Cloud database service protection Amazon AWS setup

You can use AWS database activity monitoring to provide cloud database service protection with Guardium®. Before you can define a Guardium cloud DB service account, you need to perform a few setup steps.

Note: AWS supports data activity monitoring only for new clusters.

Create an Amazon RDS cluster

To use database activity monitoring, create an Amazon RDS cluster that runs the Aurora PostgreSQL-Compatible Edition engine, version PostgreSQL 10.7.

Take the following steps to create the Amazon RDS cluster:
  1. From your AWS account, create a new customer managed KMS key in the same region as the cluster (do not use the default AWS managed KMS key; activity streams require a customer managed key).
  2. Create an Amazon RDS cluster in a region that supports database activity streams (DAS).
  3. Wait until the cluster and its instances are created and available before you enable database activity monitoring.
Note: The following limitations apply to database activity monitoring traffic:
  • The following rules and policies are not supported:
    • Returned data and extrusion rules
    • Policies that interact with S-TAP (such as S-GATE, Ignore, Terminate)
    • SQL errors (AWS limitation)
  • Audit data is processed in the order that it was received
  • If more than one Guardium collector consumes the same stream, traffic is distributed randomly among the collectors, because each collector reads the stream with a different session ID
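The setup steps above, carried out with the AWS CLI, as an added example that is not part of the original page or of the Guardium product. The region, cluster identifier, instance class and master username are assumptions; the master password is read from the environment rather than hard-coded. Nothing touches AWS unless the script is run with the `provision` argument, so the helper functions can be sourced and checked on their own.

```shell
#!/bin/sh
# Added example (not from the original page): create a customer managed KMS key,
# an Aurora PostgreSQL 10.7 cluster with one instance, wait for both to become
# available, and only then start the database activity stream.
set -eu

REGION="${REGION:-us-east-1}"              # assumption: a region that supports DAS
CLUSTER_ID="${CLUSTER_ID:-guardium-aurora}" # assumption: cluster identifier
INSTANCE_CLASS="${INSTANCE_CLASS:-db.r5.large}"

# Build the cluster ARN that start-activity-stream expects as --resource-arn.
cluster_arn() {   # usage: cluster_arn REGION ACCOUNT_ID CLUSTER_ID
  printf 'arn:aws:rds:%s:%s:cluster:%s' "$1" "$2" "$3"
}

# The AWS managed default key (alias/aws/rds) is not accepted for activity
# streams; refuse it locally before spending an API call on it.
is_customer_managed_key() {   # usage: is_customer_managed_key KEY_ID_OR_ALIAS
  case "$1" in
    alias/aws/*|"") return 1 ;;
    *)              return 0 ;;
  esac
}

# Poll the cluster until it reports the wanted status (step 3 of the procedure).
wait_for_cluster_status() {   # usage: wait_for_cluster_status CLUSTER_ID WANTED
  until status=$(aws rds describe-db-clusters --region "$REGION" \
          --db-cluster-identifier "$1" \
          --query 'DBClusters[0].Status' --output text) && [ "$status" = "$2" ]; do
    echo "cluster $1 is '$status', waiting for '$2'" >&2
    sleep 30
  done
}

provision() {
  : "${MASTER_PASSWORD:?set MASTER_PASSWORD in the environment}"

  # Step 1: a new customer managed key in the same region as the cluster.
  key_id=$(aws kms create-key --region "$REGION" \
             --description "DAS key for $CLUSTER_ID" \
             --query 'KeyMetadata.KeyId' --output text)
  is_customer_managed_key "$key_id" || { echo "refusing default key $key_id" >&2; exit 1; }

  # Step 2: the cluster and one instance. Storage encryption is good practice
  # but is separate from the key the activity stream itself uses.
  aws rds create-db-cluster --region "$REGION" \
    --db-cluster-identifier "$CLUSTER_ID" \
    --engine aurora-postgresql --engine-version 10.7 \
    --master-username guardium_admin --master-user-password "$MASTER_PASSWORD" \
    --storage-encrypted --kms-key-id "$key_id" >/dev/null
  aws rds create-db-instance --region "$REGION" \
    --db-instance-identifier "${CLUSTER_ID}-1" \
    --db-cluster-identifier "$CLUSTER_ID" \
    --engine aurora-postgresql --db-instance-class "$INSTANCE_CLASS" >/dev/null

  # Step 3: do not enable the stream until cluster and instance are available.
  wait_for_cluster_status "$CLUSTER_ID" available
  aws rds wait db-instance-available --region "$REGION" \
    --db-instance-identifier "${CLUSTER_ID}-1"

  # Step 4: start the activity stream. Async mode does not block the database
  # when the stream falls behind. The Kinesis stream name printed here is what
  # the Guardium cloud DB service account consumes.
  account=$(aws sts get-caller-identity --query Account --output text)
  arn=$(cluster_arn "$REGION" "$account" "$CLUSTER_ID")
  aws rds start-activity-stream --region "$REGION" --resource-arn "$arn" \
    --mode async --kms-key-id "$key_id" --apply-immediately \
    --query '{Stream:KinesisStreamName,Status:Status,Mode:Mode}' --output table
}

# Only touch AWS when explicitly asked; sourcing the file is side-effect free.
if [ "${1:-}" = "provision" ]; then
  provision
fi
```

After the stream reports `started`, `aws rds describe-db-clusters --db-cluster-identifier "$CLUSTER_ID" --query 'DBClusters[0].[ActivityStreamStatus,ActivityStreamKinesisStreamName]'` confirms the stream that the Guardium account will read from.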

Define the AWS Identity and Access Management policy

Define the Identity and Access Management (IAM) policy for your AWS account as described in Define AWS IAM for data streams.

After you create the Amazon RDS cluster and define the AWS IAM policy, you can define a Guardium cloud DB service account, as described in Define, modify, and delete AWS cloud DB service accounts.