AWS RDS Snapshot Based Scanning

For Amazon Relational Database Service (RDS) in AWS, if direct connectivity to the database is not available, the snapshot-based scan approach can be used instead.

Steps for AWS RDS Snapshot Based Scanning

These are the steps that the DSPM Data Scanner automation uses to scan AWS RDS snapshots. No user action is required.

  1. For each RDS instance, check whether a snapshot is available.
  2. If a snapshot is available, recreate the RDS instance in the DSPM VPC from the latest snapshot, and configure the DSPM credential for database access.

     If the snapshot is encrypted, use the corresponding KMS key to decrypt it and then recreate the RDS instance.

  3. Connect to the databases, fetch the data and run the scan.
  4. Delete the recreated instance in the DSPM VPC.

Permissions Required

Permissions required for the DSPM Data Scanner to restore AWS RDS Snapshots

# Grants permission to add only the requested tag named in the condition to RDS instances and clusters.
- Sid: RDSPermissionForTagging
  Action:
    - rds:AddTagsToResource
  Effect: Allow
  Resource:
    - !Sub "{{ARN_PREFIX}}:rds:*:${AWS::AccountId}:db:*"
    - !Sub "{{ARN_PREFIX}}:rds:*:${AWS::AccountId}:cluster:*"
  Condition:
    StringEquals:
      "aws:RequestTag/Name": "Normalyze-{{ONBOARDING_ID}}"

# Grants permission to restore an instance/cluster from any snapshot.
- Sid: RDSPermissionForInstanceRestore
  Action:
    - rds:RestoreDBInstanceFromDBSnapshot
    - rds:RestoreDBClusterFromSnapshot
    - kms:Decrypt # Required to restore an encrypted DB snapshot using a KMS key
  Effect: Allow
  Resource:
    - !Sub "{{ARN_PREFIX}}:rds:*:${AWS::AccountId}:snapshot:*"
    - !Sub "{{ARN_PREFIX}}:rds:*:${AWS::AccountId}:cluster-snapshot:*"
    - !Sub "{{ARN_PREFIX}}:kms:*:${AWS::AccountId}:key/*"

# Grants permission to restore/create an instance/cluster only when the request tags it with the Name value in the condition.
- Sid: RDSLimitedPermissionForInstanceRestore
  Action:
    - rds:RestoreDBInstanceFromDBSnapshot
    - rds:RestoreDBClusterFromSnapshot
    - rds:CreateDBInstance
  Effect: Allow
  Resource:
    - !Sub "{{ARN_PREFIX}}:rds:*:${AWS::AccountId}:db:*"
    - !Sub "{{ARN_PREFIX}}:rds:*:${AWS::AccountId}:cluster:*"
    - !Sub "{{ARN_PREFIX}}:rds:*:${AWS::AccountId}:subgrp:*"
    - !Sub "{{ARN_PREFIX}}:ec2:*:${AWS::AccountId}:security-group/*"
  Condition:
    StringEquals:
      "aws:RequestTag/Name": "Normalyze-{{ONBOARDING_ID}}"

# Grants permission to use the KMS key.
# The KMS key is used only for the Decrypt operation during RDS DB/cluster restore.
# DescribeKey and CreateGrant permissions are required to perform the Decrypt operation.
- Sid: KMSPermissionsToUseKMSKey
  Action:
    - kms:DescribeKey
    - kms:CreateGrant
  Effect: Allow
  Resource: "*"

# Grants permission to find VPCs, security groups and DB cluster snapshots.
- Sid: DescribePermissionsForVPCandSecurityGroups
  Action:
    - ec2:DescribeVpcs
    - ec2:DescribeSecurityGroups
    - rds:DescribeDBClusterSnapshots
  Effect: Allow
  Resource: "*"

Permissions required in the DSPM group to delete and modify the restored database instance/cluster

# Grants permission to modify and delete only the instances/clusters and snapshots that already carry the tag named in the condition.
- Sid: RDSPermissionDeleteRestorePermissions
  Action:
    - rds:DeleteDBInstance
    - rds:DeleteDBSnapshot
    - rds:ModifyDBInstance
    - rds:DeleteDBCluster
    - rds:DeleteDBClusterSnapshot
    - rds:ModifyDBCluster
  Effect: Allow
  Resource:
    - !Sub "{{ARN_PREFIX}}:rds:*:${AWS::AccountId}:db:*"
    - !Sub "{{ARN_PREFIX}}:rds:*:${AWS::AccountId}:snapshot:*"
    - !Sub "{{ARN_PREFIX}}:rds:*:${AWS::AccountId}:cluster:*"
    - !Sub "{{ARN_PREFIX}}:rds:*:${AWS::AccountId}:cluster-snapshot:*"
  Condition:
    StringEquals:
      "aws:ResourceTag/Name": "Normalyze-{{ONBOARDING_ID}}"
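To make the tag conditions concrete, the following is an added Python example (not Normalyze's code) that models the two tag-scoped statements, RDSLimitedPermissionForInstanceRestore (step 2, aws:RequestTag) and RDSPermissionDeleteRestorePermissions (step 4, aws:ResourceTag), and evaluates sample requests against them. The account id, onboarding id and ARN prefix are constructed placeholders, and IAM's `*` wildcard matching is approximated with fnmatch.

```python
import fnmatch

ARN_PREFIX = "arn:aws"                 # stands in for {{ARN_PREFIX}}
ACCOUNT = "123456789012"               # constructed account id
ONBOARDING_ID = "example-onboarding"   # placeholder for {{ONBOARDING_ID}}
SCANNER_TAG = f"Normalyze-{ONBOARDING_ID}"


def arn(service, resource):
    """Build a resource pattern in the same shape as the !Sub ARNs in the policy."""
    return f"{ARN_PREFIX}:{service}:*:{ACCOUNT}:{resource}"


# Only the two statements whose Condition does the least-privilege work are modelled.
STATEMENTS = [
    {   # step 2: restore/create is allowed only if the request carries the scanner's tag
        "Sid": "RDSLimitedPermissionForInstanceRestore",
        "Action": ["rds:RestoreDBInstanceFromDBSnapshot",
                   "rds:RestoreDBClusterFromSnapshot", "rds:CreateDBInstance"],
        "Resource": [arn("rds", "db:*"), arn("rds", "cluster:*"),
                     arn("rds", "subgrp:*"), arn("ec2", "security-group/*")],
        "Condition": {"aws:RequestTag/Name": SCANNER_TAG},
    },
    {   # step 4: modify/delete is allowed only on resources that already carry the tag
        "Sid": "RDSPermissionDeleteRestorePermissions",
        "Action": ["rds:DeleteDBInstance", "rds:ModifyDBInstance",
                   "rds:DeleteDBCluster", "rds:ModifyDBCluster"],
        "Resource": [arn("rds", "db:*"), arn("rds", "cluster:*")],
        "Condition": {"aws:ResourceTag/Name": SCANNER_TAG},
    },
]


def is_allowed(action, resource_arn, context):
    """Default-deny evaluation: an Allow statement must match the action, one of its
    Resource patterns (IAM's '*' wildcard, approximated with fnmatch) and every
    StringEquals condition key. A key absent from the request context never matches."""
    for stmt in STATEMENTS:
        if action not in stmt["Action"]:
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, p) for p in stmt["Resource"]):
            continue
        if all(context.get(k) == v for k, v in stmt["Condition"].items()):
            return True
    return False
```

The consequence for the scanner role is that it can create and later delete only instances tagged Name=Normalyze-{{ONBOARDING_ID}}; a production instance that never carried that tag is outside the delete grant even though its ARN matches `db:*`.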