IBM & Red Hat on AWS

Monitoring Amazon Aurora databases with IBM Guardium

In an ever-changing IT landscape where data resides in multiple data sources, it is crucial to have a well-defined monitoring strategy and tools to protect your data. In order to monitor traffic in a traditional database implementation, you would typically install an agent in the database server. The agent would then collect the information from the database server it is installed on and pass it to a central monitoring engine for analysis.

As fully managed database services like Amazon Relational Database Service (Amazon RDS) are widely adopted, where AWS does the undifferentiated heavy lifting for the customer, installing agents is not a desired approach. This is where IBM Guardium External S-TAP comes into play. It is a component of the IBM Guardium suite of products that can intercept database traffic without having to install an agent on the database server. You can deploy the External S-TAP on Kubernetes platforms like Amazon Elastic Kubernetes Service (Amazon EKS) or Red Hat OpenShift Service on AWS (ROSA).

In this blog, we will show you how to deploy IBM Guardium External S-TAP on Amazon EKS and use it to monitor Amazon Aurora PostgreSQL traffic.

IBM Guardium overview

Amazon Aurora PostgreSQL is a fully managed, PostgreSQL-compatible, and ACID-compliant relational database engine that combines the speed, reliability, and manageability of Amazon Aurora with the simplicity and cost-effectiveness of open-source databases. IBM Guardium provides database activity monitoring and data protection capabilities for a wide range of platforms.

IBM Guardium continuously monitors the activity within your Amazon Aurora databases in real-time. It captures and analyzes database activity including SQL statements, login attempts, and administrative actions. By providing immediate visibility into database activity, IBM Guardium enables you to promptly identify and respond to suspicious or unauthorized activities. It employs advanced analytics and machine learning techniques to detect and prevent potential security threats. It also helps safeguard sensitive data stored in Amazon Relational Database Service (Amazon RDS) by enforcing data protection policies. You can establish granular access controls and monitor privileged user activities within your Amazon RDS environment.

IBM Guardium helps organizations maintain compliance with a wide range of regulations and standards, including GDPR, HIPAA, PCI DSS, and more. It provides pre-built compliance reports and templates, as well as customizable policies and rules, to help you meet your compliance requirements.

Solution architecture

Architecture diagram showing how IBM Guardium S-TAP can be deployed on Amazon EKS to monitor Amazon Aurora databases.

Figure 1. Monitoring Amazon Aurora with IBM Guardium S-TAP.

As shown in Figure 1 above, the IBM Guardium External S-TAP runs in an Amazon EKS cluster. It intercepts traffic between clients and the database server, and forwards a copy of the traffic to an IBM Guardium Central Manager (IBM Guardium CM) for analysis and policy application. The Amazon EKS cluster manages the External S-TAP containers and also a Network Load Balancer (NLB).

The NLB is assigned an external IP address, which becomes the new database endpoint. The IBM Guardium CM controls and monitors the entire IBM Guardium environment from a single console. It can also act as an IBM Guardium Collector. In our example architecture, the IBM Guardium S-TAP runs in a separate Amazon Virtual Private Cloud (Amazon VPC) from the IBM Guardium CM and Amazon Aurora. You should choose the Amazon VPC architecture that best suits your organization's needs and policies.

If IBM Guardium detects a security threat or compliance violation, it can trigger an alert or notification. You can configure IBM Guardium to automatically respond to these alerts, such as by blocking the offending user or IP address, or by sending an email notification to your security team. This helps you quickly respond to potential security threats and minimize the impact on your business.

In the following sections, we will show the step-by-step process to deploy IBM Guardium External S-TAP on Amazon EKS and configure it to capture database traffic.

Prerequisites

This post assumes that you have the following prerequisites:

Costs

You are responsible for the cost of the AWS services used when deploying IBM Guardium in your AWS account. For cost estimates, see the pricing pages for each AWS service you use.

Implementation steps

Create an Aurora PostgreSQL DB cluster

1. Create an Aurora PostgreSQL DB cluster, following the steps in Creating and connecting to an Aurora PostgreSQL DB cluster.

Amazon EKS cluster setup

For the purpose of this blog post we have created an Amazon EKS cluster with 2 t3.medium nodes; your requirements may vary.

2. Connect to your bastion host to create an Amazon EKS cluster with the eksctl command. You can also create your cluster from the Amazon EKS console.

3. Execute commands below from your bastion host, to connect to the Amazon EKS cluster:

$ aws eks update-kubeconfig --region <EKS_Cluster_AWS_Region> --name <Cluster_Name>

$ kubectl config set-context --current --namespace=kube-system

4. Retrieve the Amazon EKS cluster master URL and save it in a text editor of your choice. We will use this later to configure IBM Guardium:

$ kubectl cluster-info

5. Create an Amazon EKS admin user:

$ kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: <service-account-name>
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <cluster-role-binding-name>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: <cluster-role-name>
subjects:
- kind: ServiceAccount
  name: <service-account-name>
  namespace: kube-system
EOF

6. Generate a service account token and authentication token for the admin user created in the previous step. It will be used to configure the external S-TAP in IBM Guardium:

$ kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: <service-account-name>-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: <service-account-name>
type: kubernetes.io/service-account-token
EOF

7. Retrieve the admin user secret/authentication token to configure the external S-TAP:

$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep <service-account-name>-token | awk '{print $1}')
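Before pasting the token from step 7 into the External S-TAP configuration, it is worth confirming that it really belongs to the service account created in step 5 (the wrong token silently grants Guardium a different identity). The following Python script is an added example, not code from the original post or from IBM: it reads the JSON form of the Secret (`kubectl -n kube-system get secret <service-account-name>-token -o json`), decodes the token from `.data.token` instead of scraping `describe secret` output, and checks the JWT's `sub` claim. The Secret, the service account name `guardium-stap` and the JWT embedded below are constructed sample data; the sample JWT carries no valid signature, and the script deliberately does not verify signatures, since that is the API server's job when the token is used.

```python
"""Extract a service-account token from a Kubernetes Secret and check whose it is.

Added example (not from the original post). Assumes the Secret JSON comes from
`kubectl -n kube-system get secret <service-account-name>-token -o json`.
All data below is constructed for illustration.
"""
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def extract_token(secret_json: str) -> str:
    """Return the bearer token stored in a service-account-token Secret.

    kubectl stores every key under .data base64-encoded; reading .data.token
    directly avoids the grep/awk parsing of `describe secret` output.
    """
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account-token Secret")
    return base64.b64decode(secret["data"]["token"]).decode()


def token_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    Only used to see which identity the token represents before it is pasted
    into the External S-TAP dialog; the API server verifies the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a JWT")
    return json.loads(b64url_decode(parts[1]))


def check_identity(token: str, namespace: str, sa_name: str) -> bool:
    """True if the token was issued to system:serviceaccount:<namespace>:<sa_name>."""
    expected = f"system:serviceaccount:{namespace}:{sa_name}"
    return token_claims(token).get("sub") == expected


# --- constructed sample data (not real cluster output) ---
def _sample_jwt(namespace: str, sa_name: str) -> str:
    """Build an unsigned JWT with the claims a legacy SA token carries."""
    header = {"alg": "RS256", "kid": "sample"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }

    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")

    return f"{enc(header)}.{enc(payload)}.SIGNATUREPLACEHOLDER"


SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "guardium-stap-token", "namespace": "kube-system"},
    "data": {
        "token": base64.b64encode(_sample_jwt("kube-system", "guardium-stap").encode()).decode(),
    },
})

if __name__ == "__main__":
    tok = extract_token(SAMPLE_SECRET)
    print("issued to:", token_claims(tok)["sub"])
    print("identity ok:", check_identity(tok, "kube-system", "guardium-stap"))
```

Run it against real output by replacing `SAMPLE_SECRET` with the file contents; a `sub` that names a different namespace or service account means the wrong Secret was selected in step 7.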

8. Create a Docker credential secret to pull the External S-TAP container image from the Docker Hub registry:

$ kubectl create secret docker-registry <secret_name> \
--docker-server=docker.io \
--docker-username=<DOCKER_USERNAME> \
--docker-password=<DOCKER_PASSWORD> \
--docker-email=<DOCKER_EMAIL>

9. IBM Guardium S-TAP uses TLS certificates for secure communication. Connect to your IBM Guardium Amazon EC2 instance with the key pair used to install IBM Guardium, to retrieve the certificate for the External S-TAP:

$ ssh -i <ssh_key_file> cli@<IBM_Guardium_CM_ip>

10. Run the following command to retrieve the SSL certificate token to configure in IBM Guardium (figure 2):

$ show certificate external_stap

Sample screenshot showing the result of the 'show certificate external_stap' command. Here it shows the certificates that are available for use.

Figure 2. SSL certificate service account token.

Deploy external S-TAP from the IBM Guardium admin console

11. Log in to your IBM Guardium CM admin console. On the Menu choose Manage, then choose Activity Monitoring, then select External S-TAP Control. Select the + button in the top left corner to add a new External S-TAP.

12. Configure the Amazon EKS cluster and external S-TAP preferences in the Kubernetes tab (figure 3):

Sample screenshot showing the kubernetes tab in the External S-TAP configuration dialog.

Figure 3. Configure external S-TAP in Amazon EKS.

13. Click on the Docker tab to configure the Docker Hub information to retrieve the container image (figure 4):

Sample screenshot showing the docker tab in the External S-TAP configuration dialog.

Figure 4. Configure the External S-TAP Docker image and credentials.

14. Open the Amazon RDS console and click on Databases to display a list of your database instances.

15. Click on the Amazon Aurora PostgreSQL cluster created in step 1 (figure 5).

16. On the Connectivity & security tab, copy the endpoint name and port as shown in figure 5:

Sample screenshot showing the list of Aurora databases in the AWS management console.

Figure 5. Retrieve your Amazon Aurora PostgreSQL endpoint name and port.

17. Navigate back to the IBM Guardium console. From the Database tab, enter the information collected in the previous step to configure your database details in External S-TAP (figure 6):

Sample screenshot showing the database tab in the External S-TAP configuration dialog.

Figure 6. Configure Amazon Aurora host and port for the External S-TAP.

18. In the Guardium tab (figure 7) enter the IP address of the Amazon EC2 instance running IBM Guardium, as mentioned in the prerequisites section of this blog:

Figure 7. Enter the IP address of the Amazon EC2 instances running IBM Guardium.

19. Configure the certificate details for the External S-TAP secure connection (figure 8):

Sample screenshot showing the certificate tab in the External S-TAP configuration dialog.

Figure 8. Configure SSL certificates for the External S-TAP connection.

20. Click on the Apply button to deploy the external S-TAP on Amazon EKS. You should see the external S-TAP in the IBM Guardium Console with status Green (figure 9):

Sample screenshot of Guardium console showing the external S-TAP as green.

Figure 9. External S-TAP status on Amazon EKS.

Validation

21. Run the following command to retrieve the External S-TAP service hostname:

$ kubectl get svc -n kube-system

22. Create a new connection from your DB client UI or the psql client on the bastion host. Use the External S-TAP service hostname in place of the Amazon Aurora endpoint, together with the Amazon Aurora port, username and password (figure 10):

Figure 10. Create Amazon Aurora connection in DB client.
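Steps 21 and 22 hinge on one detail: the client must connect to the NLB hostname of the External S-TAP Service, not to the Amazon Aurora endpoint, otherwise the traffic never passes through the S-TAP and nothing is captured. The following Python script is an added example, not code from the original post or from IBM: it parses the JSON form of the `kubectl get svc -n kube-system -o json` output from step 21, picks the LoadBalancer Service that exposes the Aurora port, and builds the matching `psql` invocation. The Service list, the Service name `guardium-external-stap`, the NLB hostname and the database/user names below are constructed sample values; the real Service name and hostname come from your cluster.

```python
"""Locate the External S-TAP NLB endpoint and build the validation connection.

Added example (not from the original post). Assumes the Service list is the
JSON output of `kubectl get svc -n kube-system -o json` and that the External
S-TAP Service is of type LoadBalancer exposing the Amazon Aurora port.
The sample data below is constructed for illustration.
"""
import json
import shlex


def find_stap_endpoint(svc_list_json: str, db_port: int) -> tuple:
    """Return (hostname, port) of the LoadBalancer Service exposing db_port.

    The NLB hostname is the new database endpoint: clients must use it so that
    their traffic is intercepted by the External S-TAP.
    """
    svc_list = json.loads(svc_list_json)
    for svc in svc_list.get("items", []):
        spec = svc.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue
        if db_port not in [p["port"] for p in spec.get("ports", [])]:
            continue
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress", [])
        if not ingress:
            # The NLB exists but AWS has not published its DNS name yet.
            raise RuntimeError(f"Service {svc['metadata']['name']} has no NLB hostname yet")
        return ingress[0]["hostname"], db_port
    raise LookupError(f"no LoadBalancer Service in the list exposes port {db_port}")


def psql_command(host: str, port: int, dbname: str, user: str, sslmode: str = "require") -> str:
    """Build the psql command for step 22 (password is prompted, never embedded).

    sslmode should match the certificate configuration from step 19.
    """
    conn = f"host={host} port={port} dbname={dbname} user={user} sslmode={sslmode}"
    return f"psql {shlex.quote(conn)}"


# --- constructed sample data (not real cluster output) ---
SAMPLE_SVC_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # a ClusterIP service that must be skipped
            "metadata": {"name": "kube-dns", "namespace": "kube-system"},
            "spec": {"type": "ClusterIP", "ports": [{"port": 53, "protocol": "UDP"}]},
            "status": {"loadBalancer": {}},
        },
        {   # the External S-TAP service fronted by an NLB (name is a sample value)
            "metadata": {"name": "guardium-external-stap", "namespace": "kube-system"},
            "spec": {"type": "LoadBalancer", "ports": [{"port": 5432, "protocol": "TCP"}]},
            "status": {"loadBalancer": {"ingress": [
                {"hostname": "sample-nlb-0123456789.elb.us-east-1.amazonaws.com"}
            ]}},
        },
    ],
})

if __name__ == "__main__":
    host, port = find_stap_endpoint(SAMPLE_SVC_LIST, 5432)
    print("connect via External S-TAP at:", host, port)
    print(psql_command(host, port, "postgres", "dbadmin"))
```

The printed `psql` line is the connection to use for the validation queries in step 23. To make the monitored path the only path, the Aurora security group should accept connections from the External S-TAP's source addresses rather than from the client networks directly; a client that still points at the Aurora endpoint bypasses monitoring.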

23. After a successful connection, generate traffic by running create or select commands (figure 11):

Sample screenshot showing query execution results in the DB Client UI

Figure 11. Generate SQL traffic in Amazon Aurora.

24. The external S-TAP captures the traffic and makes it visible in the IBM Guardium dashboard (figure 12):

Sample screenshot of IBM Guardium dashboard showing Amazon Aurora traffic details.

Figure 12. IBM Guardium Dashboard showing Amazon Aurora traffic details.

This validation shows you how the IBM Guardium external S-TAP is intercepting traffic from Amazon Aurora for monitoring. You can also create policies in your IBM Guardium console to enforce security as a business requirement.

Clean up

To clean up resources, complete the following steps:

  1. Terminate your IBM Guardium Amazon EC2 instance following the steps given here.
  2. Delete your Amazon Aurora PostgreSQL instance following the steps given here.
  3. Delete your Amazon EKS managed node group following the steps given here.
  4. Delete your Amazon EKS cluster following the steps given here.

Summary

Integrating IBM Guardium with Amazon RDS provides the security, compliance, and data protection capabilities that you need for your database infrastructure. By leveraging IBM Guardium’s advanced monitoring, threat detection, and compliance reporting features, you can confidently manage your data and mitigate risks in your Amazon RDS environment. In this post, you learned how to configure External S-TAP for monitoring, data protection and also define the policies via IBM Guardium console.

Visit the AWS Marketplace to subscribe to the IBM Security solutions on AWS:
