This is part 2 of our Hybrid Multicloud Data Protection with IBM Security Guardium series. Read the introduction here; part 1 can be found here.
New in Guardium V11 is an integration with AWS Database Activity Streams (DAS), which Guardium uses to consume audit information from Aurora PostgreSQL instances.
AWS pushes the activity stream from the Aurora cluster to an Amazon Kinesis data stream; Guardium connects to that Kinesis stream and reads the records from it.
The result is a near real-time stream of database activity from the relational database, without an agent on the database host.
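To make concrete what a consumer such as Guardium does with each Kinesis record, here is an added Python example (it is not IBM's or Guardium's code, and the policy it applies is not a Guardium policy). The envelope and event field names (`databaseActivityEvents`, `key`, `databaseActivityEventList`, `class`, `heartbeat`, and so on) follow the record format AWS documents for activity streams; the cluster IDs, table names, hosts, statements and the three alert rules are constructed for this example. AWS encrypts each payload with a data key that is itself wrapped by the KMS key from the setup steps, so a real consumer has to call kms:Decrypt and the AWS Encryption SDK before it can gunzip the payload; because that step cannot run offline, the example takes the decryptor as a parameter and passes a labelled pass-through stand-in. Note that every rule here can only alert after the statement has already executed, which is exactly why inline actions are out of reach for a stream-based integration.

```python
"""Parse Aurora PostgreSQL activity-stream records and run alert-only rules over them."""
import base64
import gzip
import json
from typing import Callable, List, Tuple

# Event classes in the AWS record format that change schema or privileges.
PRIVILEGED_CLASSES = {"DDL", "ROLE"}

# Constructed policy inputs for this example (not Guardium configuration).
SENSITIVE_TABLES = {"customers", "payment_cards"}
APP_SUBNET_PREFIX = "10.0.1."      # only hosts here may touch the sensitive tables

Decryptor = Callable[[bytes, bytes], bytes]
Finding = Tuple[str, str, str]     # (rule name, who/where, detail)


def unwrap_record(kinesis_data: bytes, decrypt: Decryptor) -> dict:
    """Turn one Kinesis record body into the plaintext activity record.

    The body is a JSON envelope: 'databaseActivityEvents' is the base64 encrypted
    payload, 'key' is the base64 KMS-wrapped data key. A production decryptor must
    call kms:Decrypt on the wrapped key (encryption context
    {'aws:rds:dbc-id': <cluster resource id>}) and then run the AWS Encryption SDK
    over the payload with that data key; the output of that is gzip data.
    """
    envelope = json.loads(kinesis_data)
    if envelope.get("type") != "DatabaseActivityMonitoringRecords":
        raise ValueError("unexpected envelope type: %r" % envelope.get("type"))
    ciphertext = base64.b64decode(envelope["databaseActivityEvents"])
    wrapped_key = base64.b64decode(envelope["key"])
    return json.loads(gzip.decompress(decrypt(ciphertext, wrapped_key)))


def evaluate(record: dict) -> List[Finding]:
    """Apply alert-only rules to every event in a decrypted record."""
    out: List[Finding] = []
    for ev in record["databaseActivityEventList"]:
        if ev.get("type") == "heartbeat":          # AWS emits these while the DB is idle
            continue
        if ev.get("class") in PRIVILEGED_CLASSES:
            out.append(("privileged-statement", ev["dbUserName"], ev["commandText"]))
        if ev.get("objectName") in SENSITIVE_TABLES and not ev["remoteHost"].startswith(APP_SUBNET_PREFIX):
            out.append(("sensitive-access-from-unexpected-host", ev["remoteHost"], ev["commandText"]))
        if ev.get("errorMessage"):
            out.append(("failed-statement", ev["dbUserName"], ev["errorMessage"]))
    return out


def _event(cls, user, host, text, obj=None, err=None) -> dict:
    """Build one event in the AWS record format (values constructed for this example)."""
    return {"type": "record", "class": cls, "dbUserName": user, "remoteHost": host,
            "commandText": text, "objectName": obj, "objectType": "TABLE" if obj else None,
            "errorMessage": err, "databaseName": "postgres", "serverType": "PostgreSQL",
            "dbProtocol": "Postgres 3.0", "clientApplication": "psql"}


# Constructed sample: one heartbeat, one benign read, and three events worth alerting on.
SAMPLE_RECORD = {
    "type": "DatabaseActivityMonitoringRecord",
    "clusterId": "cluster-EXAMPLE",
    "instanceId": "db-EXAMPLE",
    "databaseActivityEventList": [
        {"type": "heartbeat"},
        _event("READ", "app", "10.0.1.5", "select id from customers where id = $1", "customers"),
        _event("READ", "analyst", "203.0.113.7", "select * from payment_cards", "payment_cards"),
        _event("ROLE", "analyst", "203.0.113.7", "alter role analyst superuser"),
        _event("WRITE", "app", "10.0.1.5", "delete from payment_cards", "payment_cards",
               err="permission denied for table payment_cards"),
    ],
}


def _no_crypto(ciphertext: bytes, wrapped_key: bytes) -> bytes:
    """Stand-in for the KMS + Encryption SDK step so the example runs offline."""
    return ciphertext


# The Kinesis record body as AWS would deliver it, minus the encryption layer.
SAMPLE_KINESIS_BODY = json.dumps({
    "type": "DatabaseActivityMonitoringRecords",
    "version": "1.0",
    "databaseActivityEvents": base64.b64encode(gzip.compress(json.dumps(SAMPLE_RECORD).encode())).decode(),
    "key": base64.b64encode(b"wrapped-data-key-placeholder").decode(),
}).encode()


def run_sample() -> List[Finding]:
    """Decode the constructed record and return the alerts the rules raise on it."""
    return evaluate(unwrap_record(SAMPLE_KINESIS_BODY, _no_crypto))


if __name__ == "__main__":
    for kind, who, detail in run_sample():
        print(f"{kind:40} {who:15} {detail}")
```

Running the block prints three alerts: the read of `payment_cards` from a host outside the application subnet, the `alter role ... superuser` statement, and the failed delete. The benign read from 10.0.1.5 and the heartbeat produce nothing. Keeping the decryptor pluggable also lets you unit-test the rule set without an AWS account, and then bind the real KMS/Encryption SDK decryptor in deployment.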
Setup
Setup is required on both the AWS side and the Guardium side, to connect the two ends and enable streaming between the two products.
No additional components need to be installed to support the streaming.
In your AWS console:
- Create a new KMS key
- Create an Amazon RDS cluster that uses the Aurora PostgreSQL-compatible engine (PostgreSQL 10.7)
- Enable Database Activity Streams on the cluster, using the KMS key created above
- Define an AWS IAM policy for the credentials Guardium will use; they must be able to read the Kinesis data stream and decrypt with the KMS key
In your Guardium GUI
- Define a Guardium cloud DB service account
Limitations
- DAS is supported for Aurora PostgreSQL v11.7.
- DAS is not supported in all AWS regions.
- The following is not sent by AWS
- Because the data is collected and sent by AWS rather than by a Guardium agent on the database host, and arrives after the statement has already executed, Guardium features that act inline on the connection are not supported:
  - S-TAP-related policies such as S-GATE, Ignore, Terminate, Redact
  - Extrusion rules
More information about Cloud DB Data Protection can be found at https://www.ibm.com/support/knowledgecenter/en/SSMPHH_11.0.0/com.ibm.guardium.doc/discover/cloud_db_add_stream.html
For AWS documentation regarding Database Activity Streams, see
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.html