Posted On: Apr 24, 2017
Starting today, HAQM RDS enables you to use AWS Identity and Access Management (IAM) to manage database access for HAQM RDS for MySQL DB instances and HAQM Aurora DB clusters. Database administrators can now associate database users with IAM users and roles. By using IAM, you can manage user access to all AWS resources from a single location, avoiding issues caused by permissions that are out of sync on different AWS resources.
You can choose to use IAM for database user authentication by selecting a checkbox during the DB instance creation process. Existing DB instances can also be modified to enable IAM authentication. Once enabled, database administrators associate new and existing database users with IAM users and roles. After that, credentials can be managed via IAM, without needing to manage users in the database. This includes expanding and restricting permission levels, associating permissions with different roles, and revoking access. IAM authentication also allows easier and safer integration with your applications running on EC2.
After configuring the database for IAM authentication, client applications authenticate to the database engine by providing temporary security credentials generated by the IAM Security Token Service. These credentials are used instead of providing a password to the database engine.
Database IAM authentication is available for HAQM RDS database instances running MySQL versions 5.6.34 and 5.7.16 (and higher) and all instance types except db.t1.micro and db.m1.small. It is available for HAQM Aurora instances version 1.10 (and higher) in all AWS regions where HAQM Aurora is available.
To learn more about enabling IAM authentication for your database instance, please refer to the HAQM RDS documentation. To learn more about IAM, refer to the AWS Identity and Access Management page.