Can an AWS RDS SQL Server Audit File be encrypted with a KMS key prior to upload to S3?


Hi - I am using an RDS SQL Server instance and have enabled SQL Server Audit so the audit files can be uploaded to S3, following this documentation: SQL Server Audit

This mentions that:

"The audit log files are automatically uploaded from the DB instance to your S3 bucket."

In my environment, however, there is a policy in place that requires uploads to S3 to be encrypted with a KMS key, and at present the audit files are failing to be uploaded:

{
  "Effect": "Deny",
  "Action": "s3:PutObject",
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "s3:x-amz-server-side-encryption": "aws:kms"
    }
  }
}

Is there a way to pass a KMS key to the audit files before RDS automatically uploads them to S3?

1 Answer

I think there's no way for RDS to automatically pass a KMS key ID while uploading SQL Server Audit logs to an S3 bucket. But you can do one of the following:

  • You can create a new S3 bucket and enable "Default Encryption" using AWS KMS with your custom KMS CMK. Then, update your S3 bucket policy to restrict uploads to only the IAM role for RDS SQL Server Audit.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/role_name"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my_bucket/*"
        }
    ]
}
  • If you already have an S3 bucket, enable "Default Encryption" using AWS KMS with your custom KMS CMK. Then, update your S3 bucket policy to customize the "Resource" attribute to all key prefixes except the one used to upload the SQL Server Audit files.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my_bucket/all_prefixes/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/role_name"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my_bucket/rds_log_prefix/*"
        }
    ]
}

I hope that helps.

answered 2 years ago
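To see why the question's Deny statement blocks the RDS upload and why the answer's prefix carve-out lets it through, here is a small Python evaluator. It is an added example, not code from the original post and not an AWS tool: it applies IAM's statement-matching rules (an explicit deny always wins; a negated operator such as StringNotEquals matches when the condition key is absent from the request) to the two policies above. The role ARN, bucket name and prefixes are the answer's placeholders, the object keys and the second principal are constructed, and it assumes that the RDS upload sends no s3:x-amz-server-side-encryption header (which is what the failure in the question indicates) and that the question's snippet is a single Deny statement without a Principal, so it applies to every caller.

```python
"""Offline simulator for the bucket-policy statements discussed above.

Constructed example: models only the visible statements and IAM's documented
evaluation order. Real requests are also subject to SCPs and identity policies
that this toy evaluator does not see.
"""
from fnmatch import fnmatchcase

RDS_ROLE = "arn:aws:iam::123456789012:role/role_name"   # placeholder from the answer
OTHER_USER = "arn:aws:iam::123456789012:user/analyst"  # constructed principal
BUCKET = "arn:aws:s3:::my_bucket"                      # placeholder from the answer
SSE_KEY = "s3:x-amz-server-side-encryption"

# The question's statement, wrapped so it can be evaluated on its own. No
# Principal is given, so (as in an identity policy or SCP) it applies to everyone.
DENY_UNLESS_KMS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
                   "Condition": {"StringNotEquals": {SSE_KEY: "aws:kms"}}}],
}

# The answer's second option: the Deny is scoped to every prefix except the one
# RDS writes to, and the RDS role is allowed on that prefix. Default bucket
# encryption (SSE-KMS) then covers the objects the Deny no longer inspects.
PREFIX_CARVEOUT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"{BUCKET}/all_prefixes/*",
         "Condition": {"StringNotEquals": {SSE_KEY: "aws:kms"}}},
        {"Effect": "Allow", "Principal": {"AWS": RDS_ROLE}, "Action": "s3:PutObject",
         "Resource": f"{BUCKET}/rds_log_prefix/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return caller_arn in _as_list(principal.get("AWS", []))
    return False


def _condition_matches(condition, context):
    """True when every condition clause holds for the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)  # None when the header is absent
            expected_values = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected_values:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators evaluate to true when the key is missing
                # from the request, which is exactly what trips the RDS upload.
                if actual is not None and actual in expected_values:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def evaluate(policy, caller_arn, action, resource_arn, context=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", "*"), caller_arn):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def rds_upload_decision(policy, key="rds_log_prefix/audit-file.sqlaudit"):
    """The RDS upload as the question describes it: a PUT with no SSE header."""
    return evaluate(policy, RDS_ROLE, "s3:PutObject", f"{BUCKET}/{key}")


if __name__ == "__main__":
    print("question's policy, RDS upload:", rds_upload_decision(DENY_UNLESS_KMS))
    print("answer's carve-out, RDS upload:", rds_upload_decision(PREFIX_CARVEOUT))
    print("answer's carve-out, unencrypted PUT elsewhere:",
          evaluate(PREFIX_CARVEOUT, OTHER_USER, "s3:PutObject", f"{BUCKET}/all_prefixes/report.csv"))
```

Running the module shows the RDS PUT ending in ExplicitDeny under the question's policy and Allow under the carve-out, while an unencrypted PUT to any other prefix is still explicitly denied. An ImplicitDeny result only means this bucket policy grants nothing for that request; a same-account identity policy may still allow it, which is why the answer pairs the carve-out with default SSE-KMS encryption on the bucket.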
