
Database Access

Hint

Database Access configuration is not required to run scans and begin securing your public cloud. However, without it, we cannot fully secure your environment.

Setting up asset discovery will unlock much of SecureCloudDB's functionality for you; however, extended audits require additional access. The next step in securing your cloud environment is to set up SecureCloudDB to scan within your databases.

  1. To get started with database access configuration, select Setup > Database Access from the left navigation menu and click the blue circle with a plus sign in the center to begin.

  2. Decide a name for your database access configuration, or accept the randomly generated one:

  3. The next step is deciding how to authenticate to the database. If you have not yet done so, you will need to create a self-hosted agent within your cloud account. Once completed, you have several options to authenticate:

    Username and Password

    We do not recommend you use the master username and password for use with SecureCloudDB. Instead, you should create a user with read-only access to system tables for SecureCloudDB to use.

    To create a new user:

    1. First, log into the DB using the mysql utility (the -p flag without a value prompts for the password, which keeps it out of your shell history):
      mysql -h your-dbserver.us-east-1.rds.amazonaws.com -u <YOUR_USERNAME> -p
      
    2. Create the new user, restricted to the IP of the host from which your application will connect to the DB (replace 'client-host-ip' with that address and 'password' with a strong, unique password):
      mysql> CREATE USER 'secureclouddb-ReadOnly'@'client-host-ip' IDENTIFIED BY 'password';
      
    3. Next, assign privileges for the user to read the DB. The host part must match the one used in CREATE USER, or the grant applies to a different account. Note that SELECT ON *.* allows reading every schema, so narrow the scope if your deployment permits:
      mysql> GRANT SELECT ON *.* TO 'secureclouddb-ReadOnly'@'client-host-ip';
      mysql> SHOW GRANTS FOR 'secureclouddb-ReadOnly'@'client-host-ip';
      
      

    AWS RDS Token

    With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you can use an authentication token. An authentication token is a unique string of characters that Amazon RDS generates on request. In order to generate a token, you need to create an IAM Role or an IAM User first. Once complete, you can choose to assume a role (if you created a role), manually set your access key (if you created a user), or use an AWS instance profile.
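    The token flow described above, as an added example that is not SecureCloudDB's own code: a least-privilege IAM policy for the DB user, credentials from the default chain or an assumed role, a short-lived token from `generate_db_auth_token`, and a TLS-only connection. The host, region, user name, account id, resource id, role ARN and CA bundle path are placeholders; the DB user is assumed to have been created with the AWSAuthenticationPlugin, and boto3 and PyMySQL are assumed installed.

```python
from typing import Optional

# Placeholder values (the host name is the one used elsewhere on this page).
DB_HOST = "your-dbserver.us-east-1.rds.amazonaws.com"
DB_PORT = 3306
REGION = "us-east-1"
DB_USER = "secureclouddb-ReadOnly"
CA_BUNDLE = "/path/to/global-bundle.pem"  # placeholder: RDS CA bundle on the agent host


def rds_connect_policy(account_id: str, region: str, resource_id: str, db_user: str) -> dict:
    """IAM policy granting only rds-db:connect for one DB user on one instance.
    resource_id is the instance's DbiResourceId (db-...), not its DB identifier."""
    arn = f"arn:aws:rds-db:{region}:{account_id}:dbuser:{resource_id}/{db_user}"
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "rds-db:connect", "Resource": arn}],
    }


def aws_session(role_arn: Optional[str] = None):
    """Default chain covers a manually set access key or an instance profile;
    pass a role ARN to assume a role first (the third option listed above)."""
    import boto3

    if role_arn is None:
        return boto3.Session(region_name=REGION)
    sts = boto3.client("sts", region_name=REGION)
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName="secureclouddb-scan")["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
        region_name=REGION,
    )


def connect_with_token(session):
    """The token is generated locally (a presigned request) and expires after 15
    minutes; RDS only accepts it over TLS, so the CA bundle is verified here."""
    import pymysql

    token = session.client("rds").generate_db_auth_token(
        DBHostname=DB_HOST, Port=DB_PORT, DBUsername=DB_USER, Region=REGION
    )
    return pymysql.connect(
        host=DB_HOST, port=DB_PORT, user=DB_USER, password=token, ssl={"ca": CA_BUNDLE}
    )
```

A new token must be generated for each connection once the previous one expires; nothing needs to be stored on the agent except the IAM credentials or role.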

    AWS Systems Manager Parameter Store

    AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. Given a parameter and a method to authenticate, we can securely retrieve the password from the parameter store.

  4. Now that you have your safe access configured, you need to decide which databases to apply the configuration to. You can open the databases menu under the Select Databases section to get a list of all the databases that have been previously scanned. In addition, you can apply this configuration to databases by Provider (e.g. AWS, Azure, etc.) and Service (e.g. DynamoDB, RDS, etc.) tags.

  5. Finalize the database access configuration. On the last step, you will see a summary of your settings. If everything is correct, you can select the Create button to finish.