Classification Checklist for RDS Configurations
- Updated on 25 Jul 2024
Customer Managed Key Permissions for RDS
If the RDS instances are encrypted using a Customer Managed Key with customized permissions, then the Acante lambda needs permissions to use this Key to decrypt and restore the RDS snapshots for classification.
Note: This is not required if using the AWS Managed Key for the RDS encryption.
Two options are supported to do this:
Option 1: Modify the policy for the KMS Key(s)
Add the following statement to the KMS key policy of each key <key_ID>.
Finding the <acante-sampler-lambda-Role-ARN> on your AWS console:
- IAM → Roles → Search for “acante-sampler-lambda”
- Click on the Role shown
- Copy the ARN and update it in the policy block below
Add the following Statement to the statement array in the Key policy:
{
  "Sid": "Enable KMS Key Access for Classification",
  "Effect": "Allow",
  "Principal": {
    "AWS": "<acante-sampler-lambda-Role-ARN>"
  },
  "Action": [
    "kms:CreateGrant",
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:Encrypt",
    "kms:ListGrants",
    "kms:RetireGrant"
  ],
  "Resource": "arn:aws:kms:<region>:<accountID>:key/<key_ID>"
}
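A common mistake when following this step is to overwrite the whole key policy instead of appending to its statement array, which removes the account's own administrative access to the key. The following added example (not part of the Acante documentation or tooling) merges the statement above into an existing key policy while preserving every statement already there, and then verifies that the lambda role ends up with all six actions on the key. The role ARN, account ID, region and key ID are constructed placeholders standing in for <acante-sampler-lambda-Role-ARN>, <accountID>, <region> and <key_ID>.

```python
"""Merge the classification statement into an existing KMS key policy.

Added example, not part of the Acante documentation or tooling. All ARNs,
account IDs and key IDs here are constructed placeholders.
"""
import copy
import json
import re

SID = "Enable KMS Key Access for Classification"
REQUIRED_ACTIONS = [
    "kms:CreateGrant",
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:Encrypt",
    "kms:ListGrants",
    "kms:RetireGrant",
]
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

# Constructed sample: the default key policy AWS creates, which only grants
# the account root (and thus IAM policies in the account) access to the key.
SAMPLE_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": {
    "Sid": "Enable IAM User Permissions",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "kms:*",
    "Resource": "*"
  }
}"""
ROLE_ARN = "arn:aws:iam::123456789012:role/acante-sampler-lambda"  # constructed
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # constructed


def classification_statement(role_arn, key_arn):
    """The statement from the page, with the placeholders filled in."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    if not key_arn.startswith("arn:aws:kms:"):
        raise ValueError(f"not a KMS key ARN: {key_arn}")
    return {
        "Sid": SID,
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": list(REQUIRED_ACTIONS),
        "Resource": key_arn,
    }


def load_policy(policy_json):
    """Parse a key policy and normalise "Statement" to a list
    (KMS accepts a single statement object as well as an array)."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    policy["Statement"] = [stmts] if isinstance(stmts, dict) else list(stmts)
    return policy


def add_classification_statement(policy, role_arn, key_arn):
    """Return a copy of `policy` with the classification statement appended.
    Existing statements are kept untouched, and the call is idempotent:
    a statement with our Sid that is already present is left as-is."""
    new_policy = copy.deepcopy(policy)
    if any(s.get("Sid") == SID for s in new_policy["Statement"]):
        return new_policy
    new_policy["Statement"].append(classification_statement(role_arn, key_arn))
    return new_policy


def verify_classification_access(policy, role_arn, key_arn):
    """True if some unconditioned Allow statement names `role_arn` as an AWS
    principal and covers every required action on `key_arn` (or on "*")."""
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow" or s.get("Condition"):
            continue
        principal = s.get("Principal", {})
        principals = principal.get("AWS", []) if isinstance(principal, dict) else []
        principals = [principals] if isinstance(principals, str) else principals
        if role_arn not in principals:
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = s.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        covers_actions = "kms:*" in actions or set(REQUIRED_ACTIONS) <= set(actions)
        if covers_actions and any(r in ("*", key_arn) for r in resources):
            return True
    return False


def render_policy(policy):
    """Serialise the policy document for `aws kms put-key-policy`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    original = load_policy(SAMPLE_POLICY_JSON)
    updated = add_classification_statement(original, ROLE_ARN, KEY_ARN)
    print(render_policy(updated))
    print("lambda role can use key:", verify_classification_access(updated, ROLE_ARN, KEY_ARN))
```

In practice the input comes from `aws kms get-key-policy --key-id <key_ID> --policy-name default --output text`, and the rendered output is written back with `aws kms put-key-policy --key-id <key_ID> --policy-name default --policy file://policy.json`. Running `verify_classification_access` against the policy fetched again after the update confirms the change actually landed.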
Option 2: Add a Tag to KMS Key(s)
The Acante Sampler lambda has a tag-based policy that allows it access to KMS keys carrying a tag (a key:value pair) that can be provided as an input variable. By default the lambda is configured to use the tag:
key = "acante-rdsdb-decrypt-use"
value = "true"
- In the AWS Console, add the above tag to the KMS Key(s) of interest
To modify the default tag, edit the Terraform file variables.tf and uncomment the lines:
sampler-kms-key-condition-tags = [{
key = "acante-rdsdb-decrypt-use"
value = "true"
}]
You can modify the default key-value shown above if desired and apply the same change to the KMS Key(s).
Automated Snapshots
This is generally a standard configuration. The Acante RDS classifier can classify RDS instances that have automated snapshots enabled:
- Backup retention period should be > 0
- Only automated snapshots are supported at this time since manual snapshots may have partial content
Tag Propagation to Snapshots
Tags from RDS should be propagated to the snapshots
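The three checklist items above (customer managed key access via the tag option, automated snapshots with a retention period above zero, and tag propagation to snapshots) can be verified before the classifier runs. The following added example (not part of the Acante documentation or tooling) does that over data shaped like the responses of `rds describe-db-instances`, `kms describe-key` and `kms list-resource-tags`; the instances and keys are constructed. It assumes the tag-propagation requirement corresponds to the instance's CopyTagsToSnapshot setting, and it only checks the tag-based option (Option 2) for key access, since a key policy is not part of its input.

```python
"""Pre-flight checklist for RDS instances before Acante classification.

Added example, not part of the Acante documentation or tooling. The
instances and keys below are constructed sample data.
"""

REQUIRED_TAG = ("acante-rdsdb-decrypt-use", "true")  # default tag from the page

# Constructed key ARNs (account ID and key IDs are placeholders).
KEY_TAGGED = "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-0000-0000-0000-000000000001"
KEY_UNTAGGED = "arn:aws:kms:us-east-1:123456789012:key/bbbbbbbb-0000-0000-0000-000000000002"
KEY_AWS_MANAGED = "arn:aws:kms:us-east-1:123456789012:key/cccccccc-0000-0000-0000-000000000003"

# Constructed: shaped like `kms describe-key` (KeyManager) plus
# `kms list-resource-tags` (Tags), indexed by key ARN.
KEY_METADATA = {
    KEY_TAGGED: {"KeyManager": "CUSTOMER",
                 "Tags": [{"TagKey": "acante-rdsdb-decrypt-use", "TagValue": "true"}]},
    KEY_UNTAGGED: {"KeyManager": "CUSTOMER",
                   "Tags": [{"TagKey": "Owner", "TagValue": "data-platform"}]},
    KEY_AWS_MANAGED: {"KeyManager": "AWS", "Tags": []},
}

# Constructed: shaped like `rds describe-db-instances` entries.
INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True, "KmsKeyId": KEY_TAGGED,
     "BackupRetentionPeriod": 7, "CopyTagsToSnapshot": True},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": True, "KmsKeyId": KEY_UNTAGGED,
     "BackupRetentionPeriod": 0, "CopyTagsToSnapshot": False},
    {"DBInstanceIdentifier": "reports-db", "StorageEncrypted": True, "KmsKeyId": KEY_AWS_MANAGED,
     "BackupRetentionPeriod": 1, "CopyTagsToSnapshot": True},
    {"DBInstanceIdentifier": "scratch-db", "StorageEncrypted": False,
     "BackupRetentionPeriod": 3, "CopyTagsToSnapshot": True},
]


def key_has_decrypt_tag(key_meta, required=REQUIRED_TAG):
    """True if the key carries the exact key:value pair the lambda policy expects."""
    tag_key, tag_value = required
    return any(t.get("TagKey") == tag_key and t.get("TagValue") == tag_value
               for t in key_meta.get("Tags", []))


def check_instance(instance, key_metadata, required_tag=REQUIRED_TAG):
    """Return a list of human-readable findings; an empty list means ready."""
    findings = []
    name = instance["DBInstanceIdentifier"]

    if instance.get("StorageEncrypted"):
        key_arn = instance.get("KmsKeyId")
        meta = key_metadata.get(key_arn)
        if meta is None:
            findings.append(f"{name}: KMS key {key_arn} not found; cannot verify access")
        elif meta.get("KeyManager") == "CUSTOMER" and not key_has_decrypt_tag(meta, required_tag):
            findings.append(
                f"{name}: customer managed key {key_arn} lacks tag "
                f"{required_tag[0]}={required_tag[1]} (Option 2); "
                "alternatively add the key-policy statement from Option 1")
        # AWS managed keys need no extra permissions (see the note on the page).

    if instance.get("BackupRetentionPeriod", 0) <= 0:
        findings.append(f"{name}: automated snapshots disabled (backup retention period must be > 0)")

    if not instance.get("CopyTagsToSnapshot", False):
        findings.append(f"{name}: CopyTagsToSnapshot is off, so RDS tags will not reach the snapshots")

    return findings


def run_checklist(instances, key_metadata, required_tag=REQUIRED_TAG):
    """Map each instance identifier to its findings."""
    return {i["DBInstanceIdentifier"]: check_instance(i, key_metadata, required_tag)
            for i in instances}


if __name__ == "__main__":
    for name, findings in run_checklist(INSTANCES, KEY_METADATA).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

If the default tag was changed in variables.tf, pass the new pair as `required_tag` so the check matches what the lambda policy actually conditions on; a mismatch between the two is the usual cause of a key that looks tagged but still cannot be used.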