For Amazon RDS for PostgreSQL, AWS provides IAM database authentication. With this feature, applications do not use stored long-term usernames and passwords. Instead, they use temporary authentication tokens that are generated by AWS and validated by the RDS database.
The AWS best practice pattern is:
Attach an IAM role to the EC2 instances (instance profile).
Grant that role the necessary permissions (for example, rds-db:connect) to the specific RDS database user.
The application running on the EC2 instance uses the role’s temporary credentials to call the RDS token-generation API and obtain a short-lived authentication token.
The application then uses this token as the password when connecting to RDS for PostgreSQL.
This removes the need to store long-term credentials in the application or on the instance and uses IAM roles with temporary credentials, aligning with the security requirement.
Option A still relies on stored credentials (even if in Secrets Manager), which are long-lived and rotated but not token-based per-connection IAM authentication.
Option B uses static passwords and IP-based access, which does not meet the “no long-term credentials” requirement.
Option C stores long-term IAM user keys on the instances, which is explicitly against best practices and does not directly integrate with RDS authentication.
