Monitoring HAQM Aurora databases with IBM Guardium

In an ever-changing IT landscape where data resides in multiple data sources, it is crucial to have a well-defined monitoring strategy and tools to protect your data. In order to monitor traffic in a traditional database implementation, you would typically install an agent in the database server. The agent would then collect the information from the database server it is installed on and pass it to a central monitoring engine for analysis.

As fully managed database services like HAQM Relational Database Service (HAQM RDS) are widely adopted, where AWS does the undifferentiated heavy lifting for the customer, installing agents is not a desired approach. This is where IBM Guardium External S-TAP comes into play. It is a component of IBM Guardium suite of products that can intercept database traffic without having to install an agent on the database server. You can deploy the External S-TAP on Kubernetes platforms like HAQM Elastic Kubernetes Service (HAQM EKS) or Red Hat OpenShift Service on AWS (ROSA).

In this blog, we will show you how IBM Guardium External S-TAP deploys on HAQM EKS and can monitor HAQM Aurora PostgreSQL traffic.

IBM Guardium overview

HAQM Aurora PostgreSQL is a fully managed, PostgreSQL-compatible, and ACID-compliant relational database engine that combines the speed, reliability, and manageability of HAQM Aurora with the simplicity and cost-effectiveness of open-source databases. IBM Guardium provides database activity monitoring and data protection capabilities for a wide range of platforms.

IBM Guardium continuously monitors the activity within your HAQM Aurora databases in real-time. It captures and analyzes database activity including SQL statements, login attempts, and administrative actions. By providing immediate visibility into database activity, IBM Guardium enables you to promptly identify and respond to suspicious or unauthorized activities. It employs advanced analytics and machine learning techniques to detect and prevent potential security threats. It also helps safeguard sensitive data stored in HAQM Relational Database Service (HAQM RDS) by enforcing data protection policies. You can establish granular access controls and monitor privileged user activities within your HAQM RDS environment.

IBM Guardium helps organizations maintain compliance with a wide range of regulations and standards, including GDPR, HIPAA, PCI DSS, and more. It provides pre-built compliance reports and templates, as well as customizable policies and rules, to help you meet your compliance requirements.

Solution architecture

Figure 1. Monitoring HAQM Aurora with IBM Guardium S-TAP.

As shown in Figure 1 above, the IBM Guardium External S-TAP runs in an HAQM EKS cluster. It intercepts traffic between clients and the database server, and forwards a copy of the traffic to an IBM Guardium Central Manager (IBM Guardium CM) for analysis and policy application. The HAQM EKS cluster manages the External S-TAP containers and also a Network Load Balancer (NLB).

The NLB is assigned an external IP address, which becomes the new database endpoint. The IBM Guardium CM controls and monitors the entire IBM Guardium environment from a single console. It can also act as an IBM Guardium Collector. In our example architecture we have the IBM Guardium S-TAP in a separate HAQM Virtual Private Cloud (HAQM VPC) compared to the IBM Guardium CM and HAQM Aurora. You should choose the HAQM VPC architecture that best suits your organizations needs and policies.

If IBM Guardium detects a security threat or compliance violation, it can trigger an alert or notification. You can configure IBM Guardium to automatically respond to these alerts, such as by blocking the offending user or IP address, or by sending an email notification to your security team. This helps you quickly respond to potential security threats and minimize the impact on your business.

In the following sections, we will show the step by step process to deploy IBM Guardium External S-TAP on HAQM EKS and configure it to capture database traffic.

Prerequisites

This post assumes that you have the following prerequisites:

• An AWS account with permission to create required resources.
• AWS Identity and Access Management (IAM) permission to create an IAM role.
• IBM Guardium license to run on HAQM Elastic Compute Cloud (HAQM EC2).
• Deploy IBM Guardium from the AWS Marketplace:
  • Use an existing or create a new key pair from the HAQM EC2 console.
  • Follow the instructions to setup IBM Guardium from the AWS Marketplace using your key pair.
  • Take note of the IP address of your HAQM EC2 instance running IBM Guardium, you will use it on step 18 of the Implementation steps section.
• Basic knowledge of HAQM Aurora and HAQM VPC configurations.
• Docker hub credentials
• A bastion host of your choice with the following command line tools installed:
  • AWS CLI
  • eksctl
  • kubectl
  • A database client on your workstation, or the psql client on the bastion host. This will be used to issue SQL commands when validating IBM Guardium S-TAP monitoring.

Costs

You are responsible for the cost of the AWS services used when deploying IBM Guardium in your AWS account. For cost estimates, see the pricing pages for each AWS service you use.

Implementation steps

Create an Aurora PostgreSQL DB cluster

1. Create an Aurora PostgreSQL DB cluster, following the steps in Creating and connecting to an Aurora PostgreSQL DB cluster.

HAQM EKS cluster setup

For the purpose of this blog post we have created an HAQM EKS cluster with 2 t3.medium nodes, your requirements may vary.

2. Connect to your bastion host to create an HAQM EKS cluster with the eksctl command. You can also create your cluster from the HAQM EKS console.

