Deploy on AWS
Seamlessly integrate DB Audit with your AWS infrastructure. Native support for RDS, Aurora, IAM authentication, and CloudWatch for comprehensive database auditing.
AWS Integration Features
Native RDS & Aurora Integration
Direct integration with Amazon RDS and Aurora databases using IAM authentication and enhanced monitoring.
IAM Role-Based Access
Secure authentication using AWS IAM roles with fine-grained permissions and automatic credential rotation.
CloudWatch Integration
Stream audit logs to CloudWatch Logs, set up alarms, and integrate with your existing AWS monitoring stack.
Prerequisites
- AWS account with appropriate permissions
- RDS or Aurora database instance(s) to monitor
- IAM permissions to create roles and policies
- VPC with appropriate security groups configured
- AWS CLI configured locally (optional, for deployment)
AWS Configuration Reference
| Setting | Type | Required | Description |
|---|---|---|---|
| aws_region | string | Yes | AWS region where your databases are deployed (e.g., us-east-1) |
| aws_role_arn | string | Yes | ARN of the IAM role for DB Audit to assume |
| rds_instance_ids | array | Yes | List of RDS instance identifiers to monitor |
| aurora_cluster_ids | array | No | List of Aurora cluster identifiers to monitor |
| cloudwatch_log_group | string | No | CloudWatch log group for audit logs (auto-created if not exists) |
| enhanced_monitoring | boolean | No | Enable enhanced RDS monitoring metrics (default: true) |
| secrets_manager_arn | string | No | ARN of Secrets Manager secret for database credentials |
| kms_key_id | string | No | KMS key ID for encrypting audit data at rest |
Deployment Steps
Create IAM Role and Policy
Create an IAM role with the necessary permissions for DB Audit to access your RDS instances, CloudWatch, and Secrets Manager.
IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:DescribeDBClusters",
"rds:DescribeDBLogFiles",
"rds:DownloadDBLogFilePortion"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Resource": "arn:aws:logs:*:*:log-group:/dbaudit/*"
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:dbaudit/*"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "arn:aws:kms:*:*:key/*",
"Condition": {
"StringEquals": {
"kms:ViaService": "secretsmanager.*.amazonaws.com"
}
}
}
]
}Trust Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "dbaudit-external-id"
}
}
}
]
}Configure DB Audit
Create your DB Audit configuration file with AWS-specific settings.
# /etc/dbaudit/aws-config.yaml
provider: aws
aws:
region: us-east-1
role_arn: arn:aws:iam::123456789012:role/DBauditRole
external_id: ${DBAUDIT_EXTERNAL_ID}
# RDS instances to monitor
rds:
instance_ids:
- production-postgres
- analytics-mysql
enhanced_monitoring: true
# Aurora clusters to monitor
aurora:
cluster_ids:
- prod-aurora-cluster
# CloudWatch configuration
cloudwatch:
log_group: /dbaudit/audit-logs
retention_days: 90
# Secrets Manager for credentials
secrets:
enabled: true
secret_arn: arn:aws:secretsmanager:us-east-1:123456789012:secret:dbaudit/credentials
# KMS encryption
kms:
key_id: alias/dbaudit-key
collector:
log_level: info
buffer_size: 1000
flush_interval: 10sDeploy the Collector
Choose your preferred deployment method: ECS Fargate, EC2 with Docker, or infrastructure as code.
