/fullpathtopem/ap-southeast-1-bundle.pem --ssl-mode=VERIFY_CA --enable-cleartext-plugin --user="$DBUSERNAME" --password="$TOKEN"
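What `aws rds generate-db-auth-token` returns is a SigV4 presigned URL with the scheme stripped, which is why the token expires after 15 minutes and why it is tied to the exact endpoint hostname and port. The Python below is an added example, not code from this page or from AWS: it re-implements that presigning without boto3 so it runs offline, shows where the session token goes when the caller is an assumed role, and adds the freshness check a connection-pool wrapper would run before reusing a token. The access key, secret key, host and user are constructed placeholders; in practice call the CLI or the SDK (boto3's rds.generate_db_auth_token) rather than signing by hand, and use this only to understand what those produce.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

# Constructed placeholders: not real credentials or a real endpoint.
RDS_HOST = "myrds.ap-southeast-1.rds.amazonaws.com"
RDS_PORT = 3306
DB_USER = "db_user"
REGION = "ap-southeast-1"
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
TOKEN_TTL = 900  # AWS fixes the token lifetime at 15 minutes
ISSUED_AT = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)  # fixed issue time for the demo


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def generate_db_auth_token(hostname, port, username, region, access_key, secret_key,
                           now, session_token=None):
    """SigV4 query-string presign of GET https://{host}:{port}/?Action=connect&DBUser={user}
    for service name 'rds-db', with 'https://' removed: the shape the CLI hands back."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": username,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials from an assumed role: the session token is signed too
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: keys sorted, keys and values RFC 3986 percent-encoded.
    canonical_qs = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )
    host_header = f"{hostname}:{port}"  # host (with its non-default port) is the only signed header
    canonical_request = "\n".join([
        "GET", "/", canonical_qs,
        f"host:{host_header}\n",          # canonical headers block ends with a newline
        "host",                            # signed headers list
        hashlib.sha256(b"").hexdigest(),   # empty payload
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signing_key = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, "rds-db", "aws4_request"):
        signing_key = _hmac_sha256(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{host_header}/?{canonical_qs}&X-Amz-Signature={signature}"


def token_expiry(token: str) -> dt.datetime:
    """Instant after which RDS rejects the token: X-Amz-Date + X-Amz-Expires, read from the token."""
    query = parse_qs(urlsplit("https://" + token).query)
    signed_at = dt.datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=dt.timezone.utc)
    return signed_at + dt.timedelta(seconds=int(query["X-Amz-Expires"][0]))


def token_is_fresh(token: str, now: dt.datetime, margin_seconds: int = 60) -> bool:
    """True if the token will still be valid margin_seconds from now; otherwise request a new one."""
    return now + dt.timedelta(seconds=margin_seconds) < token_expiry(token)


if __name__ == "__main__":
    token = generate_db_auth_token(RDS_HOST, RDS_PORT, DB_USER, REGION, ACCESS_KEY, SECRET_KEY,
                                   dt.datetime.now(dt.timezone.utc))
    # The token is the value passed as --password to mysql in the commands above.
    print("token valid until", token_expiry(token).isoformat())
```

Two things the structure makes visible: the signature covers the host header, so a token minted for the RDS endpoint cannot be presented to a CNAME of it, and the token is a bearer credential for its whole lifetime, so it must be kept out of logs and shell history just like a password.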

Note

  1. This has been tested with the mysql CLI. For other MySQL clients, check their documentation for how to enable the cleartext authentication plugin and TLS.
  2. The database user name does not have to match the IAM user name.
  3. Existing users can still log in with a traditional username and password; a separate database user must be created for IAM authentication.
  4. Connect using the endpoint that RDS provides. A CNAME or other alternative DNS name does not work, because the endpoint hostname is part of what the token signs.
  5. Authentication tokens are valid for 15 minutes.
  6. In general, consider using IAM database authentication when your applications create fewer than 200 connections per second, and you don't want to manage usernames and passwords directly in your application code.

References