# RDS

## Requirements

<table><thead><tr><th width="214.3515625">Name</th><th>Description</th></tr></thead><tbody><tr><td>IAM Edit Permission</td><td>To attach RDS read and/or write permissions to the Teleskope IAM role</td></tr><tr><td>Database Admin User</td><td>To create a read and/or write database user for each RDS cluster you'd like us to scan</td></tr><tr><td>Network Access</td><td>If your RDS instances are in private subnets and you do not want to peer VPCs, create a bastion host for us to use to access your RDS instances.</td></tr></tbody></table>

{% stepper %}
{% step %}

## Grant Teleskope AWS scopes

### Grant the TeleskopeRole read permission

Teleskope requires read access to automatically discover all of your RDS clusters and instances.

Attach the `AmazonRDSReadOnlyAccess` managed policy to the TeleskopeRole identity you created.

{% code title="RDS Read Only Terraform" %}

```hcl
# Attach the AWS managed read-only RDS policy to the Teleskope role
resource "aws_iam_role_policy_attachment" "rds_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
}
```

{% endcode %}

### Grant the TeleskopeRole Read and Write IAM Access to RDS (Optional)

Teleskope requires write access to perform remediation actions like tagging.

Attach the `AmazonRDSFullAccess` managed policy to the TeleskopeRole identity you created.

{% code title="RDS Read/Write Terraform" %}

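```hcl
# Attach the AWS managed full-access RDS policy to the Teleskope role.
# The resource name differs from the read-only attachment so both blocks
# can live in the same Terraform configuration.
resource "aws_iam_role_policy_attachment" "rds_full_access_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRDSFullAccess"
}
```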

{% endcode %}
{% endstep %}

{% step %}

### Create a Database User for Teleskope

For each RDS cluster you would like to scan using Teleskope, you will need to:

1. Create a database user for authentication with [Username and Password](https://docs.teleskope.ai/connectors/aws/rds/username-and-password), or [IAM Auth](https://docs.teleskope.ai/connectors/aws/rds/iam-auth).
2. Grant the user permission to read/write in the cluster.
   {% endstep %}

{% step %}

### Enroll the Cluster in the Teleskope UI

{% endstep %}
{% endstepper %}

## SSH Tunnel (Optional)

1. Launch an EC2 instance in a public subnet to serve as the SSH tunnel bastion host.
   1. The public key for the key-pair parameter will be provided by Teleskope: teleskope-bastion-key.
   2. Place the public key in `~/.ssh/authorized_keys`.<br>

      ```bash
      echo "<TELESKOPE_PUBLIC_KEY>" >> ~/.ssh/authorized_keys
      ```
   3. Update the permissions on the file and directory.<br>

      ```bash
      chmod 700 ~/.ssh
      chmod 600 ~/.ssh/authorized_keys
      ```
   4. Allow access from the Teleskope AWS account in your security group(s). Teleskope will provide the IP addresses.
   5. Assign an Elastic IP (EIP) to the bastion host.
2. Adjust route tables and security groups as needed to provide access to the RDS instance through the bastion host.
3. Provide Teleskope with the bastion username and the bastion Elastic IP.
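
A hardened variant of the `authorized_keys` sub-steps above, as an added example that is not part of Teleskope's documentation: it installs the key with OpenSSH `restrict` and `permitopen` options so the key can only forward to one database endpoint and cannot open a shell. It assumes Teleskope uses the key only for port forwarding; the function names, endpoint and port are placeholders chosen for this example.

```bash
#!/usr/bin/env bash
# Added example (not Teleskope's script). Function names are hypothetical.

# build_entry KEY HOST PORT -> prints a restricted authorized_keys line.
build_entry() {
  # restrict: disables all forwarding, PTY allocation and ~/.ssh/rc
  # port-forwarding: turns port forwarding back on
  # permitopen: limits local forward targets to HOST:PORT
  printf 'restrict,port-forwarding,permitopen="%s:%s" %s\n' "$2" "$3" "$1"
}

# install_tunnel_key KEY HOST PORT [SSH_DIR]
# Idempotent: an earlier (possibly unrestricted) entry for the same key
# is replaced, other keys are kept.
install_tunnel_key() {
  local key="$1" host="$2" port="$3" dir="${4:-$HOME/.ssh}"
  local file="$dir/authorized_keys" blob
  # Sanity check: expect "<type> <base64> [comment]"
  case "$key" in
    ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
    *) echo "not a public key line" >&2; return 1 ;;
  esac
  blob=$(printf '%s\n' "$key" | awk '{print $2}')
  [ -n "$blob" ] || { echo "missing key material" >&2; return 1; }

  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$file" && chmod 600 "$file"
  # grep exits 1 when nothing is left to print; that is not an error here
  grep -vF -- "$blob" "$file" > "$file.tmp" || true
  build_entry "$key" "$host" "$port" >> "$file.tmp"
  chmod 600 "$file.tmp" && mv "$file.tmp" "$file"
}

# Usage: ./install_key.sh "<TELESKOPE_PUBLIC_KEY>" <rds-endpoint> <db-port>
if [ "$#" -ge 3 ]; then
  install_tunnel_key "$@"
fi
```

Run it as the bastion user Teleskope will log in as, passing the RDS endpoint and database port of the cluster being enrolled.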
