AWS RDS MySQL
Discovering granular MySQL permissions with Veza
When connecting an AWS account to Veza, the recommended IAM policy includes permissions to discover RDS instances and clusters. To gather additional metadata, Veza will need to be able to execute database commands as a local user, as described in this document.
Veza discovers RDS MySQL databases by connecting as a local MySQL user (authenticated through IAM DB Authentication, see Prerequisites) that has been granted the necessary read-only privileges. Veza creates authorization entities for:
RDS MySQL Database
RDS MySQL Instance
RDS MySQL Local User
RDS MySQL Local User Instance
RDS MySQL Role
RDS MySQL Role Instance
RDS MySQL Service
RDS MySQL Table
By default, extraction excludes the built-in MySQL system schemas sys, performance_schema, information_schema, and mysql. These system-created tables are potentially of interest because they can contain sensitive data (the mysql schema, for example, holds the user and grant tables), so they can be discovered on an optional basis. Enable Gather System Tables in the parent AWS integration configuration to show these Table entities and their permissions in Veza.
Prerequisites
You will need admin access to the database and the privileges to create a local user, which Veza will use to connect at runtime.
An Insight Point is recommended for RDS MySQL discovery.
The Insight Point egress IP needs to be permitted in the RDS security group inbound rules.
Using an Insight Point is recommended when connecting to production environments. For testing purposes, you can use the internal Insight Point, assuming that firewall rules allow communication with Veza.
The MySQL user employed by Veza for extraction authenticates with the AWSAuthenticationPlugin authentication method, so IAM DB Authentication must be enabled on the RDS MySQL instances.
Support for Amazon Aurora
RDS MySQL databases managed by Amazon Aurora are automatically discovered when RDS extraction is enabled for a configured AWS account.
Connected instances are mapped to the top-level Aurora RDS cluster in Authorization Graph search.
Since all instances in an Aurora cluster are replicas of the same MySQL database, each has the same database-level properties.
1. Configure the IAM Policy
Ensure that the IAM policy configured during AWS setup names the MySQL user (<db_user>) in the Resource of its rds-db:connect statement, and that this is the same name entered as the RDS MySQL DB User in the AWS integration configuration. Below is a minimal policy allowing the required actions for discovery.
To discover individual RDS instances across multiple regions, you will need to create an additional Resource entry in the Veza IAM policy for each region, for example:
"Resource": "arn:aws:rds-db:us-east-1:123456789:dbuser:*/veza_user"
"Resource": "arn:aws:rds-db:us-west-1:123456789:dbuser:*/veza_user"
Alternatively, you can use the wildcard operator (*) to match all regions, accounts, and databases:
"Resource": "arn:aws:rds-db:*:*:dbuser:*/veza_user"
2. Create the local user
Connect to your database and execute the following command to create a Veza user and grant the privileges needed for discovery. Replace [veza_user] with the name of the database user specified in your policy:
The next time Veza connects to the configured AWS account, the RDS MySQL server will be registered and appear under "Discovered Data Sources" on the Administration > Configuration > Apps and Data Sources tab.
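The two steps above, worked end to end as an added example (this is not Veza's own code or its documented command). It builds the rds-db:connect policy document with either per-region or wildcard Resource ARNs, prints the CREATE USER and GRANT statements for an IAM-authenticated user, and verifies the setup by connecting the same way Veza will: with a short-lived IAM auth token over TLS. The account ID, role name, endpoint, and the specific read-only grants are assumptions for illustration; substitute the grants Veza documents for its connect user.

```shell
#!/bin/sh
# Added example, not part of the Veza documentation. Assumed values: account
# 123456789012, IAM role VezaIntegrationRole, endpoint mydb.cluster-abc123...
# Override any of them through the environment before running.
set -eu

DB_USER="${DB_USER:-veza_user}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"        # assumed 12-digit account ID
REGION="${REGION:-us-east-1}"
RDS_HOST="${RDS_HOST:-mydb.cluster-abc123.us-east-1.rds.amazonaws.com}"  # assumed endpoint
ROLE_NAME="${ROLE_NAME:-VezaIntegrationRole}"   # assumed role Veza assumes in the account

# Resource ARN checked by rds-db:connect:
#   arn:aws:rds-db:<region>:<account>:dbuser:<db-resource-id>/<db-user>
# A "*" region matches every region; the "*" resource id matches every instance.
rds_db_arn() {
  printf 'arn:aws:rds-db:%s:%s:dbuser:*/%s' "$1" "$ACCOUNT_ID" "$DB_USER"
}

# Minimal policy document: one Resource entry per region given (use '*' for all).
connect_policy() {
  resources=""
  sep=""
  for region in "$@"; do
    resources="${resources}${sep}\"$(rds_db_arn "$region")\""
    sep=", "
  done
  printf '{\n  "Version": "2012-10-17",\n  "Statement": [{\n    "Effect": "Allow",\n    "Action": "rds-db:connect",\n    "Resource": [%s]\n  }]\n}\n' "$resources"
}

# SQL for the local user. AWSAuthenticationPlugin means no password is stored;
# the user presents an RDS auth token instead. The GRANTs are an assumed
# read-only set for listing users, roles and tables.
grant_sql() {
  cat <<EOF
CREATE USER '${DB_USER}'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
GRANT SELECT ON mysql.* TO '${DB_USER}'@'%';
GRANT SHOW DATABASES, SHOW VIEW ON *.* TO '${DB_USER}'@'%';
EOF
}

# Connect as the IAM user would. The token is valid for 15 minutes and is only
# accepted over TLS, so the client needs the RDS CA bundle
# (https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem) and the
# cleartext plugin. MYSQL_PWD keeps the token out of the process list.
verify_connect() {
  token="$(aws rds generate-db-auth-token --hostname "$RDS_HOST" --port 3306 \
             --region "$REGION" --username "$DB_USER")"
  MYSQL_PWD="$token" mysql --host="$RDS_HOST" --port=3306 --user="$DB_USER" \
    --ssl-ca=global-bundle.pem --ssl-mode=VERIFY_CA --enable-cleartext-plugin \
    -e 'SELECT CURRENT_USER(); SHOW GRANTS;'
}

case "${1:-}" in
  policy)  shift; [ $# -gt 0 ] || set -- '*'; connect_policy "$@" ;;
  attach)  shift; [ $# -gt 0 ] || set -- '*'
           aws iam put-role-policy --role-name "$ROLE_NAME" \
             --policy-name VezaRdsConnect --policy-document "$(connect_policy "$@")" ;;
  sql)     grant_sql ;;
  connect) verify_connect ;;
  *) ;;
esac
```

Usage: `sh veza_rds.sh policy us-east-1 us-west-1` prints a policy with one Resource per region, `sh veza_rds.sh attach '*'` attaches the wildcard form to the role, `sh veza_rds.sh sql | mysql -h ... -u admin -p` creates the user, and `sh veza_rds.sh connect` confirms the token, TLS settings and grants work before Veza's next collection runs. If the connect step fails with an access-denied error from RDS, compare the user name in the ARN, the CREATE USER statement and the integration configuration; all three must match exactly.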