RDS

Integrate RDS with Teleskope

Requirements

Name                  | Description
Teleskope Role        | Attach RDS read and/or write permissions to the Teleskope IAM role you created.
Username and password | Create a read and/or write database user for each RDS cluster you'd like us to scan.
SSH Tunnel (Optional) | If your RDS instances are in a private subnet and you don't want to enable VPC peering, create a bastion host for us to use to access your RDS instances.

Grant Teleskope Read IAM Access to RDS

Teleskope needs read access to automatically discover all of your RDS clusters and instances.

Attach the AmazonRDSReadOnlyAccess to the Teleskope role you created.

Terraform

# Read-only discovery of RDS clusters and instances; the managed policy
# attached here must match the AmazonRDSReadOnlyAccess named above.
resource "aws_iam_role_policy_attachment" "rds_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
}

Grant Teleskope Read and Write IAM Access to RDS

Teleskope needs write access to enforce remediation policies such as tagging and deletion.

Attach the AmazonRDSFullAccess managed policy (the one used in the Terraform below) to the Teleskope role you created. If you only need a subset of remediation actions, a custom policy limited to those actions is a tighter alternative to the managed one.

Terraform

resource "aws_iam_role_policy_attachment" "rds_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRDSFullAccess"
}

IAM Database Authentication

IAM authentication is the most secure database authentication method, since it generates a unique token on every request, eliminating the need to store database user credentials.

Grant IAM Database Access

Grant the following policy to the Teleskope Read role you created.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
             "rds-db:connect"
         ],
         "Resource": [
             "arn:aws:rds-db:*:*:dbuser:*/teleskope_ro"
         ]
      }
   ]
}
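The `rds-db:connect` resource ARN has the form `arn:aws:rds-db:REGION:ACCOUNT:dbuser:RESOURCE_ID/USERNAME`, and the only field the policy above pins down is the username. The following Python check, added here as an example and not part of Teleskope's documentation or tooling, parses a policy document and reports which ARN fields are still wildcards so you can decide whether to scope the grant to specific regions, accounts or DB resource IDs. The embedded policy is the one from this page; the helper names are assumptions.

```python
"""Least-privilege check for an rds-db:connect IAM policy (added example)."""
import json
from dataclasses import dataclass

# The policy shown on the page, embedded as sample input for this check.
TELESKOPE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["rds-db:connect"],
            "Resource": ["arn:aws:rds-db:*:*:dbuser:*/teleskope_ro"],
        }
    ],
})

ARN_FIELDS = ["region", "account", "resource_id", "username"]


@dataclass
class Finding:
    resource: str          # the resource string as written in the policy
    username: str          # DB user the grant applies to ("*" = any user)
    wildcard_fields: list  # ARN fields that are "*"
    ok: bool               # True when the username is the expected DB user


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def parse_dbuser_arn(arn):
    """Split arn:aws:rds-db:REGION:ACCOUNT:dbuser:RESOURCE_ID/USERNAME into fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "rds-db":
        raise ValueError(f"not an rds-db ARN: {arn}")
    region, account, resource = parts[3], parts[4], parts[5]
    if not resource.startswith("dbuser:") or "/" not in resource:
        raise ValueError(f"unexpected dbuser resource: {arn}")
    resource_id, username = resource[len("dbuser:"):].split("/", 1)
    return dict(zip(ARN_FIELDS, [region, account, resource_id, username]))


def check_connect_policy(policy_json, expected_user):
    """Return one Finding per resource of every Allow statement granting rds-db:connect."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("rds-db:connect", "rds-db:*", "*") for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                # A bare "*" allows connecting as any user to any instance.
                findings.append(Finding(res, "*", list(ARN_FIELDS), False))
                continue
            fields = parse_dbuser_arn(res)
            wild = [f for f in ARN_FIELDS if fields[f] == "*"]
            findings.append(Finding(res, fields["username"], wild,
                                    fields["username"] == expected_user))
    return findings


if __name__ == "__main__":
    for f in check_connect_policy(TELESKOPE_POLICY, "teleskope_ro"):
        status = "OK" if f.ok else "REVIEW"
        print(f"{status}: {f.resource} (wildcards: {', '.join(f.wildcard_fields) or 'none'})")
```

Running it against the page's policy reports the username as fixed but region, account and resource ID as wildcards; replacing the `*` resource ID with the `DbiResourceId` of each cluster you actually scan limits the token to those instances.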

Teleskope Database User

For each RDS cluster you would like to scan using Teleskope, you will need to create an IAM database user, or create/provide credentials for a database user, and grant that user permissions.

Create Teleskope User

Create IAM Database User

MySQL or MariaDB

CREATE USER teleskope_ro IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Postgres

CREATE USER teleskope_ro;
GRANT rds_iam TO teleskope_ro;

Create Database User (Without IAM Authentication)

MySQL or MariaDB

CREATE USER teleskope_ro IDENTIFIED BY '****PASSWORD****';

Postgres

CREATE USER teleskope_ro WITH PASSWORD '****PASSWORD****';

Grant Read Access to Teleskope user

MySQL or MariaDB

GRANT SHOW DATABASES, SELECT ON *.* TO teleskope_ro;

Postgres versions 14+

GRANT pg_read_all_data TO teleskope_ro;

Postgres versions < 14

Run these in psql (\gexec executes each generated statement). The first loop grants CONNECT on every database; the schema and table loops only affect the database you are connected to, so repeat them in each database you want scanned. Tables created after the loop runs are not covered and need their own GRANT.

SELECT format('GRANT CONNECT ON DATABASE %I TO teleskope_ro;', datname) FROM pg_database \gexec
SELECT format('GRANT USAGE ON SCHEMA %I TO teleskope_ro;', nspname) FROM pg_namespace \gexec
SELECT format('GRANT SELECT ON ALL TABLES IN SCHEMA %I TO teleskope_ro;', nspname) FROM pg_namespace \gexec

Grant Write Access to Teleskope user

MySQL or MariaDB

GRANT UPDATE, DELETE ON *.* TO teleskope_ro;

Postgres versions 14+

GRANT pg_write_all_data TO teleskope_ro;

Postgres versions < 14

As with the read grants, run this in each database you want Teleskope to remediate; it only affects the current database.

SELECT format('GRANT UPDATE, DELETE ON ALL TABLES IN SCHEMA %I TO teleskope_ro;', nspname) FROM pg_namespace \gexec
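The two `\gexec` loops above (the pre-14 read grants and the pre-14 write grants) iterate over every row of `pg_namespace`, which includes `pg_catalog`, `information_schema` and the `pg_toast` schemas, and they only cover tables that exist when they run. The following Python generator, added here as an example and not part of Teleskope's documentation, takes the schema names you pulled from `pg_namespace` and emits the per-database script for either access level, skipping system schemas, quoting identifiers the way `format('%I')` does, and (going one step beyond the page) adding `ALTER DEFAULT PRIVILEGES` so tables created later are covered. The function and schema names are assumptions; the sample schema list is constructed.

```python
"""Generate per-database GRANT scripts for the teleskope_ro user on PostgreSQL < 14.

Added example; assumes you feed it the schema names from pg_namespace of the
database you are connected to, and run the returned statements in that database.
"""

SYSTEM_SCHEMAS = {"pg_catalog", "information_schema"}


def quote_ident(name):
    """Double-quote an identifier, doubling embedded quotes (equivalent to format('%I'),
    except that this always quotes rather than only when needed)."""
    return '"' + name.replace('"', '""') + '"'


def is_user_schema(name):
    """Skip catalog, information_schema, TOAST and temporary schemas."""
    return name not in SYSTEM_SCHEMAS and not name.startswith(("pg_toast", "pg_temp"))


def grant_script(database, schemas, user="teleskope_ro", write=False):
    """Return the GRANT statements for one database.

    write=False reproduces the page's read grants (CONNECT, USAGE, SELECT);
    write=True adds UPDATE and DELETE as in the page's write grants.
    """
    u = quote_ident(user)
    table_privs = "SELECT, UPDATE, DELETE" if write else "SELECT"
    lines = [f"GRANT CONNECT ON DATABASE {quote_ident(database)} TO {u};"]
    for schema in sorted(s for s in schemas if is_user_schema(s)):
        s = quote_ident(schema)
        lines.append(f"GRANT USAGE ON SCHEMA {s} TO {u};")
        lines.append(f"GRANT {table_privs} ON ALL TABLES IN SCHEMA {s} TO {u};")
        # Beyond the page's steps: tables created later in this schema by the
        # role running the script get the same privileges automatically.
        lines.append(f"ALTER DEFAULT PRIVILEGES IN SCHEMA {s} "
                     f"GRANT {table_privs} ON TABLES TO {u};")
    return lines


# Constructed sample: what SELECT nspname FROM pg_namespace might return.
SAMPLE_SCHEMAS = ["pg_catalog", "pg_toast", "information_schema",
                  "public", "Sales Data", "pg_temp_3"]

if __name__ == "__main__":
    print("\n".join(grant_script("app", SAMPLE_SCHEMAS)))
```

`ALTER DEFAULT PRIVILEGES` without `FOR ROLE` only applies to objects created by the role that runs the script, so run it as the role that owns the application tables (or add `FOR ROLE` for each owner).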

SSH Tunnel (Optional)

  1. Launch an EC2 instance in a public subnet to serve as the SSH tunnel bastion host.
    1. The public key for the key-pair parameter will be provided by Teleskope: teleskope-bastion-key.
    2. Designate Teleskope AWS account access within your security group(s). IP addresses will be provided by Teleskope.
    3. Assign an Elastic IP (EIP) to the bastion host.
  2. Adjust route tables and security groups as needed to provide access to the RDS instance through the bastion host.
  3. Provide Teleskope with the bastion username, and the bastion elastic IP.