Before you start

Perform these steps before you start auditing events in Db2 Warehouse SaaS.

About this task

Note: We highly recommend rotating your credentials on a monthly basis to enhance security and reduce the risk of unauthorized access. For more information, see Rotating security credentials in Db2 Warehouse SaaS.

Before initial configuration, you must collect the following information:

Procedure

  1. AWS S3 and IBM Cloud Object Storage

    Cloud Object Storage credentials:

    • IBM Cloud Object Storage

      
      cos_hmac_keys:
      access_key_id:      7exampledonotusea6440da12685eee02
      secret_access_key:  8not8ed850cddbece407exampledonotuse43r2d2586
                  
    • AWS Simple Storage Service (S3)

      
      access key ID: AKIAIOSFODNN7EXAMPLE
      secret access key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
                  

    Cloud Object Storage bucket name:

    You must create a bucket that will store the audit records. Save the bucket name during initial configuration.

    We recommend not using this bucket for other purposes. Configure encryption, access management, and data retention.

    Set a quota using this guide and an expiration rule using this guide.

  2. Azure Blob Storage

    As part of your dataplane provisioning, a dedicated resource group has been created for audit logging:

    Resource Group:

    rg-ibmbyoc-<short-dataplane-id>-audit

    A storage account has also been provided for your convenience:

    Storage Account:

    stibmbyoc<short-dataplane-id>audit

    Create a Blob Storage container within this account to receive audit logs:

    Option A: Use Azure Portal

    Follow this guide.

    Option B: Use Azure CLI

    
    az login --tenant <your_tenant>
    
    az storage container create \
      --name <your container name> \
      --account-name stibmbyoc<short-dataplane-id>audit \
      --public-access off \
      --auth-mode login
            

    Successful response:

    
    {
      "created": true
    }
            
    Note: You must have the Storage Account's Storage Blob Data Contributor role associated with your User ID.

    Important Notes:

    • Warning:

      Blob Storage containers should not be deleted until Db2 Audit Facility has been disabled (no more active policies on database objects). Sending logs to an invalid container can cause system disruptions.

    • Audit events for the <short-dataplane-id> dataplane can only be sent to Blob Storage containers within the resource group: rg-ibmbyoc-<short-dataplane-id>-audit
    • Multiple Db2 engines can share the same storage account.
    • It is recommended to create a separate container for each engine to keep logs organized.