Can an AWS RDS SQL Server Audit File be encrypted with a KMS key prior to upload to S3?

0

Hi - I am using an RDS SQL Server instance and have enabled SQL Audit so the audit files can be uploaded to S3, following this documentation: SQL Server Audit

This mentions that:

"The audit log files are automatically uploaded from the DB instance to your S3 bucket."

In my environment, however, there is a policy in place that requires uploads to S3 to be encrypted with a KMS key, and at present the audit files are failing to upload:

{
    "Effect": "Deny",
    "Action": "s3:PutObject",
    "Resource": "*",
    "Condition": {
        "StringNotEquals": {
            "s3:x-amz-server-side-encryption": "aws:kms"
        }
    }
}

Is there a way to pass a KMS key to the audit files before RDS automatically uploads them to S3?

1 answer
0

I think there's no way for RDS to automatically pass a KMS key ID while uploading SQL Server Audit Logs to an S3 bucket. But you can do one of the following:

  • You can create a new S3 bucket and enable "Default Encryption" using AWS KMS with your custom KMS CMK. Then, update your S3 bucket policy to restrict uploads only from the IAM role for RDS SQL Server Audit.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/role_name"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my_bucket/*"
        }
    ]
}
  • If you already have an S3 bucket, enable "Default Encryption" using AWS KMS with your custom KMS CMK. Then, update your S3 bucket policy to customize the "Resource" attribute to all key prefixes except the one used to upload the SQL Server Audit files.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my_bucket/all_prefixes/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/role_name"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my_bucket/rds_log_prefix/*"
        }
    ]
}

I hope that helps.

Answered 3 years ago
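To see why the questioner's Deny blocks the RDS upload even when the bucket has default KMS encryption, and why the answer's scoped policy lets it through, here is a small, simplified policy evaluator (added example, not part of the original post or any AWS tool). It assumes RDS sends no SSE header on its automatic upload, so the s3:x-amz-server-side-encryption condition key is absent from the request context; the role ARN and prefixes are the answer's placeholders and the object keys are constructed.

```python
import fnmatch

RDS_ROLE = "arn:aws:iam::123456789012:role/role_name"  # placeholder role from the answer
AUDIT_OBJECT = "arn:aws:s3:::my_bucket/rds_log_prefix/audit_01.sqlaudit"  # constructed key
OTHER_OBJECT = "arn:aws:s3:::my_bucket/all_prefixes/report.csv"          # constructed key

# Constructed request contexts. The RDS upload sets no SSE header (assumption), and
# bucket default encryption is applied after policy evaluation, so it never populates
# the s3:x-amz-server-side-encryption condition key; only a client header does.
RDS_PUT = {"principal": RDS_ROLE, "action": "s3:PutObject", "resource": AUDIT_OBJECT, "context": {}}
PLAIN_PUT = {"principal": RDS_ROLE, "action": "s3:PutObject", "resource": OTHER_OBJECT, "context": {}}
KMS_PUT = dict(PLAIN_PUT, context={"s3:x-amz-server-side-encryption": "aws:kms"})

ORIGINAL_DENY = {"Statement": [{"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}

SCOPED_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my_bucket/all_prefixes/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Effect": "Allow", "Principal": {"AWS": RDS_ROLE}, "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my_bucket/rds_log_prefix/*"}]}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def statement_applies(stmt, req):
    """True if principal, action, resource and condition all match the request (wildcards via fnmatch)."""
    principal = stmt.get("Principal", "*")
    if principal != "*" and not any(fnmatch.fnmatchcase(req["principal"], p)
                                    for p in _as_list(principal["AWS"])):
        return False
    if not any(fnmatch.fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        # Negated operator: an absent key counts as "not equal", so the Deny still fires.
        if req["context"].get(key) == expected:
            return False
    return True

def evaluate(policy, req):
    """Explicit Deny wins; otherwise Allow if any Allow matches; else implicit deny (this document only)."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, req)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"
```

Running evaluate(ORIGINAL_DENY, RDS_PUT) gives Deny, while the scoped policy allows the header-less audit upload under rds_log_prefix and still denies a header-less put under all_prefixes.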
