AWS: Deployment using Existing Networking Resources
This document describes the creation of resources that are required for DSPM to connect to your AWS Account for Data Scanning.
The compute workloads (Lambda Functions and EC2 instances) can be created in a VPC of your choosing via two different options.
Option 1: Automated via Tagged VPC
- DSPM deploys its compute workloads into a VPC when it finds the tags listed below on the following resource types.
- Note: DSPM does not delete the VPC with this option.
- Note: The VPC must have egress connectivity configured so that the workloads can reach the DSPM Control Plane.
- These resources must be created in each region where the data stores to be scanned are present.
This document assumes that a NAT Gateway is used for egress connectivity; other mechanisms for egress traffic, such as a Transit Gateway, are also possible.
The details for each of the resources, and the required tags, are outlined below:

VPC
Tags:
- Key: used_by, Value: normalyze-<Onboarding-Id>
Description: Create a new VPC or tag an existing one.

Private Subnet1
Tags:
- Key: used_by, Value: normalyze-<Onboarding-Id>
- Key: is_private_subnet, Value: True
Description: EC2 instances and Lambda functions are deployed in the private subnet. This subnet needs access outside the VPC (egress) for the following reasons:
1. To reach back to the DSPM Control Plane and update the results.
2. To let the EC2 instance reach outside the VPC to download 3rd-party packages.
3. To access data stores outside the VPC.

Private Subnet2
Tags:
- Key: used_by, Value: normalyze-<Onboarding-Id>
- Key: is_private_subnet, Value: True
Description: Same as Private Subnet1: EC2 instances and Lambda functions are deployed in the private subnet, and it needs the same egress access outside the VPC for the three reasons listed above.

Security group [for EC2]
Create a Security Group named exactly “Normalyze EC2 security group”. The name must match exactly, since DSPM selects the security group by the combination of its name and the tag value.
Tags:
- Key: used_by, Value: normalyze-<Onboarding-Id>
Description: This security group is attached to the EC2 instance created during the data scan operation. It has no inbound rules and allows all outbound IPv4 traffic.

Security group [for RDS]
Create a Security Group named exactly “Normalyze data-scan security group”. The name must match exactly, since DSPM selects the security group by the combination of its name and the tag value.
Tags:
- Key: used_by, Value: normalyze-<Onboarding-Id>
Description: This security group is attached to the EC2 instance where the RDS snapshot is restored by DSPM in the VPC. Its only inbound rule allows traffic from the Normalyze EC2 security group.

DB Subnet Group
Create an RDS Subnet Group named in the format “normalyze-<Onboarding ID>”. The name must match exactly, since DSPM selects the Subnet Group by the combination of its name and the tag value.
Tags:
- Key: Name, Value: Normalyze-<Onboarding-Id>
Description: This resource is attached to the RDS instance that DSPM restores in the VPC.
Note: Associate only the private subnets with this resource. A public subnet must not be attached to it.

Egress Connectivity Resources

NAT Gateway
Description: Create and configure a NAT Gateway to route private traffic from the VPC outward, so that the workloads can reach the DSPM Control Plane.

Public Subnet
Tags:
- Key: used_by, Value: normalyze-<Onboarding-Id>
- Key: is_public_subnet, Value: True
Description: If a NAT Gateway is used, a public subnet is required to route egress traffic out of the VPC.
If you wish to create these resources programmatically, you can use Terraform (TF) or a CloudFormation Template (CFT). Sample scripts for both are provided in the next section.
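As an added pre-flight check (not DSPM's own tooling), the following Python verifies that existing resources carry the exact names, tags and security-group rules listed above before onboarding. It runs offline on an inline, constructed inventory shaped like the boto3 describe_subnets, describe_security_groups and describe_db_subnet_groups responses; the Onboarding-Id and resource ids are placeholders.

```python
ONBOARDING_ID = "0000"  # placeholder, not a real Onboarding-Id
USED_BY = f"normalyze-{ONBOARDING_ID}"
EC2_SG, RDS_SG = "Normalyze EC2 security group", "Normalyze data-scan security group"

def tags(res):
    return {t["Key"]: t["Value"] for t in res.get("Tags", [])}

def tagged(resources, **want):  # resources carrying used_by=<id> plus every extra tag in `want`
    want["used_by"] = USED_BY
    return [r for r in resources if all(tags(r).get(k) == v for k, v in want.items())]

def validate(inv):
    """Return a list of findings; an empty list means the inventory matches the table above."""
    problems, private = [], tagged(inv["Subnets"], is_private_subnet="True")
    if len(private) < 2:
        problems.append("need two private subnets tagged is_private_subnet=True")
    sgs = {g["GroupName"]: g for g in tagged(inv["SecurityGroups"])}
    ec2, rds = sgs.get(EC2_SG), sgs.get(RDS_SG)
    if ec2 is None or rds is None:  # DSPM matches on the exact name AND the used_by tag
        return problems + ["both security groups must exist with the exact name and used_by tag"]
    if ec2["IpPermissions"]:
        problems.append("EC2 security group must have no inbound rules")
    if not any(r["IpProtocol"] == "-1" and any(ip["CidrIp"] == "0.0.0.0/0" for ip in r["IpRanges"])
               for r in ec2["IpPermissionsEgress"]):
        problems.append("EC2 security group must allow all outbound IPv4 traffic")
    for rule in rds["IpPermissions"]:  # any CIDR source, or a source other than the EC2 SG, is a finding
        if rule.get("IpRanges") or {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])} != {ec2["GroupId"]}:
            problems.append("RDS security group may only accept inbound traffic from the EC2 security group")
    dbg = next((g for g in inv["DBSubnetGroups"] if g["DBSubnetGroupName"] == USED_BY), None)
    if dbg is None:
        problems.append(f"DB subnet group {USED_BY} not found")
    elif {s["SubnetIdentifier"] for s in dbg["Subnets"]} - {s["SubnetId"] for s in private}:
        problems.append("DB subnet group must contain only the tagged private subnets")
    return problems

def _tags(**kv):  # build a boto3-style Tags list
    return [{"Key": k, "Value": v} for k, v in kv.items()]

INVENTORY = {  # constructed sample in the shape of boto3 describe_* responses, not real account data
    "Subnets": [{"SubnetId": "subnet-a", "Tags": _tags(used_by=USED_BY, is_private_subnet="True")},
                {"SubnetId": "subnet-b", "Tags": _tags(used_by=USED_BY, is_private_subnet="True")}],
    "SecurityGroups": [
        {"GroupName": EC2_SG, "GroupId": "sg-ec2", "Tags": _tags(used_by=USED_BY), "IpPermissions": [],
         "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupName": RDS_SG, "GroupId": "sg-rds", "Tags": _tags(used_by=USED_BY), "IpPermissionsEgress": [],
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
                            "UserIdGroupPairs": [{"GroupId": "sg-ec2"}]}]}],
    "DBSubnetGroups": [{"DBSubnetGroupName": USED_BY,
                        "Subnets": [{"SubnetIdentifier": "subnet-a"}, {"SubnetIdentifier": "subnet-b"}]}],
}
```

On a real account, replace INVENTORY with the corresponding lists from those three boto3 calls; IPv6 ranges and prefix-list sources on the RDS group are not checked here.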
Option 2: Automated via Infrastructure as Code
The next option is to create the resources with the scripts provided by DSPM. These scripts contain all of the details for the required resources: VPC, Security Groups, Subnets, DB Subnet Group, Routes, Internet Gateway and NAT Gateway.
The VPC CIDR block can be set when applying the CFT template in AWS CloudFormation, based on the available addresses to be used by the DSPM application.
Create Resources via a Terraform Template
See AWS: Using Terraform for Resource Creation.