AWS RDS MySQL

Discovering granular MySQL permissions with Veza

When connecting an AWS account to Veza, the recommended IAM policy includes permissions to discover RDS instances and clusters. To gather additional metadata, Veza also needs to execute database commands as a local MySQL user, as described in this document.

RDS MySQL databases are discovered by Veza via role assumption to a local MySQL user, granted the necessary read-only permissions. Veza creates authorization entities for:

  • RDS MySQL Database

  • RDS MySQL Instance

  • RDS MySQL Local User

  • RDS MySQL Local User Instance

  • RDS MySQL Role

  • RDS MySQL Role Instance

  • RDS MySQL Service

  • RDS MySQL Table

By default, extraction excludes the built-in MySQL tables sys, performance_schema, information_schema, and mysql. These system-created tables are potentially of interest because they can contain sensitive data, and they can be discovered on an optional basis. Enable Gather System Tables in the parent AWS integration configuration to show these Table entities and their permissions in Veza.

Prerequisites

  • You will need admin access and the privileges to create a local user, which Veza will use to connect at runtime.

  • An Insight Point is recommended for RDS MySQL discovery.

    • The Insight Point egress IP needs to be permitted in the RDS security group inbound rules.

    • Using an Insight Point is recommended when connecting to production environments. For testing purposes, you can use the internal Insight Point, assuming that firewall rules allow communication with Veza.

  • The MySQL user employed by Veza for extraction uses the AWSAuthenticationPlugin authentication method. RDS MySQL instances must have IAM DB Authentication enabled.

Support for Amazon Aurora

  • RDS MySQL databases managed by Amazon Aurora are automatically discovered when RDS extraction is enabled for a configured AWS account.

  • Connected instances are mapped to the top-level Aurora RDS cluster in Authorization Graph search.

  • Since all instances in an Aurora cluster are replicas of the same MySQL database, each has the same database-level properties.

1. Configure the IAM Policy

Ensure that the IAM policy configured during AWS setup includes the <db_user> name of the MySQL user, and that this name matches the RDS MySQL DB User name specified in the AWS integration configuration. Below is a minimal policy allowing the required actions for discovery.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RDS",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RdsDbConnect",
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": "arn:aws:rds-db:<region>:<account_id>:dbuser:<cluster-name>/<db_user>"
    }
  ]
}

To discover individual RDS instances across multiple regions, you will need to create additional Resource entries in the Veza IAM policy for each region, for example:

"Resource": "arn:aws:rds-db:us-east-1:123456789:dbuser:*/veza_user"
"Resource": "arn:aws:rds-db:us-west-1:123456789:dbuser:*/veza_user"

Alternatively, you can use the wildcard operator (*) to match all regions, accounts, and databases:

"Resource": "arn:aws:rds-db:*:*:dbuser:*/veza_user"
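The following is an added example, not Veza's code or part of the original page: a small check that an IAM policy document actually grants rds-db:connect for the MySQL user name Veza is configured with, in each region where an RDS instance lives. It applies IAM's * and ? wildcards to the Resource ARN, so it accepts both the per-region form and the all-regions wildcard form shown above, and it honours an explicit Deny. SAMPLE_POLICY is the page's minimal policy with constructed placeholder values (account 123456789012, region us-east-1); the db_identifier argument stands for the <cluster-name> segment of the page's ARN.

```python
import json
import re

# Added example (not Veza's code): check that an IAM policy grants rds-db:connect
# for the MySQL user configured in Veza, using IAM's '*' / '?' resource wildcards.
# SAMPLE_POLICY is the page's minimal policy with constructed placeholder values.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RDS",
      "Effect": "Allow",
      "Action": ["rds:DescribeDBInstances", "rds:DescribeDBClusters"],
      "Resource": "*"
    },
    {
      "Sid": "RdsDbConnect",
      "Effect": "Allow",
      "Action": ["rds-db:connect"],
      "Resource": "arn:aws:rds-db:us-east-1:123456789012:dbuser:*/veza_user"
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, ignore_case=False):
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one.
    A regex is built from the pattern so every other character is taken literally."""
    regex = "^" + "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    ) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def db_user_arn(region, account_id, db_identifier, db_user):
    """ARN in the form the page's policy uses; db_identifier is the <cluster-name> segment."""
    return f"arn:aws:rds-db:{region}:{account_id}:dbuser:{db_identifier}/{db_user}"


def connect_allowed(policy, region, account_id, db_identifier, db_user):
    """True if an Allow statement covers rds-db:connect on the user's ARN and no
    Deny statement does (an explicit Deny always wins in IAM evaluation)."""
    target = db_user_arn(region, account_id, db_identifier, db_user)
    allowed = False
    for stmt in policy.get("Statement", []):
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_iam_match(a, "rds-db:connect", ignore_case=True)
                   for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_iam_match(r, target) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def regions_without_connect(policy, regions, account_id, db_user, db_identifier="cluster-a"):
    """Regions in which the policy would not let Veza connect as db_user, i.e. the
    regions that still need their own Resource entry (or the wildcard form)."""
    return [r for r in regions
            if not connect_allowed(policy, r, account_id, db_identifier, db_user)]


if __name__ == "__main__":
    print(connect_allowed(SAMPLE_POLICY, "us-east-1", "123456789012", "cluster-a", "veza_user"))
    print(regions_without_connect(SAMPLE_POLICY, ["us-east-1", "us-west-1"],
                                  "123456789012", "veza_user"))
```

Run it against the policy you actually attached (json.load the policy file instead of SAMPLE_POLICY) with the list of regions that host RDS instances; any region it returns is one where discovery will fail with an authentication error until a matching Resource ARN is added.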

2. Create the local user

Connect to your database, and execute the following command to create a Veza User and grant the needed privileges for discovery. Replace [veza_user] with the name of the actual database user specified in your policy:

CREATE USER [veza_user] IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

GRANT REFERENCES ON *.* TO [veza_user];
GRANT SELECT ON mysql.user TO [veza_user];
GRANT SELECT ON mysql.db TO [veza_user];
GRANT SELECT ON mysql.tables_priv TO [veza_user];
GRANT SELECT ON mysql.columns_priv TO [veza_user];
GRANT SELECT ON mysql.global_grants TO [veza_user];
GRANT SELECT ON mysql.role_edges TO [veza_user]; -- Only if MySQL version is 8+

The next time Veza connects to the configured AWS account, the RDS MySQL server will be registered and appear under "Discovered Data Sources" on the Administration > Configuration > Apps and Data Sources tab.
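As an added example (not Veza's code or part of the original page), the check below audits what the Veza user actually holds against the grant set issued in step 2, so that the extraction user stays read-only over time. It parses the text rows returned by SHOW GRANTS FOR the user, reports grants that are missing, grants that go beyond the expected set, and any write-capable privilege. Both SHOW GRANTS samples are constructed: SAMPLE_OK matches the page's script on MySQL 8, and SAMPLE_DRIFTED is a user that lost REFERENCES, never received role_edges, and picked up INSERT on mysql.db.

```python
import re

# Added example (not Veza's code): audit the grants held by the Veza extraction
# user against the set the page's setup script issues. Input is the text rows of
# SHOW GRANTS FOR <user>, e.g. copied from the mysql client.

REQUIRED_GRANTS = {
    ("REFERENCES", "*.*"),
    ("SELECT", "mysql.user"),
    ("SELECT", "mysql.db"),
    ("SELECT", "mysql.tables_priv"),
    ("SELECT", "mysql.columns_priv"),
    ("SELECT", "mysql.global_grants"),
}
# mysql.role_edges exists only on MySQL 8+, so it is required only there.
REQUIRED_GRANTS_MYSQL8 = REQUIRED_GRANTS | {("SELECT", "mysql.role_edges")}

# Privileges a read-only discovery user should never hold.
WRITE_PRIVILEGES = {"INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER",
                    "ALL PRIVILEGES", "SUPER", "GRANT OPTION", "FILE"}

_GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+(?P<user>.+?)"
    r"(?P<with>\s+WITH\s+.+)?$",
    re.IGNORECASE,
)


def parse_show_grants(lines):
    """Return the set of (PRIVILEGE, object) pairs from SHOW GRANTS output rows."""
    grants = set()
    for line in lines:
        m = _GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue  # role assignments ("GRANT `r`@`%` TO ...") carry no ON clause
        obj = m.group("obj").replace("`", "")
        for priv in m.group("privs").split(","):
            priv = priv.strip().upper()
            if priv == "USAGE":
                continue  # USAGE is MySQL's way of saying "no privileges"
            grants.add((priv, obj))
        if m.group("with") and "GRANT OPTION" in m.group("with").upper():
            grants.add(("GRANT OPTION", obj))
    return grants


def audit_grants(lines, mysql8=True):
    """Compare held grants with the required set; anything extra is reported,
    and write-capable privileges are called out separately."""
    required = REQUIRED_GRANTS_MYSQL8 if mysql8 else REQUIRED_GRANTS
    held = parse_show_grants(lines)
    return {
        "missing": sorted(required - held),
        "unexpected": sorted(held - required),
        "write_privileges": sorted(g for g in held if g[0] in WRITE_PRIVILEGES),
    }


# Constructed SHOW GRANTS rows for a user set up exactly as the page describes (MySQL 8).
SAMPLE_OK = [
    "GRANT REFERENCES ON *.* TO `veza_user`@`%`",
    "GRANT SELECT ON `mysql`.`user` TO `veza_user`@`%`",
    "GRANT SELECT ON `mysql`.`db` TO `veza_user`@`%`",
    "GRANT SELECT ON `mysql`.`tables_priv` TO `veza_user`@`%`",
    "GRANT SELECT ON `mysql`.`columns_priv` TO `veza_user`@`%`",
    "GRANT SELECT ON `mysql`.`global_grants` TO `veza_user`@`%`",
    "GRANT SELECT ON `mysql`.`role_edges` TO `veza_user`@`%`",
]
# Constructed rows for a user that has drifted from the setup script.
SAMPLE_DRIFTED = [
    "GRANT USAGE ON *.* TO `veza_user`@`%`",
    "GRANT SELECT ON `mysql`.`user` TO `veza_user`@`%`",
    "GRANT SELECT, INSERT ON `mysql`.`db` TO `veza_user`@`%`",
    "GRANT SELECT ON `mysql`.`tables_priv` TO `veza_user`@`%`",
    "GRANT SELECT ON `mysql`.`columns_priv` TO `veza_user`@`%`",
    "GRANT SELECT ON `mysql`.`global_grants` TO `veza_user`@`%`",
]

if __name__ == "__main__":
    print(audit_grants(SAMPLE_OK))
    print(audit_grants(SAMPLE_DRIFTED))
```

Feed it the rows from SHOW GRANTS FOR `veza_user`@`%` on the instance (pass mysql8=False on 5.7, where mysql.role_edges does not exist); a non-empty write_privileges list means the user can do more than discovery requires and the extra grants should be revoked.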
