MySQL provides the validate_password
plugin for improved security. The plugin
enforces password policies using parameters in the DB parameter group for your MySQL DB
instance. The plugin is supported for DB instances running MySQL version 5.7, 8.0, and 8.4.
For more information about the validate_password
plugin, see The Password
Validation Plugin
To enable the validate_password
plugin for a MySQL DB instance
-
Connect to your MySQL DB instance and run the following command.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
-
Configure the parameters for the plugin in the DB parameter group used by the DB instance.
For more information about the parameters, see Password Validation Plugin Options and Variables
in the MySQL documentation. For more information about modifying DB instance parameters, see Modifying parameters in a DB parameter group in Amazon RDS.
-
Restart the DB instance.
After enabling the validate_password
plugin, reset existing passwords to
comply with your new validation policies.
Amazon RDS doesn't validate passwords. The MySQL DB instance performs password validation. If
you set a user password with the AWS Management Console, the modify-db-instance
AWS CLI
command, or the ModifyDBInstance
RDS API operation, the change can succeed even
if the new password doesn't satisfy your password policies. However, a new password is set
in the MySQL DB instance only if it satisfies the password policies. In this case, Amazon RDS
records the following event.
"RDS-EVENT-0067" - An attempt to reset the master password for the DB instance has failed.
For more information about Amazon RDS events, see Working with Amazon RDS event notification.