RDS
Integrate RDS with Teleskope
Requirements
Name | Description |
---|---|
Teleskope Role | Attach RDS read and/or write permissions to the Teleskope IAM role you created |
Username and password | Create a read and/or write database user for each RDS cluster you'd like us to scan |
SSH Tunnel (Optional) | If your RDS instances are in a private subnet and you don't want to enable VPC peering, create a bastion host for us to use to access your RDS instances. |
Grant Teleskope Read IAM Access to RDS
Teleskope needs read access to automatically discover all of your RDS clusters and instances.
Attach the AmazonRDSReadOnlyAccess to the Teleskope role you created.
Terraform
resource "aws_iam_role_policy_attachment" "rds_policy" {
role = "TeleskopeRole"
policy_arn = "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
}
Grant Teleskope Read and Write IAM Access to RDS
Teleskope needs write access take enforce remediation policies such as tagging, deletion, etc.
Attach the AmazonRDSFullAccess to the Teleskope role you created.
Terraform
resource "aws_iam_role_policy_attachment" "rds_policy" {
role = "TeleskopeRole"
policy_arn = "arn:aws:iam::aws:policy/AmazonRDSFullAccess"
}
Teleskope Database User
For each RDS cluster you would like to scan using Teleskope, you will need to create an IAM database user, or create/provide credentials for a database user, and grant that user permissions.
Create Teleskope User
Create IAM Database User
MySQL or MariaDB
CREATE USER teleskope_ro IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
Postgres
CREATE USER teleskope_ro;
GRANT rds_iam TO teleskope_ro;
Create Database User (Without IAM Authentication)
MySQL or MariaDB
CREATE USER teleskope_ro IDENTIFIED BY '****PASSWORD****'
Postgres
CREATE USER teleskope_ro WITH PASSWORD '****PASSWORD****'
Grant Read Access to Teleskope user
MySQL or MariaDB
GRANT SHOW DATABASES, SELECT ON *.* TO teleskope_ro
Postgres versions 14+
GRANT pg_read_all_data TO teleskope_ro
Postgres versions < 14
SELECT format('GRANT CONNECT ON DATABASE %I TO teleskope_ro;', datname) FROM pg_database \gexec
SELECT format('GRANT USAGE ON SCHEMA %I TO teleskope_ro;', nspname) FROM pg_namespace \gexec
SELECT format('GRANT SELECT ON ALL TABLES IN SCHEMA %I TO teleskope_ro;', nspname) FROM pg_namespace \gexec
Grant Write Access to Teleskope user
MySQL or MariaDB
GRANT UPDATE, DELETE on *.* TO teleskope_ro
Postgres versions 14+
GRANT pg_write_all_data TO teleskope_ro
Postgres versions < 14
SELECT format('GRANT UPDATE, DELETE ON ALL TABLES IN SCHEMA %I TO teleskope_ro;', nspname) FROM pg_namespace \gexec
SSH Tunnel (Optional)
- Launch an EC2 instance in a public subnet to serve as the SHH tunnel Bastion Host.
- The public key for the key-pair parameter will be provided by Teleskope: teleskope-bastion-key.
- Designate Teleskope AWS account access within your security group(s). IP addresses will be provided by Teleskope.
- Assign an Elastic IP (EIP) to the bastion host.
- Adjust route tables and security groups as needed to provide access to the RDS instance through the bastion host.
- Provide Teleskope with the bastion username, and the bastion elastic IP.
Updated about 2 months ago