Define AWS IAM for native audit
Define the Identity and Access Management (IAM) policy for your Amazon Web Services (AWS) account, depending on the required permissions.
Minimum permissions
The minimum IAM permissions include viewing configuration and changing tags. They do not include enabling the DB audit, or restarting a DB. The following JSON example defines the minimum permissions, without which you cannot run cloud database service protection.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBParameters",
        "rds:DescribeDBInstances",
        "rds:DescribeDBParameterGroups",
        "rds:DownloadDBLogFilePortion",
        "rds:DescribeDBLogFiles",
        "rds:ListTagsForResource",
        "rds:RemoveTagsFromResource",
        "rds:AddTagsToResource",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Additional permissions
Each of the following optional capabilities is enabled by adding its listed actions to the policy. When a capability is not configured, the corresponding function is unavailable in Guardium and a DBA must perform it on the AWS console.
- Enable, disable DB audit on instance
  - When not configured, the Enable DB Auditing and Disable DB Auditing buttons are disabled, and you need to ask your DBA to enable or disable auditing on the DB instance on the AWS console.
  - Actions: "rds:CopyDBParameterGroup", "rds:CreateDBParameterGroup", "rds:ModifyDBInstance", "rds:ModifyDBParameterGroup"
- Restart DB instance
  - When not configured, Restart is disabled, and you need to ask your DBA to restart the DB instance on the AWS console.
  - Actions: "rds:RebootDBInstance"
- Handle security group when the supported platform is EC2
  - When not configured, the DBA needs to add the Guardium® IP to the security group. When configured, Guardium adds its own IP to the security group of the DB instance. If the Guardium system cannot identify its own IP because of the network configuration, the DBA still needs to add the IP on the AWS console.
  - Actions: "rds:ModifyDBInstance", "rds:AuthorizeDBSecurityGroupIngress", "rds:CreateDBSecurityGroup"
- Handle security group when the supported platform is VPC
  - When not configured, the DBA needs to add the Guardium IP to the security group. When configured, Guardium adds its own IP to the security group of the DB instance. If the Guardium system cannot identify its own IP because of the network configuration, the DBA still needs to add the IP on the AWS console.
  - Actions: "rds:ModifyDBInstance", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup"
When the security group actions are configured, Guardium creates an inbound rule in the security group of the RDS instance for the collector's public IP with a /24 CIDR mask. Note that a /24 mask admits the whole 256-address range around the collector's public IP, not only the collector itself, so review the resulting rule against your network's exposure requirements.
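As an added example (not part of the Guardium documentation), the following Python helper encodes the permission sets listed on this page and reports which required actions a given IAM policy lacks, for the minimum set plus any of the optional capabilities, so a policy can be pre-checked before it is attached. The capability names and the sample policy are assumptions made here; only Allow statements are evaluated (no Deny, Condition or Resource handling), so this is a quick gap check, not a replacement for the IAM policy simulator.

```python
from fnmatch import fnmatchcase

# Permission sets as listed on this page: the minimum set, plus the optional
# capability groups that can be layered on top of it (group names are ours).
MINIMUM = {
    "rds:DescribeDBParameters", "rds:DescribeDBInstances",
    "rds:DescribeDBParameterGroups", "rds:DownloadDBLogFilePortion",
    "rds:DescribeDBLogFiles", "rds:ListTagsForResource",
    "rds:RemoveTagsFromResource", "rds:AddTagsToResource",
    "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs",
}
CAPABILITIES = {
    "enable_disable_audit": {"rds:CopyDBParameterGroup", "rds:CreateDBParameterGroup",
                             "rds:ModifyDBInstance", "rds:ModifyDBParameterGroup"},
    "restart_instance": {"rds:RebootDBInstance"},
    "security_group_ec2": {"rds:ModifyDBInstance", "rds:AuthorizeDBSecurityGroupIngress",
                           "rds:CreateDBSecurityGroup"},
    "security_group_vpc": {"rds:ModifyDBInstance", "ec2:AuthorizeSecurityGroupIngress",
                           "ec2:CreateSecurityGroup"},
}

def allowed_patterns(policy):
    """Action patterns from Allow statements; Action may be a string or a list.
    Deny statements, Condition blocks and Resource scoping are not evaluated."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            act = stmt.get("Action", [])
            patterns.extend([act] if isinstance(act, str) else act)
    return patterns

def is_allowed(action, patterns):
    """IAM action names match case-insensitively and may contain '*' wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def required_actions(capabilities=()):
    return set(MINIMUM).union(*(CAPABILITIES[c] for c in capabilities))

def missing_actions(policy, capabilities=()):
    """Required actions (minimum plus the named capabilities) the policy does not grant."""
    patterns = allowed_patterns(policy)
    return sorted(a for a in required_actions(capabilities) if not is_allowed(a, patterns))

def build_policy(capabilities=()):
    """Single-statement policy granting exactly the minimum plus the named capabilities."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": sorted(required_actions(capabilities)), "Resource": "*"}]}

# Constructed sample: a read-only wildcard policy, which lacks the tag and log-download actions.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["rds:Describe*", "ec2:Describe*"], "Resource": "*"}]}
```

Running `missing_actions(SAMPLE_POLICY, ["restart_instance"])` lists the four tag and log actions plus `rds:RebootDBInstance`; `build_policy([...])` emits a least-privilege policy for exactly the capabilities you intend to enable.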