Garrison Agent - AWS RDS
This is a part of the Garrison security project. This agent provides various AWS RDS compliance checks.
Checks Provided
Function Name | Description |
---|---|
check_backup_retention |
Alerts if the backup retention is less than the configured threshold. |
check_encryption |
Alerts if encryption is not enabled for an RDS instance. |
check_engine_version |
Alerts if the engine version is not the latest available. (Aurora not supported) |
check_multi_az |
Alerts if the database is not setup for multi az support. (Aurora, aurora-mysql, and aurora-postgresql not supported) |
Installation & Example
Docker Hub - https://hub.docker.com/r/forward3d/garrison-agent-aws-rds/
docker pull forward3d/garrison-agent-aws-rds
docker run --rm -e "GARRISON_URL=https://garrison.internal.acme.com" forward3d/garrison-agent-aws-rds check_encryption
docker run --rm -e "GARRISON_URL=https://garrison.internal.acme.com" -e "GARRISON_AWS_REGIONS=eu-west-1,us-west-2" forward3d/garrison-agent-aws-rds check_backup_retention
Agent Specific Configuration
These are additional specific configuration options for this agent. Global agent configurations still apply.
Environmental Variable | Default | Expects |
---|---|---|
GARRISON_AWS_REGIONS |
all [1] |
Comma Separated Strings eg. eu-west-1,us-west-2 |
GARRISON_RDS_ENGINES |
all |
Comma Separated Strings eg. mysql,postgres |
- AWS Regions as returned by the AWS SDK at runtime for RDS.
AWS Authentication
As this requires access to the AWS API you will need this IAM policy as a minimum for it to operate correctly.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:DescribeDBInstances"
"rds:DescribeDBEngineVersions"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
We recommend using EC2/ECS Task roles so that you don't need to send credentials into the container, however if you can't use those or want to send in specific Access Keys and Secret keys, please see the AWS Documentation as to how you do that.
STS AssumeRole
)
Cross-Account Authentication (If you run Garrison agents in one account, and want to reach into other AWS accounts you need to send in extra environmental variables to support that.
Environmental Variable | Value |
---|---|
AWS_ACCOUNT_ID |
Not used as part of authentication, but to override the tag set on any alerts |
AWS_ASSUME_ROLE_CREDENTIALS_ARN |
Arn of the role (in the other account) you wish to assume |
Check Specific Configuration
Some checks provided by this agent have extra configuration options.
check_backup_retention
Environmental Variable | Default |
---|---|
GARRISON_RDS_THRESHOLD |
7 |
check_multi_az
Databases tagged with multi_az = false
will be excluded from the checks, e.g.:
tags [
{
"Key": "multi_az",
"Value": "false"
}
]