RDS
Requirements
IAM Edit Permission
To attach RDS read and/or write permissions to the Teleskope IAM role
Database Admin User
To create a read and/or write database user for each RDS cluster you'd like us to scan
Network Access
If your RDS instances are in private subnets and you do not want to peer VPCs, create a bastion host for us to use to access your RDS instances.
Grant Teleskope AWS scopes
Grant the TeleskopeRole read permission
Teleskope requires read access to automatically discover all of your RDS clusters and instances.
Attach the AmazonRDSReadOnlyAccess
permission to the TeleskopeRole identity you created.
resource "aws_iam_role_policy_attachment" "rds_policy" {
role = "TeleskopeRole"
policy_arn = "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
}
Grant the TeleskopeRole Read and Write IAM Access to RDS (Optional)
Teleskope requires write access to perform remediation actions like tagging.
Attach the AmazonRDSFullAccess
to the Teleskope role you created.
resource "aws_iam_role_policy_attachment" "rds_policy" {
role = "TeleskopeRole"
policy_arn = "arn:aws:iam::aws:policy/AmazonRDSFullAccess"
}
Create a Database User for Teleskope
For each RDS cluster you would like to scan using Teleskope, you will need to:
Create a database user for authentication with Username and Password, or IAM Auth.
Grant the user permission to read/write in the cluster
SSH Tunnel (Optional)
Launch an EC2 instance in a public subnet to serve as the SHH tunnel Bastion Host.
The public key for the key-pair parameter will be provided by Teleskope: teleskope-bastion-key.
Place the public key in
~/.ssh/authorized_keys
.echo "<TELESKOPE_PUBLIC_KEY>" >> ~/.ssh/authorized_keys
Update the permissions on the file and directory.
chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys
Designate Teleskope AWS account access within your security group(s). IP addresses will be provided by Teleskope.
Assign an Elastic IP (EIP) to the bastion host.
Adjust route tables and security groups as needed to provide access to the RDS instance through the bastion host.
Provide Teleskope with the bastion username, and the bastion elastic IP.
Last updated
Was this helpful?