Classification Checklist for RDS Configurations
    • 25 Jul 2024

    Customer Managed Key Permissions for RDS

    If the RDS instances are encrypted with a Customer Managed Key whose key policy has been customized, the Acante lambda needs permission to use that key in order to decrypt and restore the RDS snapshots for classification.
    Note: This is not required if the AWS managed key is used for RDS encryption.

    Two options are supported to do this:

    Option 1: Modify the policy for the KMS Key(s)

    Add the statement below to the key policy of each KMS key (<key_ID>) that encrypts an RDS instance to be classified.
    To find the <acante-sampler-lambda-Role-ARN> in the AWS console:

    • IAM → Roles → Search for “acante-sampler-lambda”
    • Click on the Role shown
    • Copy the ARN and update it in the policy block below

    Add the following statement to the existing Statement array of the key policy (keep the other statements, in particular the key administrator statement, in place):

    {
        "Sid": "Enable KMS Key Access for Classification",
        "Effect": "Allow",
        "Principal": {
            "AWS": "<acante-sampler-lambda-Role-ARN>"
        },
        "Action": [
            "kms:CreateGrant",
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:Encrypt",
            "kms:ListGrants",
            "kms:RetireGrant"
        ],
        "Resource": "arn:aws:kms:<region>:<accountID>:key/<key_ID>"
    }

    Option 2: Add a Tag to KMS Key(s)

    The Acante Sampler lambda has a tag-based policy that allows it to use any KMS key carrying a tag (key/value pair) supplied as an input variable. By default the lambda is granted access to keys tagged with:

    key = "acante-rdsdb-decrypt-use"
    value = "true"
    
    • In the AWS Console, add the above tag to the KMS Key(s) of interest

    To change the default tag, edit the Terraform file variables.tf and uncomment the lines:

    sampler-kms-key-condition-tags = [{
        key   = "acante-rdsdb-decrypt-use"
        value = "true"
    }]

    You can change the default key/value pair shown above if desired; whichever pair you configure here must also be applied as a tag to the KMS key(s).
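    The two checks a reviewer would run before declaring Option 1 or Option 2 done, as an added example that is not part of this article or of Acante's own tooling: it inspects a key policy document (the dict you would get back from kms:GetKeyPolicy) for the required actions granted to the sampler role, and inspects a key's tag list (the TagKey/TagValue shape kms:ListResourceTags returns) for the decrypt tag. The account id, role name and key id in the sample are constructed placeholders.

```python
# Actions the checklist says the sampler role needs on the RDS key.
REQUIRED_ACTIONS = frozenset({
    "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
    "kms:Encrypt", "kms:ListGrants", "kms:RetireGrant",
})

def _as_list(value):
    """IAM documents allow a bare string wherever a list is valid."""
    return [] if value is None else value if isinstance(value, list) else [value]

def role_allowed_actions(policy, role_arn):
    """Return the kms actions that Allow statements grant explicitly to role_arn.
    A wildcard principal ("*") is deliberately not counted: it would satisfy the
    lambda, but a key usable by any principal is a finding in its own right."""
    allowed = set()
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or role_arn not in aws_principals:
            continue
        for action in _as_list(stmt.get("Action")):
            allowed |= set(REQUIRED_ACTIONS) if action == "kms:*" else {action}
    return allowed

def missing_actions(policy, role_arn):
    """Required actions the key policy does not grant the role (sorted, empty if complete)."""
    return sorted(REQUIRED_ACTIONS - role_allowed_actions(policy, role_arn))

def has_decrypt_tag(tags, key="acante-rdsdb-decrypt-use", value="true"):
    """Option 2 check; tags use the TagKey/TagValue shape that kms:ListResourceTags returns."""
    return any(t.get("TagKey") == key and t.get("TagValue") == value for t in tags)

# Constructed sample inputs (account id, role name and key id are placeholders).
SAMPLE_ROLE_ARN = "arn:aws:iam::111122223333:role/acante-sampler-lambda"
SAMPLE_POLICY = {
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Enable KMS Key Access for Classification", "Effect": "Allow",
         "Principal": {"AWS": SAMPLE_ROLE_ARN},
         "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
                    "kms:ListGrants", "kms:RetireGrant"],   # CreateGrant left out on purpose
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/<key_ID>"},
    ],
}
SAMPLE_TAGS = [{"TagKey": "acante-rdsdb-decrypt-use", "TagValue": "true"}]

if __name__ == "__main__":
    print("missing for sampler role:", missing_actions(SAMPLE_POLICY, SAMPLE_ROLE_ARN))
    print("decrypt tag present:", has_decrypt_tag(SAMPLE_TAGS))
```

    Run against the sample, the policy check reports kms:CreateGrant as missing, which is exactly the kind of partial copy of the statement that makes snapshot restores fail later.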

    Automated Snapshots

    This is generally a standard configuration. The Acante RDS classifier can classify RDS instances that have automated snapshots enabled:

    • The backup retention period should be greater than 0
    • Only automated snapshots are supported at this time, since manual snapshots may contain partial content

    Tag Propagation to Snapshots

    Tags from the RDS instance should be propagated to its snapshots.