Connecting IBM Guardium DSPM with Amazon Web Services cloud accounts

You can connect a single Amazon Web Services (AWS) account or multiple AWS accounts with IBM Guardium DSPM by using a CloudFormation Stack or a CloudFormation StackSet to discover sensitive data in the cloud accounts. When you provision Guardium DSPM to your cloud environment, the process automatically creates three roles that Guardium DSPM needs to operate.

Before you begin

This content is available through the Guardium DSPM module.

Verify that you have the following before you start the process of connecting your Amazon Web Services (AWS) cloud accounts with Guardium DSPM:

  • List of AWS account IDs to be connected to Guardium DSPM
  • An admin AWS user to run the CloudFormation scripts
  • A main cloud account for Guardium DSPM that has a subnet with outbound access to the internet on port 443 (0.0.0.0:443)
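The following pre-flight script is an added example, not IBM's code, for checking the three prerequisites before you start the procedure. It validates the list of account IDs and inspects the main account's subnet for a default route and a security group egress rule that allows TCP 443 to the internet. The JSON inputs are constructed to mirror the shape of the `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` CLI output; the subnet, route table, security group and account IDs in them are placeholders.

```python
"""Pre-flight checks for onboarding a main account (added example, not IBM's code)."""
import json
import re

# Constructed sample in the shape of `aws ec2 describe-route-tables`: one subnet
# with a default route to an internet gateway, one isolated subnet. IDs are placeholders.
ROUTE_TABLES_JSON = json.dumps({
    "RouteTables": [
        {"RouteTableId": "rtb-0example",
         "Associations": [{"SubnetId": "subnet-0main"}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
        {"RouteTableId": "rtb-1isolated",
         "Associations": [{"SubnetId": "subnet-1isolated"}, {"Main": True}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    ]
})

# Constructed sample in the shape of `aws ec2 describe-security-groups`.
SECURITY_GROUPS_JSON = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0egress443",
         "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-1locked",
         "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                  "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    ]
})

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def validate_account_ids(ids):
    """Return the entries that are not well-formed 12-digit AWS account IDs."""
    return [i for i in ids if not ACCOUNT_ID_RE.match(str(i).strip())]


def _route_table_for_subnet(tables, subnet_id):
    """Explicitly associated table wins; otherwise the VPC's main table applies."""
    main = None
    for table in tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def subnet_has_default_route(route_tables_json, subnet_id):
    """True if 0.0.0.0/0 is routed to an internet gateway or NAT gateway."""
    table = _route_table_for_subnet(json.loads(route_tables_json)["RouteTables"], subnet_id)
    if table is None:
        return False
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        target = route.get("GatewayId") or route.get("NatGatewayId") or ""
        if target.startswith(("igw-", "nat-")):
            return True
    return False


def sg_allows_egress_443(security_groups_json, group_id):
    """True if the group's egress rules permit TCP/443 (or all traffic) to 0.0.0.0/0."""
    for sg in json.loads(security_groups_json)["SecurityGroups"]:
        if sg["GroupId"] != group_id:
            continue
        for perm in sg.get("IpPermissionsEgress", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if proto == "tcp" and not lo <= 443 <= hi:
                continue
            if any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                return True
    return False


def preflight(account_ids, route_tables_json, subnet_id, security_groups_json, group_id):
    """Collect prerequisite failures; an empty list means the account is ready to onboard."""
    problems = []
    bad = validate_account_ids(account_ids)
    if bad:
        problems.append(f"malformed account IDs: {bad}")
    if not subnet_has_default_route(route_tables_json, subnet_id):
        problems.append(f"{subnet_id} has no default route to an internet/NAT gateway")
    if not sg_allows_egress_443(security_groups_json, group_id):
        problems.append(f"{group_id} does not allow egress to 0.0.0.0/0 on TCP 443")
    return problems


if __name__ == "__main__":
    # "123456789012" is a placeholder account ID; "12345" is deliberately malformed.
    print(preflight(["123456789012", "12345"], ROUTE_TABLES_JSON, "subnet-0main",
                    SECURITY_GROUPS_JSON, "sg-0egress443"))
```

In practice, feed `preflight` the real CLI output for the subnet and security group the analyzers will use; a non-empty result means the Install Role step is likely to end in Failed or the analyzer will not be able to reach Guardium DSPM.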

Procedure

  1. Onboard first the account that will act as the main account: the account where the Guardium DSPM analyzers will be installed.
    Note: You cannot change the main account after its connection to Guardium DSPM is completed.
  2. In the main menu, click Configurations>Connections>Cloud accounts.
  3. In the Cloud Accounts page, click New Cloud Account.
  4. In the Connect new cloud account dialog box, select Cloud providers, and then click Start.
  5. In the Add cloud account dialog box, select Amazon Web Services, and then click Next.
  6. In the Add account from dialog box, provide your account details (Account ID and Account name), and then click the plus icon.
    Note: If you want to add more than one account, repeat step 6 as many times as required.
  7. After you have added all the accounts, click Install Role for a cloud account.
    Note: Verify that you are logged in to the cloud account before you click Install Role for that account.

    After you click Install Role for an account, the status of Role Installation for the cloud account changes to running, and then to Completed or Failed.

  8. Approve the CloudFormation template in the AWS console that opens in a new tab, and then click Create Stack.
  9. (Optional) If you have added more than one account, repeat steps 7 and 8 as many times as you need.
  10. After you have attempted to install roles for all the cloud accounts you have added, click Next.
    You get either of the following overall status messages:
    • All Done, signifying that all the cloud accounts are connected successfully.
    • Almost Done, signifying that some of the cloud accounts are connected successfully, and to connect the rest of the cloud accounts, you can click Contact Us.
    • Something went wrong…, signifying that connection to the cloud accounts failed, and to connect the cloud accounts, you can click Contact Us.

Results

While you connect Guardium DSPM to an AWS cloud account, the following three roles are automatically created:
  • Cross-Account Role: Scans and monitors the metadata of the data assets that Guardium DSPM discovers. It is a read-only role with some create permissions, mainly on the Guardium DSPM resources that are used for data categorization.
  • Analyzer Role: Reads the data inside your data stores, allowing the Guardium DSPM analyzer to classify what’s inside the data stores. Only a Guardium DSPM analyzer can access the data stores and the stored data in your cloud account. A t2.large instance type is used as the analyzer by Guardium DSPM.
  • Log Ingestion Role: Enables Guardium DSPM to process your data store logs.

For more information about the scope of permissions of these roles, see Roles and Permissions for Amazon Web Services accounts.
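Because the Cross-Account Role is described as read-only with some create permissions, a practitioner will usually want to confirm that after the stack completes. The review script below is an added example, not IBM's code: it reports who may assume a role and whether the trust is bound by an external ID, and splits the role's allowed actions into read-only, write and wildcard buckets. Both policy documents are constructed in the shape that `aws iam get-role` and `aws iam get-role-policy` return; the trusted account ID, the external ID value and the actions are placeholders, not Guardium DSPM's actual policy.

```python
"""Post-install review of an auto-created cross-account role (added example, not IBM's code)."""

# Constructed trust policy (shape of Role.AssumeRolePolicyDocument from `aws iam get-role`).
# The principal account and external ID are placeholders.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}

# Constructed permission policy: mostly read actions, one scoped create, one wildcard.
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "rds:DescribeDBInstances"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:CreateBucket", "Resource": "arn:aws:s3:::dspm-example-*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    ],
}

# Action-name prefixes that AWS uses for read-only operations.
READ_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_doc):
    """Return (principal ARNs, has_external_id) for Allow sts:AssumeRole statements."""
    principals, has_external_id = [], False
    for stmt in trust_doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals.extend(_as_list(stmt.get("Principal", {}).get("AWS", [])))
        for operator_values in stmt.get("Condition", {}).values():
            if "sts:ExternalId" in operator_values:
                has_external_id = True
    return principals, has_external_id


def classify_actions(policy_doc):
    """Split Allow actions into read-only, write and wildcard buckets."""
    buckets = {"read": [], "write": [], "wildcard": []}
    for stmt in policy_doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, _, name = action.partition(":")
            if action == "*" or "*" in name:
                buckets["wildcard"].append(action)
            elif name.startswith(READ_PREFIXES):
                buckets["read"].append(action)
            else:
                buckets["write"].append(action)
    return buckets


def review_role(trust_doc, policy_doc):
    """Summarize what a reviewer should look at: trust scope and non-read actions."""
    principals, has_external_id = trusted_principals(trust_doc)
    actions = classify_actions(policy_doc)
    return {
        "principals": principals,
        "external_id_required": has_external_id,
        "write_actions": actions["write"],
        "wildcard_actions": actions["wildcard"],
    }


if __name__ == "__main__":
    print(review_role(TRUST_POLICY, PERMISSION_POLICY))
```

Any wildcard action or an unexpected principal in the summary is worth reconciling against the Roles and Permissions for Amazon Web Services accounts page before you treat the role as read-only.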

What to do next

After a cloud provider account is connected successfully, expand the account in the Cloud Accounts page to see the regions that are associated with it and the number of discovered data stores in each region. This lets you prioritize installing the Guardium DSPM analyzer in a region, as required, and it can also reveal a rogue data store that you were not aware of.

To know how to install the Guardium DSPM analyzer in a region of your choice, see Installing the DSPM Analyzer in Relevant Regions.