Define AWS IAM for native audit

Define the Identity and Access Management (IAM) policy for your Amazon Web Services (AWS) account, depending on the required permissions.

Minimum permissions

The minimum IAM permissions allow viewing the configuration and changing tags. They do not allow enabling DB audit or restarting a DB instance. The following JSON policy defines the minimum permissions; without them, cloud database service protection cannot run.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "rds:DescribeDBParameters",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameterGroups",
                "rds:DownloadDBLogFilePortion",
                "rds:DescribeDBLogFiles",
                "rds:ListTagsForResource",
                "rds:RemoveTagsFromResource",
                "rds:AddTagsToResource",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Additional permissions

Full permission is granted by adding the following actions to the policy, in addition to the minimum permissions. Each optional feature lists the actions it requires and the behavior when those actions are not granted.

Enable, disable DB audit on instance
    When not configured, the Enable DB Auditing and Disable DB Auditing buttons are disabled. You need to ask your DBA to enable or disable DB auditing on the DB instance in the AWS console.
    Required actions:
        "rds:CopyDBParameterGroup",
        "rds:CreateDBParameterGroup",
        "rds:ModifyDBInstance",
        "rds:ModifyDBParameterGroup"

Restart DB instance
    When not configured, Restart is disabled, and you need to ask the DBA to restart the DB instance in the AWS console.
    Required actions:
        "rds:RebootDBInstance"

Handle security group when the supported platform is EC2
    When not configured, the DBA needs to add the Guardium® IP address to the security group. When configured, Guardium adds its IP address to the security group of the DB instance. If the Guardium system cannot identify its own IP address because of the network configuration, the DBA needs to add the IP address in the AWS console.
    Required actions:
        "rds:ModifyDBInstance",
        "rds:AuthorizeDBSecurityGroupIngress",
        "rds:CreateDBSecurityGroup"

Handle security group when the supported platform is VPC
    When not configured, the DBA needs to add the Guardium IP address to the security group. When configured, Guardium adds its IP address to the security group of the DB instance. If the Guardium system cannot identify its own IP address because of the network configuration, the DBA needs to add the IP address in the AWS console.
    Required actions:
        "rds:ModifyDBInstance",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup"

When these security group actions are granted, Guardium creates an inbound rule in the security group of the RDS instance that allows the collector public IP address with a /24 CIDR mask (CIDR mask = 24), not only the single collector address.
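As an added example (not Guardium's own code or tooling), the following Python assembles a policy from the minimum action set plus the optional feature sets listed on this page, and statically checks an existing policy document to report which minimum actions are missing and which optional features it fully covers. The feature names are assumed labels for this example; IAM action matching is case-insensitive and accepts "*" wildcards, which the check honors, but it evaluates only Allow statements and ignores Deny, Resource and Condition.

```python
import fnmatch
import json

# Action sets copied from the permission lists on this page.
MINIMUM = [
    "rds:DescribeDBParameters", "rds:DescribeDBInstances", "rds:DescribeDBParameterGroups",
    "rds:DownloadDBLogFilePortion", "rds:DescribeDBLogFiles", "rds:ListTagsForResource",
    "rds:RemoveTagsFromResource", "rds:AddTagsToResource",
    "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs",
]
FEATURES = {  # feature labels are assumptions for this example
    "enable_disable_db_audit": ["rds:CopyDBParameterGroup", "rds:CreateDBParameterGroup",
                                "rds:ModifyDBInstance", "rds:ModifyDBParameterGroup"],
    "restart_db_instance": ["rds:RebootDBInstance"],
    "security_group_ec2": ["rds:ModifyDBInstance", "rds:AuthorizeDBSecurityGroupIngress",
                           "rds:CreateDBSecurityGroup"],
    "security_group_vpc": ["rds:ModifyDBInstance", "ec2:AuthorizeSecurityGroupIngress",
                           "ec2:CreateSecurityGroup"],
}

def build_policy(features=()):
    """Policy document with the minimum actions plus the chosen feature sets (deduplicated)."""
    actions = list(MINIMUM)
    for name in features:
        actions += [a for a in FEATURES[name] if a not in actions]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}

def _allow_patterns(policy):
    """Action patterns from Allow statements, lower-cased for IAM's case-insensitive matching."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        patterns += [a.lower() for a in ([acts] if isinstance(acts, str) else acts)]
    return patterns

def check_policy(policy):
    """Static check of Allow actions only (Deny, Resource and Condition are not evaluated).
    Returns the missing minimum actions and the optional features the policy fully covers."""
    pats = _allow_patterns(policy)
    granted = lambda a: any(fnmatch.fnmatchcase(a.lower(), p) for p in pats)
    missing = [a for a in MINIMUM if not granted(a)]
    enabled = [f for f, acts in FEATURES.items() if all(granted(a) for a in acts)]
    return {"minimum_ok": not missing, "missing_minimum": missing, "enabled_features": enabled}

if __name__ == "__main__":
    print(json.dumps(build_policy(["restart_db_instance"]), indent=2))
    print(check_policy({"Version": "2012-10-17", "Statement": [  # constructed read-only policy
        {"Effect": "Allow", "Action": ["rds:Describe*", "ec2:Describe*"], "Resource": "*"}]}))
```

A policy granting only the Describe wildcards shows up as missing the log download and tag actions, which is the quickest way to see why the minimum set alone is not "read-only".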