Connecting IBM Guardium DSPM with Amazon Web Services cloud accounts
You can connect a single Amazon Web Services (AWS) account or multiple AWS accounts with IBM Guardium DSPM by using a CloudFormation Stack (one account) or a CloudFormation StackSet (several accounts) so that Guardium DSPM can discover sensitive data in those accounts. When you provision Guardium DSPM in your cloud environment, the process automatically creates three IAM roles that Guardium DSPM needs to operate.
Before you begin
This content is available through the Guardium DSPM module.
Verify that you have the following before you start the process of connecting your Amazon Web Services (AWS) cloud accounts with Guardium DSPM:
- List of AWS account IDs to be connected to Guardium DSPM
- An AWS user with administrator permissions to run the CloudFormation templates
- A main cloud account for Guardium DSPM that has a subnet with outbound internet access on TCP port 443 (destination 0.0.0.0/0)
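The subnet prerequisite is the one most often missed in practice, because outbound access depends on three things: an active default route to an internet or NAT gateway, a network ACL egress rule for TCP 443, and, since network ACLs are stateless, an ingress rule for the ephemeral-port return traffic. The following script is an added example, not part of this page or of IBM's CloudFormation templates: it evaluates the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-network-acls` return for a subnet and reports which of the three conditions fail. All route table, gateway and ACL identifiers in it are constructed placeholders.

```python
"""Offline pre-check for the Guardium DSPM subnet prerequisite.

Collect the inputs for your subnet with (replace <subnet-id>):
  aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<subnet-id>
  aws ec2 describe-network-acls  --filters Name=association.subnet-id,Values=<subnet-id>
The dicts below are constructed samples in that output shape, not captured data.
"""

# Constructed sample: public subnet with a default route to an internet gateway.
ROUTE_TABLES_PUBLIC = {"RouteTables": [{"RouteTableId": "rtb-0a1b2c3d4e5f60718", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0fedcba9876543210", "State": "active"},
]}]}

# Constructed sample: the NAT gateway behind the default route was deleted, so
# the route is "blackhole" and the subnet cannot reach the internet at all.
ROUTE_TABLES_ISOLATED = {"RouteTables": [{"RouteTableId": "rtb-0f0e0d0c0b0a09080", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-00112233445566778", "State": "blackhole"},
]}]}

# Constructed sample NACL: egress TCP 443 allowed and ephemeral ingress allowed.
NACL_OPEN = {"NetworkAcls": [{"NetworkAclId": "acl-0123456789abcdef0", "Entries": [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]}]}

# Constructed sample NACL: egress 443 allowed but only SSH inbound, so the TLS
# handshake's return packets are dropped by the stateless ACL.
NACL_RETURN_BLOCKED = {"NetworkAcls": [{"NetworkAclId": "acl-0fedcba9876543210", "Entries": [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]}]}


def default_route_target(route_tables):
    """Return the gateway behind the active 0.0.0.0/0 route, or None.
    Blackhole routes and non-gateway targets (peering, transit gateway) do not count."""
    for table in route_tables.get("RouteTables", []):
        for route in table.get("Routes", []):
            if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
                continue
            target = route.get("GatewayId") or route.get("NatGatewayId") or ""
            if target.startswith(("igw-", "nat-")):
                return target
    return None


def nacl_permits(network_acls, *, egress, ports, cidr="0.0.0.0/0"):
    """Evaluate one direction of the subnet's NACL in RuleNumber order, as the
    VPC does: the first entry covering `cidr` on the whole TCP range `ports`
    decides. Narrower-CIDR entries are skipped because they cannot give a
    verdict for every internet destination; the trailing 32767 entry in the
    API output is the implicit deny, so falling through it returns False."""
    lo, hi = ports
    for acl in network_acls.get("NetworkAcls", []):
        entries = sorted((e for e in acl.get("Entries", []) if bool(e.get("Egress")) == egress),
                         key=lambda e: e["RuleNumber"])
        for entry in entries:
            if entry.get("CidrBlock") != cidr or entry.get("Protocol") not in ("-1", "6"):
                continue
            if entry["Protocol"] == "6":
                pr = entry.get("PortRange", {})
                if not (pr.get("From", 0) <= lo and hi <= pr.get("To", 65535)):
                    continue
            return entry["RuleAction"] == "allow"
    return False


def check_subnet_egress(route_tables, network_acls):
    """Return (ok, findings) for the outbound-443 prerequisite."""
    findings = []
    if default_route_target(route_tables) is None:
        findings.append("no active 0.0.0.0/0 route via an internet or NAT gateway")
    if not nacl_permits(network_acls, egress=True, ports=(443, 443)):
        findings.append("NACL does not allow egress TCP 443 to 0.0.0.0/0")
    if not nacl_permits(network_acls, egress=False, ports=(1024, 65535)):
        findings.append("NACL does not allow ingress TCP 1024-65535 for return traffic")
    return (not findings, findings)


if __name__ == "__main__":
    for name, rt, acl in (("public", ROUTE_TABLES_PUBLIC, NACL_OPEN),
                          ("isolated", ROUTE_TABLES_ISOLATED, NACL_RETURN_BLOCKED)):
        ok, findings = check_subnet_egress(rt, acl)
        print(name, "OK" if ok else "FAIL", findings)
```

Security groups are deliberately left out: they are attached to the analyzer instance, not to the subnet, so they belong to the analyzer installation step rather than to this account-level prerequisite. If the subnet uses a NAT gateway, also confirm that the NAT gateway's own public subnet passes the same route and ACL checks.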
Procedure
Results
- Cross-Account Role: Scans and monitors the metadata of the data assets that Guardium DSPM discovers. It is a read-only role with some create permissions, mainly for the Guardium DSPM resources that are used to categorize data.
- Analyzer Role: Reads the data inside your data stores so that the Guardium DSPM analyzer can classify their contents. Only the Guardium DSPM analyzer can access the data stores and the stored data in your cloud account. Guardium DSPM uses a t2.large instance type as the analyzer.
- Log Ingestion Role: Enables Guardium DSPM to process your data store logs.
For more information about the scope of permissions for these roles, see Roles and Permissions for Amazon Web Services accounts.
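Because these roles are assumed from outside your account, the control that matters most after the stack finishes is each role's trust policy: which principal can call sts:AssumeRole on it and under what condition. The following script is an added example, not part of this page or of IBM's templates: it audits a trust policy document as returned by `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument`. The sts:ExternalId check reflects the standard AWS cross-account pattern against the confused-deputy problem; this page does not state which condition IBM's template uses, so confirm that finding against the Roles and Permissions reference rather than treating it as a defect. The account IDs and ExternalId value are constructed placeholders.

```python
"""Audit the trust policy of a role that a third party assumes cross-account.

Both policies below are constructed samples; the account IDs and the
ExternalId are placeholders, not values from any vendor template.
"""
import json

# Constructed sample: trusts one specific account and requires an ExternalId.
TRUST_SCOPED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}""")

# Constructed sample: any AWS principal may assume the role, with no ExternalId.
TRUST_OPEN = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "sts:AssumeRole"
  }]
}""")


def as_list(value):
    """IAM allows a string or a list in Action and Principal fields; normalize."""
    return [value] if isinstance(value, str) else list(value or [])


def principal_accounts(principal):
    """Account IDs named under Principal.AWS ('*' for a wildcard). Service
    principals (e.g. ec2.amazonaws.com on an instance role) are not account
    trusts and yield an empty set."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for p in as_list(principal.get("AWS")):
        if p == "*":
            accounts.add("*")
        elif p.startswith("arn:"):
            accounts.add(p.split(":")[4])  # arn:partition:iam::ACCOUNT:...
        else:
            accounts.add(p)                # bare 12-digit account ID form
    return accounts


def audit_trust_policy(policy, allowed_accounts):
    """Return a list of findings; empty means only `allowed_accounts` can call
    sts:AssumeRole, and only with an sts:ExternalId condition."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        accounts = principal_accounts(stmt.get("Principal", {}))
        if not accounts:
            continue  # service principal only; ExternalId does not apply
        if "*" in accounts:
            findings.append(f"statement {i}: wildcard principal can assume the role")
        unexpected = accounts - set(allowed_accounts) - {"*"}
        if unexpected:
            findings.append(f"statement {i}: unexpected principal account(s) {sorted(unexpected)}")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(TRUST_SCOPED, ["111122223333"]))  # []
    print(audit_trust_policy(TRUST_OPEN, ["111122223333"]))
```

Run it against all three roles the stack created, passing the vendor's account ID as the only allowed account. For the Analyzer Role, which the analyzer instance itself uses, expect a service principal rather than an account trust; the audit deliberately reports nothing for that case.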
What to do next
After you successfully connect a cloud provider account, expand the account on the Cloud Accounts page to see the regions associated with it and the number of data stores discovered in each region. Use this view to prioritize the regions in which to install the Guardium DSPM analyzer, and to spot rogue data stores that you were not aware of.
To know how to install the Guardium DSPM analyzer in a region of your choice, see Installing the DSPM Analyzer in Relevant Regions.