How to Onboard Workload and DSPM

Modified on Tue, 3 Sep at 5:24 PM

Workload Security


Workload Security Protection for EC2 on AWS: Required Permissions and SSM Agent Installation


Objective:


To ensure that our workload security protection on Amazon EC2 instances functions correctly, it is necessary to install the AWS Systems Manager (SSM) Agent on each EC2 instance and assign the appropriate permissions.


1. SSM Agent Installation


The AWS Systems Manager (SSM) Agent is a tool that runs on EC2 instances and enables the execution of various Systems Manager operations, such as sending commands and starting sessions. The SSM Agent must be installed and running on each EC2 instance that will be managed or monitored by the Systems Manager.


2. Required IAM Permissions


To enable the Workload Security Protection for EC2, the following AWS Identity and Access Management (IAM) permissions are required:


  • ssm:SendCommand

    • Allows sending commands to the EC2 instances via Systems Manager.
      This permission enables you to remotely execute commands (such as shell scripts, PowerShell commands, or any executable) on your EC2 instances. This is crucial for automation tasks like patching, configuration management, and software deployment.


  • ssm:StartSession

    • Allows starting a secure shell session with the EC2 instances through Systems Manager.
      This permission is used for establishing interactive one-on-one sessions with your EC2 instances. It provides a secure and auditable method to manage your instances without needing to open inbound ports or manage SSH keys.


  • ssm:CancelCommand

    • Allows canceling a running command on the EC2 instances.
      This permission lets you stop a command that was previously sent to an instance but is still in progress. It's essential for managing long-running commands that may need to be terminated if they are not behaving as expected.


  • ssm:ListCommandInvocations

    • Allows listing all commands that have been sent to your EC2 instances.
      This permission is useful for auditing and tracking purposes, allowing you to see the history of commands executed on your instances and the status of each command.


  • ssm:TerminateSession

    • Allows terminating an active session on the EC2 instances.
      This permission lets you securely end any ongoing sessions, ensuring that no unauthorized or unintended access continues after the session's intended purpose has been completed.


  • ssm:GetCommandInvocation

    • Allows retrieving the details and results of a command sent to the EC2 instances.
      This permission is crucial for understanding the outcome of any command executed on your EC2 instances, including any output generated, the status of the command, and any errors that occurred.


3. Implementation


Step 1: Ensure the SSM Agent is installed and running on all EC2 instances that require workload security protection. On Amazon Linux and Ubuntu the agent may already be pre-installed; on other distributions it can be installed manually with the distribution's package manager, such as yum or apt-get.


Step 2: Attach an IAM role with the above-listed permissions to each EC2 instance. This IAM role should have a policy that includes these permissions, ensuring that the Systems Manager can perform the necessary operations on the instance.


Step 3: Verify that the Systems Manager can successfully manage the EC2 instances by testing command execution, session initiation, and other required operations.
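The following Python script is added here as an illustration and is not part of this article or the product. It builds the minimal IAM policy document for the six SSM actions listed above and audits a candidate policy (supplied as a parsed JSON document) against that list, reporting required actions that are not granted and wildcard grants such as ssm:* that reach beyond it. The generated policy leaves Resource as "*"; narrow it to your instance ARNs or tags where your deployment allows.

```python
from fnmatch import fnmatchcase

# The six SSM actions listed in section 2 of this article.
REQUIRED_SSM_ACTIONS = (
    "ssm:SendCommand", "ssm:StartSession", "ssm:CancelCommand",
    "ssm:ListCommandInvocations", "ssm:TerminateSession",
    "ssm:GetCommandInvocation",
)


def build_ssm_policy() -> dict:
    """Minimal IAM policy document granting exactly the required actions.
    Resource is "*" here; narrow it to instance ARNs or a tag condition
    where your deployment allows it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "WorkloadSecuritySsm",
            "Effect": "Allow",
            "Action": list(REQUIRED_SSM_ACTIONS),
            "Resource": "*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy: dict) -> list:
    """Action strings (may contain IAM wildcards) from every Allow statement."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt.get("Action", [])))
    return patterns


def audit_policy(policy: dict, required=REQUIRED_SSM_ACTIONS) -> dict:
    """Report required actions the policy fails to grant and any wildcard
    grants that reach beyond the explicit list. IAM matches action names
    case-insensitively, so compare in lower case; Deny statements are not
    evaluated here."""
    patterns = allowed_action_patterns(policy)
    missing = [a for a in required
               if not any(fnmatchcase(a.lower(), p.lower()) for p in patterns)]
    overbroad = [p for p in patterns if "*" in p or "?" in p]
    return {"missing": missing, "overbroad": overbroad}
```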




DSPM


DSPM for RDS and Aurora


Required Permissions and Setup Guide


Objective:


To ensure that our Data Security Posture Management (DSPM) solution effectively manages and secures Amazon RDS and Aurora databases, it is necessary to configure specific AWS Identity and Access Management (IAM) permissions. These permissions allow the DSPM tool to interact with RDS and Aurora resources, enabling monitoring, backups, and security configurations.


1. Required IAM Permissions


The following AWS IAM permissions are necessary for the DSPM solution to perform its tasks on Amazon RDS and Aurora databases:


RDS Permissions:


  • rds:DescribeDBInstances

    • Allows retrieving information about the RDS instances.
      This permission enables the DSPM tool to gather details about the RDS instances, including configuration, status, and performance metrics.


  • rds:CreateDBSnapshot

    • Allows creating a snapshot of an RDS instance.
      This permission is used to create a point-in-time backup of your RDS instance, ensuring that data can be recovered if needed.


  • rds:CreateDBClusterSnapshot

    • Allows creating a snapshot of an Aurora DB cluster.
      Similar to the RDS snapshot, this permission creates backups for Aurora DB clusters, enabling point-in-time recovery.


  • rds:DeleteDBSnapshot

    • Allows deleting an existing RDS snapshot.
      This permission is used to manage and delete obsolete or unnecessary snapshots, helping to control storage costs and maintain a clean environment.


  • rds:DeleteDBClusterSnapshot

    • Allows deleting an existing Aurora DB cluster snapshot.
      Similar to RDS snapshots, this permission allows for the removal of old or unnecessary Aurora cluster snapshots.


  • rds:DescribeDBSnapshots

    • Allows listing all snapshots for RDS instances.
      This permission enables the DSPM tool to view and manage the snapshots associated with RDS instances.


  • rds:DescribeDBClusterSnapshots

    • Allows listing all snapshots for Aurora DB clusters.
      This permission provides visibility into the snapshots of Aurora clusters, allowing for efficient management.


  • rds:RestoreDBInstanceFromDBSnapshot

    • Allows restoring an RDS instance from a snapshot.
      This permission is crucial for disaster recovery, enabling the restoration of an RDS instance to a previous state using a snapshot.


  • rds:RestoreDBClusterFromSnapshot

    • Allows restoring an Aurora DB cluster from a snapshot.
      Similar to RDS instance restoration, this permission is used to recover an Aurora cluster from a previous snapshot.


  • rds:ModifyDBInstance

    • Allows modifying an existing RDS instance.
      This permission enables the DSPM tool to make changes to the configuration of RDS instances, such as adjusting instance types, storage, and other settings.


  • rds:ModifyDBCluster

    • Allows modifying an existing Aurora DB cluster.
      This permission is used to change the configuration of Aurora clusters, including instance types, scaling options, and more.


  • rds:DeleteDBInstance

    • Allows deleting an RDS instance.
      This permission is used for the removal of RDS instances that are no longer needed, ensuring efficient resource management.


  • rds:DeleteDBCluster

    • Allows deleting an Aurora DB cluster.
      This permission is necessary for decommissioning Aurora clusters that are no longer required.


  • rds:DescribeDBClusters

    • Allows retrieving information about Aurora DB clusters.
      This permission provides the DSPM tool with details about Aurora clusters, including their configuration, status, and performance.


EC2 Permissions:


  • ec2:CreateSecurityGroup

    • Allows creating a new security group in EC2.
      This permission is used to set up security groups that control inbound and outbound traffic to your RDS instances and Aurora clusters.


  • ec2:DescribeSecurityGroups

    • Allows listing existing security groups in EC2.
      This permission provides visibility into the security groups available, ensuring that the appropriate groups are associated with your databases.


  • ec2:DeleteSecurityGroup

    • Allows deleting an existing security group in EC2.
      This permission is used to remove security groups that are no longer needed, helping to maintain a secure and organized environment.


  • ec2:AuthorizeSecurityGroupIngress

    • Allows authorizing inbound rules for a security group.
      This permission is crucial for configuring the security groups to allow or restrict traffic to your RDS instances and Aurora clusters based on IP addresses, protocols, and ports.


2. Implementation


Step 1: Assign the IAM Role:


Ensure that the IAM role associated with the DSPM solution has the above-listed permissions. This role should be attached to the DSPM tool or service that manages your RDS and Aurora resources.


Step 2: Security Group Configuration:


The DSPM tool will use the EC2-related permissions to create, describe, and manage security groups associated with your RDS and Aurora instances. Ensure that the security groups are correctly configured to protect your databases from unauthorized access while allowing necessary traffic.


Step 3: Snapshot Management:


The DSPM tool will use the RDS-related permissions to create, describe, and delete snapshots for both RDS and Aurora databases. Ensure that snapshot management policies align with your organization’s backup and retention strategies.


Step 4: Monitoring and Auditing:


Regularly monitor and audit the activities performed by the DSPM tool using AWS CloudTrail. This ensures that the actions taken by the tool are in line with your security and compliance requirements.
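As an added check for Step 2 above (not part of this article or the DSPM tool), the following Python snippet audits security-group ingress rules in the shape returned by aws ec2 describe-security-groups and flags database ports reachable from 0.0.0.0/0, ::/0 or an IPv4 range wider than a configurable prefix. The group IDs and rules are constructed sample data, and the port-to-engine map is an assumption covering the common RDS and Aurora engines.

```python
import ipaddress

# Assumed default listener ports for the common RDS and Aurora engines.
DB_PORTS = {3306: "MySQL/Aurora MySQL", 5432: "PostgreSQL/Aurora PostgreSQL",
            1433: "SQL Server", 1521: "Oracle"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "rds-postgres-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "aurora-mysql-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0app"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "all-traffic", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}]},
]


def _covers_port(rule: dict, port: int) -> bool:
    if rule.get("IpProtocol") == "-1":          # all protocols, all ports
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_db_ingress(groups: list, min_prefix: int = 16) -> list:
    """Flag ingress rules that expose a database port to the whole internet
    (0.0.0.0/0 or ::/0) or to an IPv4 range wider than /min_prefix. Rules whose
    source is another security group are left alone: that is the intended pattern."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                world = net.prefixlen == 0
                broad = net.version == 4 and net.prefixlen < min_prefix
                if not (world or broad):
                    continue
                for port, engine in DB_PORTS.items():
                    if _covers_port(rule, port):
                        findings.append({"group": group["GroupId"], "port": port,
                                         "engine": engine, "source": cidr})
    return findings
```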



DSPM for DynamoDB


Required Permissions and Setup Guide


Objective:


To ensure that our Data Security Posture Management (DSPM) solution can effectively manage and secure Amazon DynamoDB tables, it is essential to configure specific AWS Identity and Access Management (IAM) permissions. These permissions will allow the DSPM tool to interact with DynamoDB resources, enabling monitoring, backup management, and security configurations.


1. Required IAM Permissions


The following AWS IAM permissions are necessary for the DSPM solution to perform its tasks on Amazon DynamoDB tables:


DynamoDB Permissions:


  • dynamodb:ListTables

    • Allows listing all DynamoDB tables in your AWS account.
      This permission is used to identify and enumerate all DynamoDB tables that need to be monitored and managed by the DSPM tool.


  • dynamodb:Scan

    • Allows scanning the contents of a DynamoDB table.
      This permission enables the DSPM tool to perform a full scan of a DynamoDB table to retrieve data for analysis, ensuring data integrity and security.


  • dynamodb:CreateBackup

    • Allows creating a backup of a DynamoDB table.
      This permission is used to create point-in-time backups of your DynamoDB tables, ensuring that your data can be recovered in case of data loss or corruption.


  • dynamodb:DescribeBackup

    • Allows retrieving information about a specific DynamoDB backup.
      This permission enables the DSPM tool to view details about existing backups, such as the backup status, size, and creation time.


  • dynamodb:RestoreTableFromBackup

    • Allows restoring a DynamoDB table from a backup.
      This permission is crucial for disaster recovery, allowing you to restore a table to its previous state using a backup.


  • dynamodb:DeleteTable

    • Allows deleting a DynamoDB table.
      This permission is used for the removal of DynamoDB tables that are no longer needed, ensuring efficient resource management and cost control.


  • dynamodb:DeleteBackup

    • Allows deleting an existing DynamoDB backup.
      This permission helps manage storage costs by allowing the DSPM tool to delete old or unnecessary backups.


  • dynamodb:DescribeTable

    • Allows retrieving information about a specific DynamoDB table.
      This permission provides the DSPM tool with details about the structure, configuration, and status of DynamoDB tables, enabling effective monitoring and management.


  • dynamodb:UpdateTable

    • Allows modifying the settings of a DynamoDB table.
      This permission enables the DSPM tool to adjust table configurations, such as changing throughput capacity or enabling encryption, to maintain optimal security and performance.


  • dynamodb:ListBackups

    • Allows listing all backups for a specific DynamoDB table.
      This permission provides visibility into the available backups for each table, ensuring that appropriate backup strategies are in place.


2. Implementation


Step 1: Assign the IAM Role:


Ensure that the IAM role associated with the DSPM solution has the above-listed permissions. This role should be attached to the DSPM tool or service responsible for managing your DynamoDB resources.


Step 2: Backup Management:


The DSPM tool will use the DynamoDB-related permissions to create, describe, and delete backups. Ensure that the backup management policies align with your organization’s data protection and retention strategies.


Step 3: Monitoring and Auditing:


Regularly monitor and audit the activities performed by the DSPM tool using AWS CloudTrail. This ensures that the actions taken by the tool are in line with your security and compliance requirements.


Step 4: Table Management:


The DSPM tool will utilize permissions like dynamodb:UpdateTable and dynamodb:DeleteTable to modify and manage the lifecycle of your DynamoDB tables. Ensure that these operations are consistent with your organization’s best practices for data management.
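For the Monitoring and Auditing steps in both the RDS/Aurora and DynamoDB sections, here is an added Python example (not part of this article or the product) that runs over CloudTrail records and flags calls made under the DSPM role that fall outside the permission lists above, including denied attempts, as well as allowed but destructive calls such as rds:DeleteDBInstance and dynamodb:DeleteTable. The records, the role name DspmRole and the account ID are constructed placeholders.

```python
import json

# Permission lists from the RDS/Aurora and DynamoDB sections of this article.
DSPM_ALLOWED = {
    "rds:DescribeDBInstances", "rds:CreateDBSnapshot", "rds:CreateDBClusterSnapshot",
    "rds:DeleteDBSnapshot", "rds:DeleteDBClusterSnapshot", "rds:DescribeDBSnapshots",
    "rds:DescribeDBClusterSnapshots", "rds:RestoreDBInstanceFromDBSnapshot",
    "rds:RestoreDBClusterFromSnapshot", "rds:ModifyDBInstance", "rds:ModifyDBCluster",
    "rds:DeleteDBInstance", "rds:DeleteDBCluster", "rds:DescribeDBClusters",
    "ec2:CreateSecurityGroup", "ec2:DescribeSecurityGroups", "ec2:DeleteSecurityGroup",
    "ec2:AuthorizeSecurityGroupIngress", "dynamodb:ListTables", "dynamodb:Scan",
    "dynamodb:CreateBackup", "dynamodb:DescribeBackup", "dynamodb:RestoreTableFromBackup",
    "dynamodb:DeleteTable", "dynamodb:DeleteBackup", "dynamodb:DescribeTable",
    "dynamodb:UpdateTable", "dynamodb:ListBackups",
}
# Allowed, but destructive enough that every call deserves a review.
DESTRUCTIVE = {"rds:DeleteDBInstance", "rds:DeleteDBCluster", "dynamodb:DeleteTable"}

# Constructed CloudTrail records (fields trimmed); "DspmRole" and the account id are placeholders.
SAMPLE_RECORDS = json.loads("""[
 {"eventSource":"rds.amazonaws.com","eventName":"CreateDBSnapshot",
  "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/DspmRole/s1"}},
 {"eventSource":"dynamodb.amazonaws.com","eventName":"DeleteTable",
  "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/DspmRole/s1"}},
 {"eventSource":"rds.amazonaws.com","eventName":"ModifyDBParameterGroup","errorCode":"AccessDenied",
  "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/DspmRole/s1"}},
 {"eventSource":"rds.amazonaws.com","eventName":"DeleteDBInstance",
  "userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"}}
]""")


def _acted_as(record: dict, role_name: str) -> bool:
    ident = record.get("userIdentity", {})
    return (ident.get("type") == "AssumedRole"
            and f":assumed-role/{role_name}/" in ident.get("arn", ""))


def audit_dspm_events(records: list, role_name: str, allowed=DSPM_ALLOWED) -> list:
    """One finding per event made under the DSPM role that falls outside its
    permission list (denied attempts included) or is an allowed destructive call."""
    findings = []
    for rec in records:
        if not _acted_as(rec, role_name):
            continue
        action = rec["eventSource"].split(".")[0] + ":" + rec["eventName"]
        if action not in allowed:
            reason = "denied, outside list" if "errorCode" in rec else "outside list"
            findings.append({"action": action, "reason": reason})
        elif action in DESTRUCTIVE:
            findings.append({"action": action, "reason": "destructive"})
    return findings
```

Calls by other principals are out of scope here; route those through your normal CloudTrail alerting.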
