Create, modify, delete cloud accounts

Create a cloud database service account using the access key pair supplied by your cloud services provider, then modify or delete the account as needed.

Create cloud account

About this task

Prerequisite: Define the AWS IAM policy, see AWS IAM definition.

Tip: If you are managing a large number of databases in this account, consider defining a default classification process. This saves you from defining the properties for each discovered database.

Procedure

  1. Navigate to Discover > Database Discovery > Cloud DB Service Protection.
  2. Click the plus sign to open the Create Cloud DB Service Account Definition pane.
  3. Define the account.
    • Unique account name
    • Provider
    • Access key ID and secret access key, as supplied by your cloud services provider. The secret access key functions as a password, so protect it accordingly, and use the key pair of the IAM user that carries the policy from the prerequisite rather than your AWS account root keys. Both the account name and the access key ID must be unique, so you cannot have multiple account names with the same access key ID.
    • Limit objects added automatically (optional): The maximum number of objects found by classification that can be automatically enabled for object auditing when DB auditing is enabled. You can modify this per database after the databases are discovered. Objects that are enabled automatically appear as Enabled in the managed objects window.
      If you want Guardium to add objects automatically, set a high but reasonable limit that reflects what you expect the classification process to find. Do not set it too high: the limit also protects against an overflow of audited objects if there is a mistake in your classification, and an overflow can affect database performance. Zero (0) means no objects are automatically enabled for object auditing.
      The limit applies to each classification run as a whole: if the number of objects already enabled for object auditing plus the number of newly classified objects exceeds the limit, none of the new objects are enabled. For example, with the limit set to 15:
      • If Classification identifies 5 objects the first time it runs, the 5 objects are enabled for object auditing.
      • If 5 objects are already enabled and the next run identifies 16 objects, no new objects are enabled (5 + 16 exceeds 15).
      • If 5 objects are already enabled and the next run identifies 5 objects, the 5 new objects are enabled (5 + 5 does not exceed 15).
  4. Optionally define the default classification. All cataloged databases in this account are assigned to this classification process. You can modify the classification process, per database, after they are cataloged.
  5. Test access to the cloud.
    1. Click Test Access. Guardium attempts to access the cloud.
    2. If Guardium fails to access the cloud: check that your Guardium system has network access to Amazon, check the keys you supplied, and check that the IAM policy from the prerequisite is attached to the IAM user that owns the keys.
  6. Click Create.
    The account is created and the Cloud DB Service Accounts list updates with the new Cloud account, with its account details in the right pane.
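The "Limit objects added automatically" rule in step 3 is all-or-nothing per classification run, which is easy to misread as a cap that fills up to the limit. The following model is an added illustration written for this page, not Guardium code: it encodes the rule exactly as the text states it (objects already audited plus newly classified objects must not exceed the limit, otherwise the run enables nothing) and replays the page's three examples plus the zero-limit case and a multi-run sequence. The class and function names are invented for the example.

```python
"""Model of the "Limit objects added automatically" rule (added example, not Guardium code)."""
from dataclasses import dataclass, field


@dataclass
class AuditedObjects:
    """Tracks how many objects are enabled for object auditing on one database."""
    limit: int                 # "Limit objects added automatically"; 0 disables auto-enable
    audited: int = 0           # objects already enabled for object auditing
    history: list = field(default_factory=list)  # (classified, enabled) per run

    def classification_run(self, newly_classified: int) -> int:
        """Apply one classification run and return how many new objects were enabled.

        Rule from the page: if audited + newly_classified exceeds the limit, none of
        the new objects are enabled. The run is rejected as a whole, not truncated
        to fit the remaining headroom.
        """
        if newly_classified < 0:
            raise ValueError("newly_classified must be non-negative")
        if self.limit <= 0 or self.audited + newly_classified > self.limit:
            enabled = 0
        else:
            enabled = newly_classified
        self.audited += enabled
        self.history.append((newly_classified, enabled))
        return enabled


def page_examples() -> list:
    """The three worked examples from the text, all with the limit set to 15."""
    first = AuditedObjects(limit=15).classification_run(5)              # -> 5 enabled
    second = AuditedObjects(limit=15, audited=5).classification_run(16)  # -> 0 enabled
    third = AuditedObjects(limit=15, audited=5).classification_run(5)    # -> 5 enabled
    return [first, second, third]


def batch_size_matters(limit: int = 15, run_size: int = 4, runs: int = 4) -> tuple:
    """Compare one oversized run with several small runs against the same limit.

    Edge case a practitioner should expect: a single run that would push the
    count past the limit enables nothing at all, while smaller runs are enabled
    one by one until the next run would cross the limit.
    """
    one_run = AuditedObjects(limit=limit)
    one_run.classification_run(limit + 1)        # 16 > 15: whole run rejected

    several = AuditedObjects(limit=limit)
    for _ in range(runs):
        several.classification_run(run_size)     # 4, 8, 12 enabled; 12 + 4 > 15 rejected
    return one_run.audited, several.audited


if __name__ == "__main__":
    print("page examples (enabled per run):", page_examples())
    print("one run of 16 vs four runs of 4 (total audited):", batch_size_matters())
    print("limit 0, 5 classified:", AuditedObjects(limit=0).classification_run(5))
```

The `history` list is kept so that a run which enabled nothing is visible as `(16, 0)` rather than silently disappearing; in Guardium the equivalent signal is that the objects stay unenabled in the managed objects window, so check there after a large classification run rather than assuming the limit "filled up".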

What to do next

Discover databases and catalog them, then set up classification, vulnerability assessment, and object auditing.

Modify a cloud account

All parameters except the provider can be modified.

Procedure

  1. Select the cloud account under Cloud DB Service Accounts, and click the wrench icon in the right pane.
  2. Modify the configuration.
  3. If any credentials were modified, test access to the cloud by clicking Test Access.
  4. Click Save.

Delete a cloud account

Deleting an account disables object auditing and DB auditing on all databases that belong to that account.

Procedure

  1. Select the account in the Cloud DB Service Accounts pane, click the minus sign, and confirm.
  2. Restart the DB from the DB console. If you do not have Amazon access to the DB, ask your DBA to disable DB auditing and restart the DB. Stopping auditing and restarting the DB is important so that the DB stops writing to the log files that Guardium was consuming.