Database Activity Monitoring User Guide

      Configuring AWS for cross-account support

      In AWS, you must separately configure both the database (RDS) in its account, and the Imperva Gateway (EC2 instance) in its separate account.

      To configure your AWS EC2 account (DAM Gateway and MX) for cross-account support:

      1. Configure a policy:
        1. In your AWS EC2 account, configure an existing policy or create a new one. Under IAM > Policies, select the policy.
        2. Under the Permissions tab, verify that the text below appears. If it does not, edit the text so that it appears exactly as follows:

          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::<<rdsAccount>>:role/<<rdsAccount-Role>>"
              }
            ]
          }

          where <<rdsAccount>> and <<rdsAccount-Role>> are replaced by the account ID and role name of your RDS account.

        3. Save the changes in the normal way.
      2. Create a new role:
        1. Under IAM > Roles, click Create role.
        2. Click AWS Service.
        3. Under Use case, click EC2.

          [Screenshot: AWS_x-account_EC2_CreateeRole]

        4. Click Next.
        5. In the Add permissions window, check the box next to the policy you configured in step 1.
        6. Click Next.
        7. Type a Role name of your choice.
        8. Click Create role.

        The trust policy of the resulting role, as generated for the EC2 use case, allows the EC2 service to assume it:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "ec2.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        }

      To configure your AWS RDS account (database) for cross-account support:

      1. Configure a policy:
        1. In your AWS RDS account, configure an existing policy or create a new one. Under IAM > Policies, select the policy.
        2. Under the Permissions tab, verify that the text below appears. If it does not, edit the text so that it appears exactly as follows:

          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "rds:DescribeDBLogFiles",
                  "rds:DescribeDBInstances",
                  "rds:DownloadCompleteDBLogFile"
                ],
                "Resource": "*"
              }
            ]
          }

        3. Save the changes in the normal way.
      2. Create a new role:
        1. Under IAM > Roles, click Create role.
        2. Click Custom Trust Policy.
        3. Under Custom trust policy, edit the text so that the Principal line refers to the <<gwAccount>> and <<gwAccount-Role>> values that resulted from the Gateway account configuration in step 2 of the EC2 account procedure above.

          [Screenshot: AWS_x-account_CustomTrustPolicy]

        4. Click Next.
        5. In the Add permissions window, check the box next to the policy you configured in step 1.
        6. Click Next.
        7. Type a Role name of your choice.
        8. Click Create role.

          The edited custom trust policy should read as follows:

          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Principal": {
                  "AWS": "arn:aws:iam::<<gwAccount>>:role/<<gwAccount-Role>>"
                },
                "Action": "sts:AssumeRole"
              }
            ]
          }
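The two IAM procedures above produce three documents that must agree with each other: the gateway account's AssumeRole policy, the RDS account's trust policy, and the RDS account's permissions policy. The following Python is an added consistency check, not part of this guide; the account IDs and role names are constructed placeholders, and the only actions it accepts in the RDS account are the three the guide grants.

```python
# Constructed placeholder identifiers (not real accounts or role names).
GW_ACCOUNT, GW_ROLE = "111111111111", "dam-gateway-role"
RDS_ACCOUNT, RDS_ROLE = "222222222222", "dam-rds-audit-role"
GW_ROLE_ARN = f"arn:aws:iam::{GW_ACCOUNT}:role/{GW_ROLE}"
RDS_ROLE_ARN = f"arn:aws:iam::{RDS_ACCOUNT}:role/{RDS_ROLE}"
# The only actions the guide grants in the RDS account (read-only log access).
RDS_ACTIONS = {"rds:DescribeDBLogFiles", "rds:DescribeDBInstances",
               "rds:DownloadCompleteDBLogFile"}

def _as_set(v):
    """IAM accepts a string or a list in Action/Resource/Principal fields."""
    return set(v) if isinstance(v, list) else {v}

def _allows(policy):
    stmts = policy["Statement"]
    return [s for s in (stmts if isinstance(stmts, list) else [stmts])
            if s.get("Effect") == "Allow"]

def check_cross_account(gw_policy, rds_trust, rds_policy):
    """Return findings; an empty list means the three documents line up."""
    findings = []
    for s in _allows(gw_policy):  # gateway side: AssumeRole only on the RDS role
        if "sts:AssumeRole" in _as_set(s.get("Action", [])):
            if _as_set(s.get("Resource", [])) != {RDS_ROLE_ARN}:
                findings.append("gateway AssumeRole resource must be exactly " + RDS_ROLE_ARN)
    for s in _allows(rds_trust):  # RDS side: trust only the gateway role, not the account
        p = s.get("Principal", {})
        aws = _as_set(p.get("AWS", [])) if isinstance(p, dict) else {p}
        if aws != {GW_ROLE_ARN}:
            findings.append("RDS trust principal must be exactly " + GW_ROLE_ARN)
    granted = set().union(*(_as_set(s.get("Action", [])) for s in _allows(rds_policy)))
    if granted != RDS_ACTIONS:  # anything extra or missing is reported
        findings.append("RDS permissions differ from guide: " + str(sorted(granted ^ RDS_ACTIONS)))
    return findings

def _policy(**statement):
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", **statement}]}

GOOD = (_policy(Action="sts:AssumeRole", Resource=RDS_ROLE_ARN),
        _policy(Principal={"AWS": GW_ROLE_ARN}, Action="sts:AssumeRole"),
        _policy(Action=sorted(RDS_ACTIONS), Resource="*"))
# Constructed misconfiguration: wildcard AssumeRole target, trust of the whole
# gateway account rather than the role, and an extra write action in the RDS account.
BAD = (_policy(Action="sts:AssumeRole", Resource="*"),
       _policy(Principal={"AWS": f"arn:aws:iam::{GW_ACCOUNT}:root"}, Action="sts:AssumeRole"),
       _policy(Action=sorted(RDS_ACTIONS | {"rds:ModifyDBInstance"}), Resource="*"))

if __name__ == "__main__":
    print("good:", check_cross_account(*GOOD))  # []
    print("bad:", check_cross_account(*BAD))    # three findings
```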

      To configure your EC2 instances for the DAM Gateway and MX:

      1. After creating the EC2 instances in the normal way (for more information, see Deploying SecureSphere Servers on AWS), attach the role you created for the EC2 account in the first procedure above to the Gateway instance.
      2. Under EC2 > Instances, select your Gateway instance.

        [Screenshot: AWS_x-account_GW_EC2_ModifyIAMRole]

      3. Click Modify IAM role.
      4. From the IAM role drop-down list, select your Gateway role.

        [Screenshot: AWS_x-account_GW_EC2_UpdateIAMRole]

      5. Click Update IAM role.