AWS IAM definition

Define the IAM policy for your AWS account according to the permissions that the Guardium features you intend to use require.

The minimum IAM permissions cover viewing the configuration and log files of the DB instance and changing its tags. They do not include enabling DB auditing or restarting a DB instance. The following JSON defines the minimum permissions; without them, cloud database service protection cannot run. The policy uses "Resource": "*"; note that the ec2:Describe* actions do not support resource-level permissions, so a wildcard resource is required at least for those actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "rds:DescribeDBParameters",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameterGroups",
                "rds:DownloadDBLogFilePortion",
                "rds:DescribeDBLogFiles",
                "rds:ListTagsForResource",
                "rds:RemoveTagsFromResource",
                "rds:AddTagsToResource",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Full functionality is enabled by adding the following actions to the policy. Each feature lists the actions it requires and what happens when they are not granted.

Enable or disable DB audit on an instance
When not configured, the Enable DB Auditing and Disable DB Auditing buttons are grayed out, and you need to ask the DBA to enable or disable auditing on the DB instance in the AWS console.
Required actions:
"rds:CopyDBParameterGroup"
"rds:CreateDBParameterGroup"
"rds:ModifyDBInstance"
"rds:ModifyDBParameterGroup"

Restart DB instance
When not configured, the Restart button is grayed out, and you need to ask the DBA to restart the DB instance in the AWS console.
Required actions:
"rds:RebootDBInstance"

Handle the security group when the supported platform is EC2
When not configured, the DBA needs to add the Guardium IP to the security group. When configured, Guardium adds its IP to the security group of the DB instance. If the Guardium system cannot identify its own IP because of the network configuration, the DBA needs to add the IP in the AWS console.
Required actions:
"rds:ModifyDBInstance"
"rds:AuthorizeDBSecurityGroupIngress"
"rds:CreateDBSecurityGroup"

Handle the security group when the supported platform is VPC
When not configured, the DBA needs to add the Guardium IP to the security group. When configured, Guardium adds its IP to the security group of the DB instance. If the Guardium system cannot identify its own IP because of the network configuration, the DBA needs to add the IP in the AWS console.
Required actions:
"rds:ModifyDBInstance"
"ec2:AuthorizeSecurityGroupIngress"
"ec2:CreateSecurityGroup"

When these security group permissions are configured, Guardium creates an inbound rule in the security group of the RDS instance for the collector's public IP with a /24 CIDR mask. A /24 rule admits the entire 256-address block that contains the collector's IP, not only the collector itself, so review the rule if the collector shares that block with hosts you do not trust.
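The following Python script is an added example, not part of the IBM documentation or the Guardium product. It encodes the minimum action list and the per-feature action lists from this page, builds a policy document with one statement per feature so that each grant can be reviewed and revoked on its own, and checks an arbitrary policy to report which Guardium features it enables (and therefore which buttons would stay grayed out). The Sid names, the function names, the constructed sample policy, and the collector IP 203.0.113.77 are assumptions made for illustration; the check covers the Action element only (with IAM's "*" wildcard and explicit Deny precedence) and ignores Resource and Condition, so it is not a substitute for the IAM policy simulator.

```python
"""Build and check an IAM policy for Guardium cloud database service protection.

Added example, not IBM's code. Action lists are taken from the documentation
above; Sid names, helper names and the sample inputs are assumptions.
"""
import fnmatch
import ipaddress
import json

# Minimum permissions: view configuration and log files, manage tags.
MIN_ACTIONS = [
    "rds:DescribeDBParameters",
    "rds:DescribeDBInstances",
    "rds:DescribeDBParameterGroups",
    "rds:DownloadDBLogFilePortion",
    "rds:DescribeDBLogFiles",
    "rds:ListTagsForResource",
    "rds:RemoveTagsFromResource",
    "rds:AddTagsToResource",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeVpcs",
]

# Optional features and the extra actions each one needs (from the table above).
FEATURE_ACTIONS = {
    "audit": [
        "rds:CopyDBParameterGroup",
        "rds:CreateDBParameterGroup",
        "rds:ModifyDBInstance",
        "rds:ModifyDBParameterGroup",
    ],
    "restart": ["rds:RebootDBInstance"],
    "security_group_ec2": [
        "rds:ModifyDBInstance",
        "rds:AuthorizeDBSecurityGroupIngress",
        "rds:CreateDBSecurityGroup",
    ],
    "security_group_vpc": [
        "rds:ModifyDBInstance",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
    ],
}


def build_policy(features=(), resource="*"):
    """Return a policy document with one statement for the minimum set and one
    statement per requested feature. `resource` defaults to "*" as in the
    documentation; the Sid naming scheme is an assumption of this example."""
    statements = [{"Sid": "GuardiumMinimum", "Effect": "Allow",
                   "Action": MIN_ACTIONS, "Resource": resource}]
    for name in features:
        sid = "Guardium" + "".join(part.title() for part in name.split("_"))
        statements.append({"Sid": sid, "Effect": "Allow",
                           "Action": FEATURE_ACTIONS[name], "Resource": resource})
    return {"Version": "2012-10-17", "Statement": statements}


def action_allowed(policy, action):
    """Decide whether `action` is allowed by the policy's Action elements:
    an explicit Deny wins, otherwise any matching Allow grants it. Patterns may
    use IAM's "*" wildcard (e.g. "rds:Describe*"). Resource and Condition are
    ignored, so this is an action-list check, not a full policy simulation."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_minimum(policy):
    """Return the minimum actions the policy does not allow (empty means the
    policy meets the minimum requirement)."""
    return [a for a in MIN_ACTIONS if not action_allowed(policy, a)]


def granted_features(policy):
    """Return the optional features whose complete action list is allowed;
    a feature missing from the result corresponds to a grayed-out button."""
    return sorted(name for name, acts in FEATURE_ACTIONS.items()
                  if all(action_allowed(policy, a) for a in acts))


def ingress_cidr(collector_ip):
    """Return the CIDR that an inbound rule built from the collector's public IP
    with a /24 mask actually opens: the whole 256-address block, not one host."""
    return str(ipaddress.ip_network(f"{collector_ip}/24", strict=False))


if __name__ == "__main__":
    # Constructed sample: the minimum set plus the restart feature only.
    sample = build_policy(["restart"])
    print(json.dumps(sample, indent=2))
    print("missing minimum actions:", missing_minimum(sample))
    print("features granted:", granted_features(sample))
    # Constructed collector IP from the TEST-NET-3 documentation range.
    print("ingress rule opens:", ingress_cidr("203.0.113.77"))
```

To check a policy that already exists in your account, load the policy document JSON (for example the output of `aws iam get-policy-version`) and pass the parsed dictionary to `missing_minimum` and `granted_features`; an empty list from the first and the features you expect from the second is the condition under which none of the buttons described above are grayed out.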