RDS

Enable Teleskope to start scanning your RDS clusters.

Grant Teleskope Access to RDS

Attach the AmazonRDSReadOnlyAccess managed policy to the Teleskope role you created.

Terraform

resource "aws_iam_role_policy_attachment" "rds_policy" {
  role       = "TeleskopeReadOnlyRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
}

IAM Database Authentication

IAM authentication is the most secure database authentication method, since it generates a unique token on every request, eliminating the need to store database user credentials.

Grant IAM Database Access

Attach the following policy to the Teleskope Read role you created. It allows the role to connect as the teleskope_ro database user using IAM authentication.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
             "rds-db:connect"
         ],
         "Resource": [
             "arn:aws:rds-db:*:*:dbuser:*/teleskope_ro"
         ]
      }
   ]
}
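The `Resource` pattern above leaves the region, account and DB resource ID as wildcards, so the role can connect as teleskope_ro on any RDS database where that user exists. The following is an added example, not Teleskope's code: it reports which ARN fields a policy leaves wildcarded and builds the same grant limited to named resources. The function names, region, account ID and resource IDs are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# The policy from this page, reproduced as-is.
PAGE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["rds-db:connect"],
   "Resource": ["arn:aws:rds-db:*:*:dbuser:*/teleskope_ro"]}]}""")

def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def wildcard_findings(policy):
    """Return (arn, field) for every wildcarded ARN field in Allow
    statements that grant rds-db:connect."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        grants = any(fnmatchcase("rds-db:connect", a.lower()) for a in actions)
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        for arn in _as_list(stmt.get("Resource", [])):
            # arn:<partition>:rds-db:<region>:<account>:dbuser:<resource-id>/<db-user>
            parts = arn.split(":", 6)
            if arn == "*":
                findings.append((arn, "resource"))
            elif len(parts) == 7 and parts[2] == "rds-db":
                resource_id, _, db_user = parts[6].partition("/")
                fields = {"region": parts[3], "account": parts[4],
                          "resource-id": resource_id, "db-user": db_user}
                findings += [(arn, name) for name, value in fields.items()
                             if "*" in value or "?" in value]
    return findings

def scoped_policy(region, account, resource_ids, db_user="teleskope_ro"):
    """Build the same grant limited to the named DB resource IDs."""
    arns = [f"arn:aws:rds-db:{region}:{account}:dbuser:{rid}/{db_user}"
            for rid in resource_ids]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["rds-db:connect"], "Resource": arns}]}

if __name__ == "__main__":
    print(wildcard_findings(PAGE_POLICY))
    # Constructed placeholders: region, account ID and resource IDs.
    tight = scoped_policy("us-east-1", "123456789012",
                          ["db-EXAMPLEINSTANCEID", "cluster-EXAMPLECLUSTERID"])
    print(json.dumps(tight, indent=2), wildcard_findings(tight))
```

DB instance resource IDs begin with `db-` and Aurora cluster resource IDs begin with `cluster-`; use the cluster resource ID when the user connects to an Aurora cluster.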

Teleskope Database User

For each RDS cluster you would like to scan using Teleskope, you will need to create an IAM database user, or create/provide credentials for a database user, and grant that user read permissions.

Create Teleskope User

Create IAM Database User

MySQL or MariaDB

CREATE USER teleskope_ro IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Postgres

CREATE USER teleskope_ro;
GRANT rds_iam TO teleskope_ro;

Create Database User (Without IAM Authentication)

MySQL or MariaDB

CREATE USER teleskope_ro IDENTIFIED BY '****PASSWORD****';

Postgres

CREATE USER teleskope_ro WITH PASSWORD '****PASSWORD****';

Grant Read Access to Teleskope user

MySQL or MariaDB

GRANT SHOW DATABASES, SELECT ON *.* TO teleskope_ro;

Postgres versions 14+

GRANT pg_read_all_data TO teleskope_ro;

Postgres versions < 14

SELECT format('GRANT CONNECT ON DATABASE %I TO teleskope_ro;', datname) FROM pg_database \gexec
SELECT format('GRANT USAGE ON SCHEMA %I TO teleskope_ro;', nspname) FROM pg_namespace \gexec
SELECT format('GRANT SELECT ON ALL TABLES IN SCHEMA %I TO teleskope_ro;', nspname) FROM pg_namespace \gexec