RDS

Requirements

| Name | Description |
|---|---|
| IAM Edit Permission | To attach RDS read and/or write permissions to the Teleskope IAM role |
| Database Admin User | To create a read and/or write database user for each RDS cluster you'd like us to scan |
| Network Access | If your RDS instances are in private subnets and you do not want to peer VPCs, create a bastion host for us to use to access your RDS instances. |

1. Grant Teleskope AWS scopes

Grant the TeleskopeRole read permission

Teleskope requires read access to automatically discover all of your RDS clusters and instances.

Attach the AmazonRDSReadOnlyAccess permission to the TeleskopeRole identity you created.

RDS Read Only Terraform
resource "aws_iam_role_policy_attachment" "rds_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
}

Grant the TeleskopeRole Read and Write IAM Access to RDS (Optional)

Teleskope requires write access to perform remediation actions like tagging.

Attach the AmazonRDSFullAccess permission to the TeleskopeRole identity you created.

RDS Read/Write Terraform
resource "aws_iam_role_policy_attachment" "rds_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRDSFullAccess"
}

2. Create a Database User for Teleskope

For each RDS cluster you would like to scan using Teleskope, you will need to:

  1. Create a database user for authentication with Username and Password, or IAM Auth.

  2. Grant the user permission to read/write in the cluster.

3. Enroll the Cluster in the Teleskope UI

SSH Tunnel (Optional)

  1. Launch an EC2 instance in a public subnet to serve as the SSH tunnel Bastion Host.

    1. The public key for the key-pair parameter will be provided by Teleskope: teleskope-bastion-key.

    2. Place the public key in ~/.ssh/authorized_keys.

      echo "<TELESKOPE_PUBLIC_KEY>" >> ~/.ssh/authorized_keys

    3. Update the permissions on the file and directory.

      chmod 700 ~/.ssh
      chmod 600 ~/.ssh/authorized_keys

    4. Designate Teleskope AWS account access within your security group(s). IP addresses will be provided by Teleskope.

    5. Assign an Elastic IP (EIP) to the bastion host.

  2. Adjust route tables and security groups as needed to provide access to the RDS instance through the bastion host.

  3. Provide Teleskope with the bastion username, and the bastion elastic IP.
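
The bastion procedure above expressed in Terraform, as an added example that is not Teleskope's own code. It assumes AWS provider 5.x and an AMI whose default user receives the EC2 key pair in ~/.ssh/authorized_keys at launch; every variable and resource name except the key-pair name teleskope-bastion-key is hypothetical.

```hcl
# Added example. Variable names are assumptions; their values come from your VPC and from Teleskope.
variable "vpc_id" { type = string }
variable "public_subnet_id" { type = string }
variable "bastion_ami_id" { type = string }
variable "rds_security_group_id" { type = string } # security group already attached to the RDS instance
variable "db_port" { type = number }               # e.g. 5432 or 3306, depending on the engine
variable "teleskope_public_key" { type = string }  # public key material provided by Teleskope
variable "teleskope_cidrs" { type = list(string) } # source IPs provided by Teleskope, as /32 CIDRs

resource "aws_key_pair" "teleskope" {
  key_name   = "teleskope-bastion-key"
  public_key = var.teleskope_public_key
}
resource "aws_security_group" "bastion" {
  name   = "teleskope-bastion"
  vpc_id = var.vpc_id
  ingress { # SSH only from the addresses Teleskope provides, never 0.0.0.0/0
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.teleskope_cidrs
  }
  egress { # the bastion may open connections only to the RDS security group on the database port
    from_port       = var.db_port
    to_port         = var.db_port
    protocol        = "tcp"
    security_groups = [var.rds_security_group_id]
  }
}
resource "aws_security_group_rule" "rds_from_bastion" { # lets the RDS instance accept the tunnel
  type                     = "ingress"
  security_group_id        = var.rds_security_group_id
  from_port                = var.db_port
  to_port                  = var.db_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.bastion.id
}

resource "aws_instance" "bastion" {
  ami                    = var.bastion_ami_id
  instance_type          = "t3.micro"
  subnet_id              = var.public_subnet_id
  key_name               = aws_key_pair.teleskope.key_name
  vpc_security_group_ids = [aws_security_group.bastion.id]
}
resource "aws_eip" "bastion" { # fixed address to hand to Teleskope in step 3
  instance = aws_instance.bastion.id
  domain   = "vpc"
}
```

The address to give Teleskope in step 3 is `aws_eip.bastion.public_ip`; the bastion username is the AMI's default user.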
