Skip to content
This repository has been archived by the owner on May 13, 2021. It is now read-only.

forward3d/garrison-agent-aws-rds

BranchesTags

Repository files navigation

Garrison Agent - AWS RDS

This is a part of the Garrison security project. This agent provides various AWS RDS compliance checks.

Checks Provided

Function Name Description
check_backup_retention Alerts if the backup retention is less than the configured threshold.
check_encryption Alerts if encryption is not enabled for an RDS instance.
check_engine_version Alerts if the engine version is not the latest available. (Aurora not supported)
check_multi_az Alerts if the database is not setup for multi az support. (Aurora, aurora-mysql, and aurora-postgresql not supported)

Installation & Example

Docker Hub - https://hub.docker.com/r/forward3d/garrison-agent-aws-rds/

docker pull forward3d/garrison-agent-aws-rds
docker run --rm -e "GARRISON_URL=https://garrison.internal.acme.com" forward3d/garrison-agent-aws-rds check_encryption
docker run --rm -e "GARRISON_URL=https://garrison.internal.acme.com" -e "GARRISON_AWS_REGIONS=eu-west-1,us-west-2" forward3d/garrison-agent-aws-rds check_backup_retention

Agent Specific Configuration

These are additional specific configuration options for this agent. Global agent configurations still apply.

Environmental Variable Default Expects
GARRISON_AWS_REGIONS all [1] Comma Separated Strings eg. eu-west-1,us-west-2
GARRISON_RDS_ENGINES all Comma Separated Strings eg. mysql,postgres
  1. AWS Regions as returned by the AWS SDK at runtime for RDS.

AWS Authentication

As this requires access to the AWS API you will need this IAM policy as a minimum for it to operate correctly.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
              "rds:DescribeDBInstances"
              "rds:DescribeDBEngineVersions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

We recommend using EC2/ECS Task roles so that you don't need to send credentials into the container, however if you can't use those or want to send in specific Access Keys and Secret keys, please see the AWS Documentation as to how you do that.

Cross-Account Authentication (STS AssumeRole)

If you run Garrison agents in one account, and want to reach into other AWS accounts you need to send in extra environmental variables to support that.

Environmental Variable Value
AWS_ACCOUNT_ID Not used as part of authentication, but to override the tag set on any alerts
AWS_ASSUME_ROLE_CREDENTIALS_ARN Arn of the role (in the other account) you wish to assume

Check Specific Configuration

Some checks provided by this agent have extra configuration options.

check_backup_retention

Environmental Variable Default
GARRISON_RDS_THRESHOLD 7

check_multi_az

Databases tagged with multi_az = false will be excluded from the checks, e.g.: tags [ { "Key": "multi_az", "Value": "false" } ]

About

Garrison Agent that provides AWS RDS compliance checks

github.com/forward3d/garrison

Topics

compliance aws-rds garrison garrison-agent

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

10 watching

Forks

1 fork
Report repository

Releases 1

v1.0.4 Latest
Mar 10, 2021

Packages

No packages published

Contributors 7

Languages