3. Execute commands below from your bastion host, to connect to the HAQM EKS cluster:

$ aws eks update-kubeconfig --region <EKS_Cluster_AWS_Region> --name <Cluster_Name>

$ kubectl config set-context --current --namespace=kube-system

4. Retrieve the HAQM EKS cluster master url and save it in a text editor of your choice. We will use this later to configure IBM Guardium:

kubectl cluster-info

5. Create an HAQM EKS admin user:

$ kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: <service-account-name>
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: <cluster-role-binding-name>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: <cluster-role-name>
subjects:
- kind: ServiceAccount
  name: <service-account-name>
  namespace: kube-system
EOF

6. Generate a service account token and authentication token for the admin user created in the previous step. It will be used to configure the external S-TAP in IBM Guardium:

$ kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: <serice-account-name>-token
  annotations:
    kubernetes.io/service-account.name: <service-account-name>
type: kubernetes.io/service-account-token
EOF

7. Retrieve the admin user secret/authentication token to configure the external S-TAP:

$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep <admin-name> | awk '{print $1}')

8. Create a docker credential secret to pull the external S-TAP container image from the docker hub registry:

$ kubectl create secret docker-registry <secret_name> \
--docker-server=docker.io \
--docker-username=<DOCKER_USERNAME> \
--docker-password=<DOCKER_PASSWORD> \
--docker-email=<DOCKER_EMAIL>

9. IBM Guardium S-TAP uses TLS certificates for secure communication. Connect to your IBM Guardium HAQM EC2 instance, with the key pair used to install IBM Guardium to retrieve the certificate for external s-tap:

$ ssh -i <ssh_key_file> cli@<IBM Guardium_CM_ip>

10. Run the following command to retrieve the SSL certificate token to configure in IBM Guardium (figure 2):

$ show certificate external_stap

Figure 2. SSL certificate service account token.

Deploy external S-TAP from the IBM Guardium admin console

11. Log in to your IBM Guardium CM admin console. On the Menu choose Manage, then choose Activity Monitoring, then select External S-TAP Control. Select the + button present on top left corner to add a new external S-TAP.

12. Configure the HAQM EKS cluster and external S-TAP preferences in the Kubernetes tab (figure 3):

Figure 3. Configure external S-TAP in HAQM EKS.

13. Click on the Docker tab to configure the Docker Hub information to retrieve the container image (figure 4):

Figure 4. Configure external s-tap docker image and credentials.

14. Open the HAQM RDS console and click on Databases to display a list of your database instances.

15. Click on your HAQM Aurora PostgreSQL created on step 1 (figure 5).

16. On the Connectivity & security tab, copy the endpoint name and port as shown in figure 5:

Figure 5. Retrieve your HAQM Aurora PostgreSQL endpoint name and port.

17. Navigate back to the IBM Guardium console. From the Database tab, enter the information collected in the previous step to configure your database details in External S-TAP (figure 6):

Figure 6: Configure HAQM Aurora host and port for the External S-TAP.

18. In the Guardium tab (figure 7) enter the IP address of the HAQM EC2 instance running IBM Guardium as mentioned in the pre-requisites section of this blog:

Figure 7. Enter the IP address of the HAQM EC2 instances running IBM Guardium.

19. Configure the certificate details for the external s-tap secure connection (figure 8):

Figure 8: Configure SSL certificates for the external S-TAP connection.

20. Click on the Apply button to deploy the external S-TAP on HAQM EKS. You should see the external S-TAP in the IBM Guardium Console with status Green (figure 9):

Figure 9. External S-TAP status on HAQM EKS.

Validation

21. Run the below command to retrieve the External S-TAP service hostname:

$ kubectl get svc -n kube-system

22. Create a new connection from your DB client UI or the psql client in the bastion host. Use the external S-TAP service hostname and the HAQM Aurora endpoint and port, username and password (figure 10):

Figure 10. Create HAQM Aurora connection in DB client.

23. Post successful connection, generate traffic by running create or select commands (figure 11):

Figure 11. Generate SQL traffic in HAQM Aurora.

24. The external S-TAP captures the traffic and makes it visible in the IBM Guardium dashboard (figure 12):

Figure 12. IBM Guardium Dashboard showing HAQM Aurora traffic details.

This validation shows you how the IBM Guardium external S-TAP is intercepting traffic from HAQM Aurora for monitoring. You can also create policies in your IBM Guardium console to enforce security as a business requirement.

Clean up

To clean up resources, complete the following steps:

1. Terminate your IBM Guardium HAQM EC2 instance following the steps given here.
2. Delete your HAQM Aurora PostgreSQL instance following the steps given here.
3. Delete your HAQM EKS managed node group following the steps given here.
4. Delete your HAQM EKS cluster following the steps given here.

Summary

Integrating IBM Guardium with HAQM RDS provides the security, compliance, and data protection capabilities that you need for your database infrastructure. By leveraging IBM Guardium’s advanced monitoring, threat detection, and compliance reporting features, you can confidently manage your data and mitigate risks in your HAQM RDS environment. In this post, you learned how to configure External S-TAP for monitoring, data protection and also define the policies via IBM Guardium console.

Visit the AWS Marketplace to subscribed to the IBM Security solutions on AWS:

• IBM Security Guardium Software
• IBM Security Guardium Data Protection – Collector
• IBM Security Guardium Data Protection – Aggregator or CM
• IBM Security Guardium Insights SaaS
• IBM Security Verify Governance
• IBM on AWS Partner Page

Further content:

• IBM and Red Hat on AWS blogs
• IBM Security Guardium Central Manager
• Cloud database service protection HAQM AWS setup
• Steps you can take with IBM Guardium to protect your dataPolicies that can be applied to the database traffic being detected