Securing Access to AWS Aurora (PostgreSQL) Database using Vaulted Credentials

In this blog we showcase how you can secure access to an AWS Aurora PostgreSQL database using vaulted credentials with CyberArk Secure Infrastructure Access (SIA) Modern Session Management.

AWS Aurora Settings

  1. Capture the Endpoint, Master Username and Password from the AWS Aurora database configuration. This information will later be used in SIA to secure the connection.

Create Safe and onboard Account on PAM

The first step in using a vaulted credential to access the AWS Aurora DB is to create a Safe and store the database user and password in the Vault. All activities in this step are performed on the Privilege Cloud tile: configuring the platform, creating the Safe, and onboarding the account.

  1. Configure the platform: A platform for Aurora PostgreSQL is available on the CyberArk Marketplace; it can be downloaded and imported through Platform Management. For demo purposes we duplicated the MySQL Server platform, as follows:

    1. Navigate to Administration > Platform Management.

    2. Expand the Database platform category, select the MySQL Server platform, open the "More Actions" menu and select Duplicate.

    3. On the resulting pop-up form enter a "New Platform Name" and "New Platform Description" and click Create. This creates the duplicate platform that we will use to create the account for the demo.

  2. Create the Safe: Navigate to Policies > Safe and click the Create Safe button. On the Create Safe form enter a name and click the Skip and Create Safe button. This creates a Safe in which the creator has full access. Membership and permissions can be added as required; for demo purposes the current Safe will suffice.

  3. Create the account: Navigate to the Accounts menu and click the Add Account button on the Accounts view page.

    1. Select System Type > Database and click Next.

    2. On Assign to Platform select the platform (in this case the platform duplicated above) and click Next.

    3. On Store in Safe select the Safe created in the previous step and click Next.

    4. On the Define Properties page enter the details and click Add.

    Please note: Username, Address, Password and Port on this form correspond respectively to the Master Username, Endpoint, Password and Port from the AWS database configuration.

Create Connector Pool and Deploy Connector

To add a Connector Pool and deploy a Connector we use the Connector Management tile.

  1. Add a Connector Pool: Navigate to Connector Pools and click the Add Pool button.

  2. On the Add Connector Pool page enter a Name and Description, then click the Save and Continue button.

  3. On the next page select Endpoint Type FQDN and enter the value. You can use the full endpoint of the database, or use * as a suffix to capture all the databases under the same AWS organization. Click Add.

  4. Verify your identifiers and click the Done button.

  5. The Connector Pool is created.

  6. Deploy the Connector in the AWS environment: Navigate to Connectors > SIA Connector, click the Add a Connector button and select On-Premises from the menu.

  7. Select the Connector Pool added in the step above and click Next.

  8. Select the Linux operating system and click Next.

  9. Copy the script by clicking the Copy to Clipboard button.

  10. The next step is performed on the AWS virtual machine where you want to deploy the connector. Log in to AWS, open the EC2 service and connect to the instance. Paste the copied script and press Enter.

  11. After completion you will see the Installation Complete message.

  12. Go back to the CyberArk Connector configuration page and click Close.

  13. The new Connector is added and its status is Successful.

Add TLS Certificate for Target Validation

Download the TLS certificate bundle for your region. Note that only the base-64 PEM format is supported. For details on how to download the certificate bundles for Amazon RDS see: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesDownload

Once you have the certificate bundle, log in to CyberArk and navigate to the Secure Infrastructure Access (SIA) tile.

  1. Navigate to TLS Certificates and click the Add a Certificate button. On the Add Certificate form, click Browse to select the downloaded certificate bundle, enter a Certificate Name and Certificate Description, then click Add.

  2. Verify that the certificate was added successfully.
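As an added example (not code from this post or from CyberArk), the following Python script checks a downloaded bundle before it is uploaded to SIA: it confirms the file is base-64 PEM rather than DER, counts the CERTIFICATE blocks, and verifies that each body decodes as base64. The sample inputs at the bottom are constructed placeholders, not real RDS certificates.

```python
"""Sanity-check an RDS CA certificate bundle before uploading it to SIA.

Added example; it is not code from the original post or from CyberArk.
SIA accepts only base-64 PEM bundles, so this rejects DER files and
reports how many CERTIFICATE blocks a bundle carries and whether each
body is valid base64. The sample bundles at the bottom are constructed:
their bodies are base64 of placeholder bytes, not real CA certificates.
"""
import base64
import binascii
import re
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"\r?\n(.+?)\r?\n" + re.escape(END), re.DOTALL)


def inspect_bundle(data: bytes) -> dict:
    """Return {'format': 'pem'|'der'|'unknown', 'certs': n, 'errors': [...]}."""
    # A DER-encoded X.509 certificate starts with the ASN.1 SEQUENCE tag 0x30;
    # PEM starts with the '-----BEGIN' armor, so the first byte tells them apart.
    if data[:1] == b"\x30":
        return {"format": "der", "certs": 0,
                "errors": ["DER encoding is not supported; export the bundle as base-64 PEM"]}
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return {"format": "unknown", "certs": 0, "errors": ["file is not ASCII text"]}
    bodies = PEM_BLOCK.findall(text)
    if not bodies:
        return {"format": "unknown", "certs": 0, "errors": ["no CERTIFICATE blocks found"]}
    errors = []
    if text.count(BEGIN) != text.count(END):
        errors.append("unbalanced BEGIN/END CERTIFICATE markers")
    for i, body in enumerate(bodies, 1):
        try:
            # validate=True rejects any character outside the base64 alphabet
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            errors.append(f"certificate {i}: body is not valid base64")
    return {"format": "pem", "certs": len(bodies), "errors": errors}


def _fake_cert(seed: bytes) -> str:
    """Build a PEM-shaped block whose body is base64 of placeholder bytes (constructed)."""
    body = base64.b64encode(seed * 24).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"{BEGIN}\n{lines}\n{END}\n"


# Constructed samples: a two-certificate PEM bundle, a DER-looking file and a corrupt body.
SAMPLE_PEM = (_fake_cert(b"placeholder-ca-1-") + _fake_cert(b"placeholder-ca-2-")).encode()
SAMPLE_DER = b"\x30\x82\x05\x00" + b"\x00" * 16
SAMPLE_CORRUPT = f"{BEGIN}\nnot*valid*base64!\n{END}\n".encode()

if __name__ == "__main__":
    # Usage: python check_bundle.py global-bundle.pem
    with open(sys.argv[1], "rb") as fh:
        result = inspect_bundle(fh.read())
    print(result)
    sys.exit(1 if result["format"] != "pem" or result["errors"] else 0)
```

Run it against the regional bundle you downloaded; a non-zero exit means the file is not in the format SIA expects and should be re-exported as PEM before the Add Certificate step.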

SIA Configurations for Database Vaulted Access

Before initiating a vaulted connection to the AWS database, check the SIA settings as described below.

  1. Navigate to Settings on the SIA tile and verify the General settings.

  2. Verify the Authentication settings.

  3. Verify the Target Validation settings.

  4. If you changed any settings, click the Apply button.

Connect to Database using Vaulted Access

For the database connection we can use a native CLI, an IDE, or any developer application; for this demo we use pgAdmin. The connection details come from two SIA tile functions: Connection Guidance for the hostname and username, and MFA Caching to generate the password.

  1. Get the hostname and username: On the SIA tile navigate to Connection Guidance. Select PostgreSQL as the database type. Enter the target user, which is the AWS database user for which we created the vaulted account in the previous steps, and enter the address, which is the FQDN of our target DB. Copy the resulting Hostname and Username strings.

  2. Navigate to MFA Caching > Generate Password and copy the password.

  3. Initiate the connection in pgAdmin: In pgAdmin open Register Server. On the General tab enter a Name.

  4. On the Parameters tab, change the SSL mode to Require and increase the Connection Timeout.

  5. On the Connection tab enter the Hostname, Username and Password copied above from SIA and click Save.

  6. If all information and settings are correct, the connection is established.

  7. Execute a few SQL queries in the session to generate data for the audit and session monitoring demo that follows.

  8. Disconnect the server and close the query tab.
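Whichever client you use, the two client-side settings above (an SSL mode of at least Require and a longer connection timeout) are easy to get wrong. The following Python pre-flight check is an added example, not code from this post or from CyberArk: it assembles a libpq connection string from the Connection Guidance hostname and username, keeps the MFA-cached password in the PGPASSWORD environment variable rather than in the string, and reports any setting below that baseline. SIA_HOST and SIA_USER are placeholders for the strings SIA generates.

```python
"""Pre-flight check for the PostgreSQL client settings used in the vaulted connection.

Added example; it is not code from the original post or from CyberArk.
It composes a libpq key=value connection string from the Hostname and
Username that SIA's Connection Guidance produces plus the MFA-cached
password, and checks the two settings the post calls for: an SSL mode of
at least 'require' and a raised connect timeout. SIA_HOST and SIA_USER
below are placeholders, not real Connection Guidance output.
"""
import os

# libpq sslmode values from weakest to strongest; anything below 'require'
# lets the client silently fall back to a plaintext session.
SSLMODE_ORDER = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]
MIN_SSLMODE = "require"
MIN_CONNECT_TIMEOUT = 30  # seconds; the brokered handshake is slower than a direct one

SIA_HOST = "sia-proxy.example.invalid"  # placeholder: paste the Connection Guidance hostname
SIA_USER = "aurora_user-placeholder"    # placeholder: paste the Connection Guidance username


def build_dsn(host, user, dbname, port=5432, sslmode=MIN_SSLMODE, connect_timeout=MIN_CONNECT_TIMEOUT):
    """Compose a libpq connection string. The password is deliberately omitted;
    libpq reads it from the PGPASSWORD environment variable, so the MFA-cached
    secret stays out of the command line and shell history."""
    return (f"host={host} port={port} dbname={dbname} user={user} "
            f"sslmode={sslmode} connect_timeout={connect_timeout}")


def parse_dsn(dsn):
    """Split a libpq key=value string into a dict (unquoted values only)."""
    params = {}
    for token in dsn.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed parameter: {token!r}")
        params[key] = value
    return params


def check_dsn(dsn):
    """Return a list of findings; an empty list means the DSN meets the baseline."""
    findings = []
    params = parse_dsn(dsn)
    mode = params.get("sslmode", "prefer")  # libpq default when sslmode is absent
    if mode not in SSLMODE_ORDER:
        findings.append(f"unknown sslmode {mode!r}")
    elif SSLMODE_ORDER.index(mode) < SSLMODE_ORDER.index(MIN_SSLMODE):
        findings.append(f"sslmode={mode} permits a plaintext fallback; use {MIN_SSLMODE} or stronger")
    # connect_timeout=0 (or absent) means wait indefinitely, so only a short
    # explicit value is a problem.
    timeout = int(params.get("connect_timeout", "0"))
    if 0 < timeout < MIN_CONNECT_TIMEOUT:
        findings.append(f"connect_timeout={timeout} is too short for a brokered session; use {MIN_CONNECT_TIMEOUT} or more")
    if "password" in params:
        findings.append("password embedded in the connection string; export PGPASSWORD instead")
    return findings


if __name__ == "__main__":
    dsn = build_dsn(SIA_HOST, SIA_USER, dbname="postgres")
    print(dsn)
    print("findings:", check_dsn(dsn) or "none")
    if "PGPASSWORD" not in os.environ:
        print('export PGPASSWORD with the password from MFA Caching, then run: psql "<dsn above>"')
```

With the real Connection Guidance values substituted, `psql` accepts the printed key=value string directly, and pgAdmin's Parameters tab exposes the same libpq keywords (sslmode, connect_timeout), so the check applies to either client.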

Audit and Session Monitoring

Audit users can go to the Audit tile and monitor the queries executed in the session above.

  1. On the Audit tile navigate to Session Monitoring. Filter and select the session. The commands executed by the user are displayed under the Commands tab.
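As an added example (not code from this post or from the Audit tile), the following Python script shows one way to triage the statements a session recorded once they have been reviewed or exported: it classifies each command and surfaces schema and privilege changes first, which is what an auditor would look at before the ordinary reads. SAMPLE_SESSION is constructed to resemble the rows a demo session produces; it is not real audit output.

```python
"""Triage the commands recorded for a session, as displayed under the Commands tab.

Added example; it is not code from the original post or from CyberArk's
Audit tile. Given the list of statements a session executed, it classifies
each one and flags the schema and privilege changes an auditor would want
to review first. SAMPLE_SESSION is constructed to look like the rows a
demo session would produce; it is not real audit output.
"""
import re
from collections import Counter

# Statement classes checked in order; the first matching pattern wins, so the
# role/grant patterns take precedence over the generic CREATE/ALTER/DROP class.
CLASSES = [
    ("privilege", re.compile(r"^\s*(GRANT|REVOKE|(CREATE|ALTER|DROP)\s+(ROLE|USER|GROUP))\b", re.I)),
    ("ddl", re.compile(r"^\s*(CREATE|ALTER|DROP|TRUNCATE)\b", re.I)),
    ("dml", re.compile(r"^\s*(INSERT|UPDATE|DELETE|COPY|MERGE)\b", re.I)),
    ("read", re.compile(r"^\s*(SELECT|SHOW|EXPLAIN|WITH|TABLE)\b", re.I)),
]
REVIEW_FIRST = {"privilege", "ddl"}


def classify(statement):
    """Map one SQL statement to a coarse class; unrecognised text is 'other'."""
    for name, pattern in CLASSES:
        if pattern.match(statement):
            return name
    return "other"


def triage(commands):
    """commands: iterable of (timestamp, sql). Returns per-class counts and the
    entries an auditor should look at first, in the order they were executed."""
    counts = Counter()
    flagged = []
    for ts, sql in commands:
        cls = classify(sql)
        counts[cls] += 1
        if cls in REVIEW_FIRST:
            flagged.append({"time": ts, "class": cls, "sql": sql.strip()})
    return {"counts": dict(counts), "flagged": flagged}


# Constructed sample session (timestamps and statements are made up for the demo).
SAMPLE_SESSION = [
    ("10:00:01", "SELECT version();"),
    ("10:00:15", "CREATE TABLE demo_orders (id serial PRIMARY KEY, amount numeric);"),
    ("10:00:30", "INSERT INTO demo_orders (amount) VALUES (10.5), (20.0);"),
    ("10:00:45", "select count(*) from demo_orders;"),
    ("10:01:02", "GRANT ALL ON demo_orders TO PUBLIC;"),
    ("10:01:20", "DROP TABLE demo_orders;"),
]

if __name__ == "__main__":
    report = triage(SAMPLE_SESSION)
    print("statements by class:", report["counts"])
    for entry in report["flagged"]:
        print(f"[{entry['class']}] {entry['time']} {entry['sql']}")
```

The class list is deliberately coarse; extend CLASSES with the statement shapes that matter in your environment, keeping the more specific patterns ahead of the generic ones so they match first.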

Conclusion

In this blog, we demonstrated how to provide secure access to AWS Aurora using the vaulted account approach with CyberArk SIA's modern session management.

In our next blog, we will explore how to further reduce risk by implementing a Zero Standing Privilege approach for AWS Aurora databases.