Option A: Docker on EC2
# Deploy DB Audit collector on AWS EC2
# Pull and run the collector
docker run -d \
--name dbaudit-collector \
--restart unless-stopped \
-e DBAUDIT_API_KEY=${DBAUDIT_API_KEY} \
-e AWS_REGION=us-east-1 \
-e AWS_DEFAULT_REGION=us-east-1 \
-v ~/.aws:/root/.aws:ro \
-v /var/lib/dbaudit:/data \
dbaudit/collector:latest \
--config /etc/dbaudit/aws-config.yamlOption B: Terraform
# Terraform configuration for DB Audit on AWS
resource "aws_iam_role" "dbaudit_role" {
name = "dbaudit-collector-role"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
resource "aws_iam_role_policy" "dbaudit_policy" {
name = "dbaudit-collector-policy"
role = aws_iam_role.dbaudit_role.id
policy = file("dbaudit-iam-policy.json")
}
resource "aws_cloudwatch_log_group" "dbaudit" {
name = "/dbaudit/audit-logs"
retention_in_days = 90
kms_key_id = aws_kms_key.dbaudit.arn
}
resource "aws_kms_key" "dbaudit" {
description = "KMS key for DB Audit encryption"
deletion_window_in_days = 7
enable_key_rotation = true
}
resource "aws_ecs_task_definition" "dbaudit" {
family = "dbaudit-collector"
requires_compatibilities = ["FARGATE"]
network_mode = "awsvpc"
cpu = 512
memory = 1024
execution_role_arn = aws_iam_role.dbaudit_execution.arn
task_role_arn = aws_iam_role.dbaudit_role.arn
container_definitions = jsonencode([
{
name = "dbaudit-collector"
image = "dbaudit/collector:latest"
environment = [
{ name = "DBAUDIT_API_KEY", value = var.dbaudit_api_key },
{ name = "AWS_REGION", value = var.aws_region }
]
logConfiguration = {
logDriver = "awslogs"
options = {
awslogs-group = aws_cloudwatch_log_group.dbaudit.name
awslogs-region = var.aws_region
awslogs-stream-prefix = "collector"
}
}
}
])
}Option C: CloudFormation
AWSTemplateFormatVersion: '2010-09-09'
Description: DB Audit Collector Stack
Parameters:
DBauditApiKey:
Type: String
NoEcho: true
Description: Your DB Audit API key
VpcId:
Type: AWS::EC2::VPC::Id
Description: VPC to deploy into
SubnetIds:
Type: List<AWS::EC2::Subnet::Id>
Description: Subnets for the collector
Resources:
DBauditRole:
Type: AWS::IAM::Role
Properties:
RoleName: dbaudit-collector-role
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- !Ref DBauditPolicy
DBauditPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- rds:DescribeDBInstances
- rds:DescribeDBClusters
- rds:DescribeDBLogFiles
- rds:DownloadDBLogFilePortion
Resource: '*'
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/dbaudit/*'
DBauditLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: /dbaudit/audit-logs
RetentionInDays: 90
DBauditCluster:
Type: AWS::ECS::Cluster
Properties:
ClusterName: dbaudit-cluster
DBauditService:
Type: AWS::ECS::Service
Properties:
Cluster: !Ref DBauditCluster
TaskDefinition: !Ref DBauditTaskDefinition
DesiredCount: 1
LaunchType: FARGATE
NetworkConfiguration:
AwsvpcConfiguration:
Subnets: !Ref SubnetIds
SecurityGroups:
- !Ref DBauditSecurityGroup
Outputs:
ClusterArn:
Value: !GetAtt DBauditCluster.Arn
LogGroupName:
Value: !Ref DBauditLogGroupVerify Deployment
Confirm your collector is running and connected to your AWS resources.
Architecture Overview
AWS Deployment Architecture
Security Best Practices
Use IAM Roles Instead of Access Keys
Never hardcode AWS access keys. Use IAM roles for EC2, ECS, or Lambda to automatically rotate credentials.
Enable VPC Endpoints
Create VPC endpoints for RDS and Secrets Manager to keep traffic within AWS network and improve security.
Encrypt Data with KMS
Use AWS KMS to encrypt audit logs at rest. Enable automatic key rotation for enhanced security.
Restrict Security Groups
Only allow the DB Audit collector to access database ports. Block all other inbound traffic.
Enable CloudTrail
Log all AWS API calls for the DB Audit IAM role to maintain an audit trail of collector activities.
Use Secrets Manager
Store database credentials in AWS Secrets Manager with automatic rotation enabled.
Troubleshooting
Collector cannot assume IAM role
Verify the trust policy includes the correct principal (EC2, ECS, or cross-account). Check that the external ID matches if using cross-account access.
Cannot connect to RDS instance
Ensure the security group allows inbound connections from the collector. Verify the VPC routing and that the RDS instance is accessible from the collector subnet.
CloudWatch logs not appearing
Check the IAM policy includes logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents permissions for the correct log group ARN.
Secrets Manager access denied
Verify the IAM policy includes secretsmanager:GetSecretValue for the specific secret ARN. Check KMS key permissions if the secret is encrypted.
High latency in audit events
Consider deploying the collector in the same region and VPC as your databases. Enable enhanced monitoring for RDS instances.
Ready to Deploy on AWS?
Get started with DB Audit on AWS in minutes. Our team can help you design the optimal architecture for your environment.