IBM Security Guardium


Hybrid Cloud Data Protection using AWS DAS

By Gali Diamant posted Tue July 09, 2019 07:02 PM

  

This is part 2 of our Hybrid Multicloud Data Protection with IBM Security Guardium series. Read the introduction here; part 1 can be found here.

New in Guardium V11: Guardium integrates with AWS Database Activity Monitoring (DAS) to consume audit information from Aurora PostgreSQL instances.

An activity information stream is pushed from the DB instance to an Amazon Kinesis data stream. Guardium connects to the stream to read this information.

This capability provides a near real-time stream of database activity from the relational database.

[Figure: streaming.png]

Setup

Setup is required on both AWS and Guardium to connect the two ends and enable streaming between the two products.

No additional components need to be installed for supporting the streaming.

 

In your AWS console:

  • Create a new KMS key
  • Create an Amazon RDS cluster that uses the Aurora PostgreSQL-compatible engine with PostgreSQL 10.7
  • Enable Database Activity Monitoring
  • Define an AWS IAM policy

In your Guardium GUI:

  • Define a Guardium cloud DB service account
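The "Define an AWS IAM policy" step above is where least privilege is decided: the identity Guardium uses only needs to read the Kinesis stream that DAS writes to and to decrypt records with the KMS key chosen when the activity stream was enabled. The following is an added example, not Guardium's or AWS's own code: it builds such a policy scoped to one stream ARN and one key ARN, and includes a small check that flags wildcard resources or actions before the policy is attached. The exact action set Guardium requires is documented in the IBM Knowledge Center link below; the Kinesis and KMS actions used here are the standard ones a stream consumer needs and are an assumption of this example, as are the ARNs, which are constructed placeholders.

```python
"""Build and sanity-check a least-privilege IAM policy for a DAS consumer.

Added example, not code from IBM Security Guardium or AWS. Assumptions:
the consumer needs the standard Kinesis read actions plus KMS Decrypt on
the activity stream's key; the ARNs below are constructed placeholders.
"""
import json
from typing import Dict, List

# Standard read-side Kinesis actions for a stream consumer (assumption:
# the exact set Guardium needs is in the IBM documentation).
KINESIS_READ_ACTIONS = [
    "kinesis:DescribeStream",
    "kinesis:GetShardIterator",
    "kinesis:GetRecords",
    "kinesis:ListShards",
]
# DAS records are encrypted with the KMS key chosen when DAS was enabled,
# so the consumer must be able to decrypt with that key and nothing else.
KMS_READ_ACTIONS = ["kms:Decrypt", "kms:DescribeKey"]


def build_das_consumer_policy(stream_arn: str, kms_key_arn: str) -> Dict:
    """Return an IAM policy document scoped to one stream and one key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadActivityStream",
                "Effect": "Allow",
                "Action": KINESIS_READ_ACTIONS,
                "Resource": stream_arn,
            },
            {
                "Sid": "DecryptActivityRecords",
                "Effect": "Allow",
                "Action": KMS_READ_ACTIONS,
                "Resource": kms_key_arn,
            },
        ],
    }


def _as_list(value) -> List[str]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_overbroad_statements(policy: Dict) -> List[str]:
    """Return the Sids of Allow statements that use wildcard resources or
    service-wide / global wildcard actions. An empty list means the policy
    passes this (deliberately simple) least-privilege check."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_resource = any(r == "*" for r in resources)
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_resource or wildcard_action:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def render_policy(policy: Dict) -> str:
    """Serialise the policy as the JSON text you would paste into the console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed placeholder ARNs; replace with the real stream and key.
    stream = "arn:aws:kinesis:us-east-1:111122223333:stream/EXAMPLE-das-stream"
    key = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    policy = build_das_consumer_policy(stream, key)
    problems = find_overbroad_statements(policy)
    print(render_policy(policy))
    print("overbroad statements:", problems or "none")
```

Run the script, review the printed document, and attach it to the IAM principal whose credentials you enter when defining the Guardium cloud DB service account. The check is intentionally narrow: it catches the common mistake of granting `kinesis:*` or `Resource: "*"` to a monitoring integration, which would let a compromised service account read every stream in the account.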

Limitations

  • DAS is supported for Aurora PostgreSQL v11.7.
  • DAS is not supported in all AWS regions.
  • The following are not sent by AWS:
    • Returned data
    • SQL errors
  • Since data is collected and sent by AWS, some Guardium features are not supported:
    • S-TAP-related policies such as S-GATE, Ignore, Terminate, Redact
    • Extrusion rules

More information about Cloud DB Data Protection can be found at https://www.ibm.com/support/knowledgecenter/en/SSMPHH_11.0.0/com.ibm.guardium.doc/discover/cloud_db_add_stream.html

For AWS documentation regarding Data Activity Monitoring, see
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.html
