AWS Database Blog

Configure Amazon Aurora PostgreSQL database activity streams for monitoring in IBM Guardium

In this post, we guide you through the steps to set up Amazon Aurora PostgreSQL-Compatible Edition database activity streams (DAS) for monitoring in IBM Guardium. Here, we are using IBM Guardium version 11.5.

Aurora PostgreSQL-Compatible is a fully managed, PostgreSQL-compatible, ACID-compliant relational database engine that combines the speed, reliability, and manageability of Amazon Aurora with the simplicity and cost-effectiveness of open-source databases.

IBM Guardium is an IBM Security product that provides database activity monitoring and data protection capabilities. IBM Guardium continuously monitors the activity within your Aurora databases in real time. It captures and analyzes SQL statements, login attempts, and administrative actions. By providing immediate visibility into database activity, Guardium enables you to promptly identify and respond to suspicious or unauthorized activities. It employs advanced analytics and machine learning (ML) techniques to detect and prevent potential security threats. It also helps safeguard sensitive data stored in Amazon Relational Database Service (Amazon RDS) by enforcing data protection policies.

You can establish granular access controls and monitor privileged user activities within your Amazon RDS environment. IBM Guardium helps organizations maintain compliance with a wide range of regulations and standards, including GDPR, HIPAA, PCI DSS, and more. It provides pre-built compliance reports and templates, as well as customizable policies and rules, to help you meet your compliance requirements. Refer to Supported Platforms and Requirements for Guardium Data Protection 11.5 to find platforms supported by IBM Guardium.

Solution overview

The following diagram illustrates the high-level steps to configure Aurora DAS for monitoring in IBM Guardium.

The workflow includes the following steps:

  1. Enable database activity streams. If you get the error “You can’t start a database activity stream in this configuration,” check Supported DB instance classes for database activity streams to see whether your DB cluster is using a supported instance class.
  2. Aurora creates an Amazon Kinesis data stream automatically. You can get the status of an activity stream for your RDS database instance using the Amazon RDS console or the AWS Command Line Interface (AWS CLI).
  3. Configure the Kinesis data stream in IBM Guardium. IBM Guardium is a data collector that runs on Amazon Elastic Compute Cloud (Amazon EC2) and captures database activity from your RDS instances.
  4. After you configure DAS in IBM Guardium, you are ready to configure the IBM Guardium policies that define what data to collect and how to handle it.

IBM Guardium allows you to analyze the data captured from Amazon RDS to gain deeper insights into database activity. You can use IBM Guardium’s built-in analytics capabilities to identify trends and patterns, detect anomalies, and generate reports. This helps you better understand how your databases are being used and identify areas where you may need to improve security or compliance. You can also set up alerts and notifications to notify you of potential security threats or compliance violations.

If IBM Guardium detects a security threat or compliance violation, it can trigger an alert or notification. You can configure IBM Guardium to automatically respond to these alerts, such as by blocking the offending user or IP address, or by sending an email notification to your security team. This helps you quickly respond to potential security threats and minimize the impact on your business.

In the following sections, we present the steps to enable the data activity stream and configure the IBM Guardium instance on Amazon EC2.

Prerequisites

This post assumes that you have the following prerequisites:

Start a database activity stream

To enable database activity monitoring, follow the steps in Starting a database activity stream.

Create an IAM role

The IAM role allows the delegation of temporary permission to access AWS services, thereby avoiding long-term credentials. For more information, refer to Creating IAM roles. Complete the following steps:

  1. Create a role with the following IAM policies:
    a. Guardium-das-policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kinesis:ListStreams",
                    "cloudwatch:PutMetricData",
                    "cloudwatch:GetMetricStatistics"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kinesis:RegisterStreamConsumer",
                    "kinesis:DescribeStreamConsumer",
                    "kinesis:DescribeStreamSummary",
                    "kinesis:DescribeStream",
                    "kinesis:GetShardIterator",
                    "kinesis:GetRecords",
                    "kinesis:ListShards",
                    "kinesis:ListStreamConsumers",
                    "kinesis:SubscribeToShard"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kms:Decrypt"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "dynamodb:CreateTable",
                    "dynamodb:DescribeTable",
                    "dynamodb:GetItem",
                    "dynamodb:PutItem",
                    "dynamodb:Scan",
                    "dynamodb:UpdateItem",
                    "dynamodb:DeleteItem"
                ],
                "Resource": "*"
            }
        ]
    }

    b. assume-role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "sts:AssumeRole"
                ],
                "Resource": "*"
            }
        ]
    }
  2. Add the following IAM trust policy statement:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "ec2.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS":"arn:aws:sts::<<account-id>>:assumed-role/<<iam-rolename>>/<<Guardium-instance-id>>"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

    You can further restrict these permissions as needed.

    Now you can attach the role to the IBM Guardium EC2 instance.

  3. On the Amazon EC2 console, choose Instances in the navigation pane.
  4. Select your Guardium instance.
  5. On the Actions menu, choose Security, then choose Modify IAM role.
  6. Choose the IAM role that you created to attach to the Guardium instance.
  7. Choose Save.
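The Guardium-das-policy above grants every action on Resource "*", and the post notes that you can restrict it further. As an added example (not code from the post, AWS, or IBM), the following Python narrows each statement to the specific Kinesis stream and consumer, KMS key, and DynamoDB table, leaving "*" only for the APIs that do not support resource-level permissions. The stream, key, and table ARNs are constructed sample values, and the table name is an assumption.

```python
import copy

# Constructed sample ARNs (not from the post): the Kinesis stream Aurora creates for a
# DAS-enabled cluster, the KMS key chosen when starting the stream, and an assumed
# name for the DynamoDB table the Guardium consumer uses for checkpoints.
REGION, ACCOUNT = "us-east-1", "111122223333"
STREAM_ARN = f"arn:aws:kinesis:{REGION}:{ACCOUNT}:stream/aws-rds-das-cluster-EXAMPLERESOURCEID"
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
DDB_TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/guardium-das-checkpoints"

# These APIs have no resource-level permissions, so "*" is the only valid Resource for them.
WILDCARD_ONLY = {"kinesis:ListStreams", "cloudwatch:PutMetricData", "cloudwatch:GetMetricStatistics"}

GUARDIUM_DAS_POLICY = {  # the post's Guardium-das-policy, in compact form
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "kinesis:ListStreams", "cloudwatch:PutMetricData", "cloudwatch:GetMetricStatistics"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "kinesis:RegisterStreamConsumer", "kinesis:DescribeStreamConsumer",
            "kinesis:DescribeStreamSummary", "kinesis:DescribeStream", "kinesis:GetShardIterator",
            "kinesis:GetRecords", "kinesis:ListShards", "kinesis:ListStreamConsumers",
            "kinesis:SubscribeToShard"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["kms:Decrypt"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem",
            "dynamodb:Scan", "dynamodb:UpdateItem", "dynamodb:DeleteItem"]},
    ],
}

def scope_das_policy(policy: dict, stream_arn: str, kms_key_arn: str, table_arn: str) -> dict:
    """Return a copy of the policy with every narrowable Resource "*" replaced by a specific ARN."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        actions = stmt["Action"]
        if set(actions) <= WILDCARD_ONLY:
            continue  # must stay "*"; nothing to narrow
        if all(a.startswith("kinesis:") for a in actions):
            # stream APIs (including RegisterStreamConsumer) authorise on the stream ARN;
            # DescribeStreamConsumer and SubscribeToShard on the registered consumer's ARN
            stmt["Resource"] = [stream_arn, f"{stream_arn}/consumer/*"]
        elif all(a.startswith("kms:") for a in actions):
            stmt["Resource"] = kms_key_arn
        elif all(a.startswith("dynamodb:") for a in actions):
            stmt["Resource"] = table_arn
        else:
            raise ValueError(f"statement mixes services, split it first: {actions}")
    return scoped
```

After scoping, only the first statement keeps Resource "*", so a policy review can focus on whether those three list-and-metric actions are acceptable account-wide.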

Configure the data activity stream in IBM Guardium

Complete the following steps to configure the data activity stream in Guardium:

  1. Log in to the IBM Guardium web console.
  2. Browse to Discover, Database Discovery, Cloud DB Service Protection.
  3. Create a Cloud DB Service Account with the following details:
    • For Name, enter Cloud DB Service Account.
    • For Provider, choose Amazon.
    • For Audit type, select Data Streams.
    • For Authentication type, select IAM Instance Profile.
    • For Role ARN, enter the ARN of the role created.
  4. Choose Create.
  5. Select the row of each Region whose streams you want to discover and choose Discover.
  6. Optionally, use the filter to limit your search. For example, enter us to show only data streams that contain the letters “us.”

    IBM Guardium searches the Regions and adds any new streams from the selected Regions to the Streams table.
  7. Select a stream and then choose Enable Monitoring.
  8. In Start monitoring stream, provide the following information:
    1. For DB Type, choose the database type (for this post, choose Aurora PostgreSQL).
    2. For DB DNS endpoint, enter your DB DNS endpoint.
      You can find the DB DNS endpoint on the Connectivity & security tab on the Amazon RDS console. Use the endpoint of the writer instance.
    3. For Port, enter the DB DNS endpoint port (for example, 5432).
    4. For Cluster resource ID, enter the cluster resource ID of the RDS cluster associated with the stream.
      You can find the cluster resource ID on the Configuration tab of the Amazon RDS console, under the label Resource ID. If you enter an invalid or unknown cluster resource ID, an error is reported in the status for the stream.
    5. For Consumer group name, enter a meaningful name.
      This determines whether multiple consumers have a shared or separate view of this data stream. The consumer group name can be any unique name. To share the data stream view, use the same consumer group name.
  9. Choose OK.

After your data streams are enabled and running, you can use the Streams table to track and manage the data streams. The meaning of the status colors is as follows:

  • Green – Good or stream is enabled and receiving inbound records
  • Blue – Not yet configured
  • Grey – Unavailable
  • Yellow – Warning, usually with the message consumerNoInboundRecords
  • Red – An error condition

IBM Guardium policies

After you configure the DAS in IBM Guardium, you can set policies, rules, and actions that are applied in real time to the database traffic observed by a Guardium system. Policies define which traffic is ignored or logged, which activities require more granular logging, and which activities should trigger an alert or block access to the database. To learn more about the types of policies and rules, and how to create or modify a policy, refer to Policies.

Clean up

To clean up resources, complete the following steps:

  1. On the Streams table, choose Disable Monitoring.
  2. Delete the Cloud DB Service Account.
  3. On the Amazon RDS console, navigate to the RDS instance and disable the data activity stream.
  4. Delete the RDS instance.
  5. On the Amazon EC2 console, stop the IBM Guardium EC2 instance.

Summary

Overall, integrating Amazon RDS with IBM Guardium enhances the security, compliance, and data protection capabilities of your database infrastructure. With Guardium’s advanced monitoring, threat detection, and compliance reporting features, you can confidently manage your data and mitigate risks in your Amazon RDS environment. In this post, you learned how to set up an Aurora PostgreSQL-Compatible DAS for monitoring in IBM Guardium and define the policies in IBM Guardium.

To discover more about the IBM Guardium offering, refer to the following:

If you have feedback about this post, submit it in the comments section.

Authors

Supriya Kanjilal is an AWS Security Architect at IBM with more than 15 years of industry experience, specialized in cybersecurity and cloud migration strategy. He is working on an IBM-AWS strategic partnership. In his role, he helps customers design, plan, and architect IBM software solutions on the AWS Cloud.

Rishit G. Barochia is a Cloud Software Architect at IBM. His experience includes technical architecture, cloud, microservices architectures, and hybrid solutions. He is working on an IBM-AWS strategic partnership. In his role, he helps customers design, plan, and architect IBM software solutions on the AWS Cloud.

Senthil Nagaraj is a Partner Solutions Architect with Amazon Web Services and is based in Virginia. He enjoys providing creative solutions for customer problems, while still being fascinated by how cloud computing is driving the art of possible.