Manage access to your RDS for MySQL and Amazon Aurora databases using AWS IAM

Posted on: Apr 24, 2017

Starting today, Amazon RDS enables you to use AWS Identity and Access Management (IAM) to manage database access for Amazon RDS for MySQL DB instances and Amazon Aurora DB clusters. Database administrators can now associate database users with IAM users and roles. By using IAM, you can manage user access to all AWS resources from a single location, avoiding issues caused by permissions that are out of sync on different AWS resources.

You can choose to use IAM for database user authentication by simply selecting a checkbox during the DB instance creation process. Existing DB instances can also be modified to enable IAM authentication. Once enabled, database administrators associate new and existing database users to IAM users and roles. After that, credentials can be managed via IAM, without needing to manage users in the database. This includes expanding and restricting permission levels, associating permissions with different roles, and revoking access. IAM authentication also allows easier and safer integration with your applications running on EC2.

After configuring the database for IAM authentication, client applications authenticate to the database engine by providing temporary security credentials generated by the IAM Security Token Service. These credentials are used instead of providing a password to the database engine.

Database IAM authentication is available for Amazon RDS database instances running MySQL versions 5.6.34 and 5.7.16 (and higher) and all instance types except db.t1.micro and db.m1.small. It is available for Amazon Aurora instances version 1.10 (and higher) in all AWS regions where Amazon Aurora is available.

To learn more about enabling IAM authentication for your database instance, please refer to the Amazon RDS documentation. To learn more about IAM, refer to the AWS Identity and Access Management page.