Can an AWS RDS SQL Server Audit file be encrypted with a KMS key prior to upload to S3?

0

Hi - I am using an RDS SQL Server and have enabled SQL Audit so the audit files can be uploaded to S3 by following this documentation: SQL Server Audit

This mentions that:

The audit log files are automatically uploaded from the DB instance to your S3 bucket.

In my environment, however, there is a policy in place that requires uploads to S3 to be encrypted with a KMS key, and at present the audit files are failing to upload:

{
    "Effect": "Deny",
    "Action": "s3:PutObject",
    "Resource": "*",
    "Condition": {
        "StringNotEquals": {
            "s3:x-amz-server-side-encryption": "aws:kms"
        }
    }
}

Is there a way to pass a KMS key to the audit files before RDS automatically uploads them to S3?

1 Answer
0

I think there's no way for RDS to automatically pass a KMS key ID while uploading SQL Server Audit logs to an S3 bucket. But you can do one of the following:

  • You can create a new S3 bucket and enable "Default Encryption" using AWS KMS with your custom KMS CMK. Then, update your S3 bucket policy to restrict uploads only from the IAM role for RDS SQL Server Audit.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/role_name"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my_bucket/*"
        }
    ]
}
  • If you already have an S3 bucket, enable "Default Encryption" using AWS KMS with your custom KMS CMK. Then, update your S3 bucket policy to customize the "Resource" attribute to all key prefixes except the one used to upload the SQL Server Audit files.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my_bucket/all_prefixes/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/role_name"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my_bucket/rds_log_prefix/*"
        }
    ]
}

I hope that helps.

answered 3 years ago
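The reason the asker's policy blocks the RDS upload, and why the answer's prefix-scoped variant lets it through, comes down to how a negated condition operator behaves when the request carries no `s3:x-amz-server-side-encryption` header at all: `StringNotEquals` evaluates to true when the key is absent, so the `Deny` fires. Default bucket encryption does not help against that statement either, because S3 evaluates the bucket policy before applying the bucket's encryption setting. The script below is an added illustration written for this thread, not code from AWS or from either poster: it models both policies as Python dicts, builds the `put_bucket_encryption` body the answer refers to, and runs a deliberately simplified policy evaluator (explicit deny beats allow, only `StringEquals`/`StringNotEquals` and `*` wildcards are supported; it is not the IAM engine). The bucket name, role ARN, prefixes and KMS key ARN are placeholders taken from or constructed for the thread; the asker's fragment is given a `Principal` of `"*"` so it can be evaluated as a bucket policy.

```python
import re

# Constructed placeholders for the simulation (not real resources).
BUCKET = "my_bucket"
RDS_AUDIT_ROLE = "arn:aws:iam::123456789012:role/role_name"
AUDIT_PREFIX = "rds_log_prefix/"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"

# The asker's blanket rule: every PutObject must carry the SSE-KMS header.
BLANKET_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}

# The answer's variant: the header rule covers the other prefixes, while the
# audit-log prefix relies on default bucket encryption instead.
PREFIX_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/all_prefixes/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Effect": "Allow", "Principal": {"AWS": RDS_AUDIT_ROLE}, "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/{AUDIT_PREFIX}*"},
    ],
}


def default_encryption_config(kms_key_arn):
    """ServerSideEncryptionConfiguration body for s3.put_bucket_encryption:
    objects uploaded without SSE headers get encrypted with this KMS key."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": kms_key_arn},
        "BucketKeyEnabled": True,  # cuts per-object KMS calls
    }]}


def _glob(pattern, value):
    # Only the '*' wildcard is supported in this simplified matcher.
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), value) is not None


def _principal_matches(principal, caller):
    if principal == "*":
        return True
    allowed = principal.get("AWS", []) if isinstance(principal, dict) else []
    return caller in ([allowed] if isinstance(allowed, str) else allowed)


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators match when the key is absent from the
                # request, so a header-less upload satisfies this condition.
                if actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def evaluate(policy, caller, action, resource, context):
    """Return 'explicit_deny', 'allow' or 'implicit_deny'; an explicit deny wins."""
    outcome = "implicit_deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        applies = (_principal_matches(stmt["Principal"], caller)
                   and any(_glob(a, action) for a in actions)
                   and any(_glob(r, resource) for r in resources)
                   and _condition_holds(stmt.get("Condition", {}), context))
        if not applies:
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        outcome = "allow"
    return outcome


def simulate_put(policy, caller, key, sse_header=None):
    """Evaluate a PutObject of BUCKET/key; sse_header=None models RDS, which
    sends no x-amz-server-side-encryption header with the audit file."""
    context = {} if sse_header is None else {"s3:x-amz-server-side-encryption": sse_header}
    return evaluate(policy, caller, "s3:PutObject", f"arn:aws:s3:::{BUCKET}/{key}", context)


if __name__ == "__main__":
    key = AUDIT_PREFIX + "audit.sqlaudit"
    print("blanket deny, RDS upload:", simulate_put(BLANKET_DENY_POLICY, RDS_AUDIT_ROLE, key))
    print("prefix-scoped, RDS upload:", simulate_put(PREFIX_SCOPED_POLICY, RDS_AUDIT_ROLE, key))
    print("prefix-scoped, other prefix without header:",
          simulate_put(PREFIX_SCOPED_POLICY, RDS_AUDIT_ROLE, "all_prefixes/report.csv"))
```

Two things to check when applying this for real: the `all_prefixes/*` resource in the answer is a placeholder, since a single `Resource` cannot express "everything except the audit prefix" (list the other prefixes explicitly, or use `NotResource`), and after enabling default encryption, confirm with `get_bucket_encryption` and inspect an uploaded audit file's `ServerSideEncryption` and `SSEKMSKeyId` response fields to verify the files really land encrypted under your CMK.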
