Authenticating by using IAM Role for AWS database service

About this task

Applies to Guardium 12.1 and later. Learn how to connect to AWS database services by using an IAM role instead of long-lived database credentials.

Procedure

  1. Log in to the AWS Management Console and make sure that you are signed in to the account that owns the database service. IAM is a global service, so the region that is selected in the console does not affect the following steps.
  2. Click Services. Then, from the Security, Identity, & Compliance menu, select IAM.
  3. From the menu, select Roles and then click Create role.
  4. Under Common use cases, select EC2. Click Next: Permissions, then click Next: Tags, and then click Next: Review.
  5. In the Role name field, enter the name of the role that you want to create. Example: Guardium_AWS_<databaseName>_Role.
  6. Click Create role. The role ARN has the following format: arn:aws:iam::<AWS Account ID>:role/<Role name>. Because the role was created for the EC2 use case, the console also creates an instance profile of the same name, arn:aws:iam::<AWS Account ID>:instance-profile/<Role name>. The trust policy in step 8 and the Guardium configuration refer to the role ARN, not to the instance-profile ARN.
  7. Click Attach policies and then click Create policy to create the three policies that integrate your Guardium® system with AWS database services; the first two are shown here. You can use the visual editor or JSON to add your code.
    1. Create a policy that allows the caller to assume the role. Attach this policy to the identity that assumes the role (the secret user whose access key is stored in AWS Secrets Manager, or the instance-profile role when you use role chaining); the role itself only needs the permissions policy that follows.
      Example code:
      Database-assume-role-policy
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Resource": "arn:aws:iam::*:role/*"
              }
          ]
      }
      As written, the policy lets the identity assume any role in any AWS account. Narrow Resource to the ARN of the role from step 6, for example arn:aws:iam::<AWS Account ID>:role/Guardium_AWS_<databaseName>_Role, so that a leaked access key cannot be used to assume other roles.
      Click Review policy and save the policy. The policy ARN has the following format: arn:aws:iam::<AWS Account ID>:policy/<policy-name>
    2. Create a second policy with the minimum permissions required to run VA tests for your AWS database services, and attach it to the role from step 6.
      Example code for DynamoDB:
      DynamoDB-VA-policy
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": [
                      "dynamodb:DescribeTable",
                      "dynamodb:GetResourcePolicy",
                      "dynamodb:ListTables",
                      "dynamodb:ListStreams",
                      "dynamodb:CreateTable",
                      "dynamodb:DeleteTable",
                      "dynamodb:DescribeContinuousBackups",
                      "cloudtrail:ListTrails",
                      "cloudtrail:GetEventSelectors",
                      "iam:ListEntitiesForPolicy"
                  ],
                  "Resource": "*"
              }
          ]
      }

      Resource is "*" because dynamodb:ListTables, dynamodb:ListStreams and cloudtrail:ListTrails are not resource-scoped. A Resource from another service's ARN namespace (for example arn:aws:secretsmanager:*:<AWS Account ID>:secret:*) matches none of these actions, and the policy then grants nothing. If you want to limit the table-level actions (DescribeTable, GetResourcePolicy, CreateTable, DeleteTable, DescribeContinuousBackups) to specific tables, move them into a separate statement whose Resource lists the table ARNs.

      Click Review policy and save the policy. The policy ARN has the following format: arn:aws:iam::<AWS Account ID>:policy/<policy-name>

  8. Define the trust relationship of the role, that is, which principals are allowed to assume it. Go to Services > Identity and Access Management (IAM) > Roles, select the role, click Trust relationships, then click Edit trust relationship and enter the trust policy. Example:
    Trust relationship
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::012345678901:role/Test1_Guardium_AWS_Database",
              "arn:aws:iam::012345678901:user/nameofuser"
            ],
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    In the example, 012345678901 is a placeholder for your 12-digit AWS account ID and nameofuser is the IAM user (the secret user) whose access key ID and secret access key you configure in Guardium. The Service principal ec2.amazonaws.com lets the EC2 instance profile that was created with the role in step 4 assume the role.

    Include the line arn:aws:iam::012345678901:role/Test1_Guardium_AWS_Database only when Guardium runs on an EC2 instance with an IAM instance profile and that instance's role must assume an alternate role (role chaining). In the example, Test1_Guardium_AWS_Database is the instance-profile role that is allowed to assume the alternate role Guardium_AWS_<databaseName>_Role. Every principal that is listed can assume the role, so remove the entries that you do not use.

    The trust policy must be valid JSON: a trailing comma after the last array element is rejected by the editor, and a space inside an ARN string produces a principal that never matches.

    Review the code and click Update trust policy.
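
    The assume-role policy, the permissions policy and the trust policy only work together if they agree on the account ID and role names and are valid JSON, and the console's JSON editor does not check the semantic mistakes (a Resource from the wrong service, an AssumeRole that is open to every account). The following Python script is an added example, not IBM Guardium's own code or tooling: it builds the three documents from placeholders, renders them for the console, and runs a small lint (check_policy) that flags whitespace inside an ARN, an account ID that is not 12 digits, a Resource whose service cannot match the statement's actions, and an AssumeRole statement that allows any account. The account ID 012345678901, the role name Guardium_AWS_DynamoDB_Role (assuming <databaseName> is DynamoDB), Test1_Guardium_AWS_Database and nameofuser are placeholders, not real identifiers.

```python
"""Build and lint the IAM documents used in this procedure.

Added example, not IBM Guardium's own code or tooling. Account ID, role names
and user name are placeholders (constructed or taken from the page's examples);
<databaseName> is assumed to be DynamoDB.
"""
import json
import re

ACCOUNT_ID = "012345678901"                  # constructed 12-digit AWS account ID
TARGET_ROLE = "Guardium_AWS_DynamoDB_Role"   # Guardium_AWS_<databaseName>_Role from step 5
SOURCE_ROLE = "Test1_Guardium_AWS_Database"  # role of the Guardium EC2 instance profile
SECRET_USER = "nameofuser"                   # IAM user whose keys go into Secrets Manager

# Actions the page lists for DynamoDB VA tests.
DYNAMODB_VA_ACTIONS = [
    "dynamodb:DescribeTable", "dynamodb:GetResourcePolicy", "dynamodb:ListTables",
    "dynamodb:ListStreams", "dynamodb:CreateTable", "dynamodb:DeleteTable",
    "dynamodb:DescribeContinuousBackups", "cloudtrail:ListTrails",
    "cloudtrail:GetEventSelectors", "iam:ListEntitiesForPolicy",
]


def assume_role_policy(account_id, target_role):
    """Identity policy for the secret user: may assume only the Guardium role
    (the page's arn:aws:iam::*:role/* would allow any role in any account)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AssumeGuardiumRole", "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{account_id}:role/{target_role}"}]}


def dynamodb_va_policy(actions=DYNAMODB_VA_ACTIONS):
    """Permissions policy for the Guardium role. ListTables, ListStreams and
    ListTrails are not resource-scoped, so Resource must be "*"."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "GuardiumDynamoDBVA", "Effect": "Allow", "Action": list(actions),
        "Resource": "*"}]}


def trust_policy(account_id, source_role, secret_user):
    """Trust policy on the Guardium role: EC2 (instance profile), the instance's
    own role (role chaining) and the secret user may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{account_id}:role/{source_role}",
                              f"arn:aws:iam::{account_id}:user/{secret_user}"],
                      "Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_policy(doc):
    """Lint a permissions or trust document; returns findings (empty = clean)."""
    findings = []
    for stmt in doc.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        arns = _as_list(stmt.get("Resource", []))
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            arns += _as_list(principal.get("AWS", []))
        for arn in arns:
            if arn != arn.strip():
                findings.append(f"whitespace inside ARN {arn!r}")
            arn = arn.strip()
            if not arn.startswith("arn:"):     # "*" or a bare account ID principal
                continue
            parts = arn.split(":", 5)          # arn:partition:service:region:account:resource
            if len(parts) != 6:
                findings.append(f"malformed ARN {arn!r}")
                continue
            service, account = parts[2], parts[4]
            if account not in ("", "*") and not re.fullmatch(r"\d{12}", account):
                findings.append(f"account ID {account!r} is not 12 digits")
            for action in actions:
                # sts:AssumeRole targets IAM role ARNs; every other action must
                # name a resource in its own service namespace.
                act_service = action.split(":")[0]
                wanted = "iam" if act_service == "sts" else act_service
                if service != wanted:
                    findings.append(f"{action} cannot match {service} resource {arn!r}")
                if action == "sts:AssumeRole" and account == "*":
                    findings.append("sts:AssumeRole allowed on roles in any account")
    return findings


def render(doc):
    """JSON as the console's policy editor expects it (no trailing commas)."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for name, doc in [("assume-role", assume_role_policy(ACCOUNT_ID, TARGET_ROLE)),
                      ("dynamodb-va", dynamodb_va_policy()),
                      ("trust", trust_policy(ACCOUNT_ID, SOURCE_ROLE, SECRET_USER))]:
        print(f"# {name}: {check_policy(doc) or 'no findings'}")
        print(render(doc))
```

    Paste each rendered document into the console's JSON editor, or save it to a file and create the objects with the AWS CLI (aws iam create-role --assume-role-policy-document file://trust.json for the role, aws iam create-policy --policy-document file://policy.json for each policy). Running check_policy on a document that uses the page's original Resource of arn:aws:secretsmanager:*:<AWS Account ID>:secret:* for the DynamoDB actions reports one mismatch per action, which is exactly the case where the console accepts the policy but Guardium's VA tests are denied.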

What to do next

Note the following information:

  • The access key ID and the secret access key for the secret user.
  • The role ARN that is created in step 6.
This information is used to configure the AWS Secrets Manager on your Guardium system.