RDS

Requirements

Name
Description

Teleskope Role

Attach RDS read and/or write permissions to the Teleskope IAM role you created

Username and password

Create a read and/or write database user for each RDS cluster you'd like us to scan

SSH Tunnel (Optional)

If your RDS instances are in a private subnet and you don't want to enable VPC peering, create a bastion host for us to use to access your RDS instances.

Grant Teleskope Read IAM Access to RDS

Teleskope needs read access to automatically discover all of your RDS clusters and instances.

Attach the AmazonRDSReadOnlyAccess to the Teleskope role you created.

Terraform

resource "aws_iam_role_policy_attachment" "rds_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
}

Grant Teleskope Read and Write IAM Access to RDS

Teleskope needs write access take enforce remediation policies such as tagging, deletion, etc.

Attach the AmazonRDSFullAccess to the Teleskope role you created.

Terraform

resource "aws_iam_role_policy_attachment" "rds_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRDSFullAccess"
}

Teleskope Database User

For each RDS cluster you would like to scan using Teleskope, you will need to create an IAM database user, or create/provide credentials for a database user, and grant that user permissions.

Create Teleskope User

Create IAM Database User

MySQL or MariaDB

CREATE USER teleskope_ro IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Postgres

CREATE USER teleskope_ro; 
GRANT rds_iam TO teleskope_ro;

Enable IAM Auth in your TeleskopeRole

  1. Provide the Teleskope IAM role with the following permission for your database

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": [
        "arn:aws:rds-db:{REGION}:{ACCOUNT_ID}:dbuser:{DB_RESOURCE_ID}/{DB_USER}"
      ]
    }
  ]
}

2. Enable IAM database authentication for the RDS Cluster

Create Database User (Without IAM Authentication)

MySQL or MariaDB

CREATE USER teleskope_ro IDENTIFIED BY '****PASSWORD****'

Postgres

CREATE USER teleskope_ro WITH PASSWORD  '****PASSWORD****'

Grant Read Access to Teleskope user

MySQL or MariaDB

GRANT SHOW DATABASES, SELECT ON *.* TO teleskope_ro

Postgres versions 14+

GRANT pg_read_all_data TO teleskope_ro

Postgres versions < 14

SELECT format('GRANT CONNECT ON DATABASE %I TO teleskope_ro;', datname) FROM pg_database \gexec
SELECT format('GRANT USAGE ON SCHEMA %I TO teleskope_ro;', nspname) FROM pg_namespace \gexec
SELECT format('GRANT SELECT ON ALL TABLES IN SCHEMA %I TO teleskope_ro;', nspname) FROM pg_namespace \gexec

Grant Write Access to Teleskope user

MySQL or MariaDB

GRANT UPDATE, DELETE on *.* TO teleskope_ro

Postgres versions 14+

GRANT pg_write_all_data TO teleskope_ro

Postgres versions < 14

SELECT format('GRANT UPDATE, DELETE ON ALL TABLES IN SCHEMA %I TO teleskope_ro;', nspname) FROM pg_namespace \gexec

SSH Tunnel (Optional)

  1. Launch an EC2 instance in a public subnet to serve as the SHH tunnel Bastion Host.

    1. The public key for the key-pair parameter will be provided by Teleskope: teleskope-bastion-key.

    2. Place the public key in ~/.ssh/authorized_keys . 

      echo "<TELESKOPE_PUBLIC_KEY>" >> ~/.ssh/authorized_keys

    3. Update the permissions on the file and directory. 

      chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

    4. Designate Teleskope AWS account access within your security group(s). IP addresses will be provided by Teleskope.

    5. Assign an Elastic IP (EIP) to the bastion host.

  2. Adjust route tables and security groups as needed to provide access to the RDS instance through the bastion host.

  3. Provide Teleskope with the bastion username, and the bastion elastic IP.

PreviousAthenaNextDynamoDB

Last updated

Was this helpful?