
    Onboarding AWS Infrastructure Manually

    These manual instructions for configuring the Dasera application for Amazon Web Services (AWS) remain valid, but they have since been superseded by our automation-based onboarding, as described in the following articles:

    Overview

    Dasera supports onboarding, connecting to, and scanning your AWS organizations and accounts. These capabilities require programmatic access to connect to and scan the Data Stores, which means configuring specific AWS users or IAM roles for Dasera.

    Configure AWS Access

    Begin by configuring an AWS User or IAM Role dedicated to Dasera's use. Which one you configure depends on whether your application is Dasera-hosted or self-hosted.

    Option A: Create AWS IAM Role

    This option is recommended for Dasera-hosted tenants.

    1. Log into the AWS IAM Console
    2. Create a new IAM Role
    3. Using the on-screen wizard, configure the following values:
      1. Name: DaseraRole
      2. Permissions
        1. AmazonEC2ReadOnlyAccess: for getting regions and instance IDs
        2. AmazonEC2FullAccess: required for scanning EBS volumes
        3. AmazonElasticFileSystemFullAccess: required for scanning EFS volumes
        4. AmazonRDSReadOnlyAccess: for discovering RDS clusters
          1. Optionally, include AmazonRDSFullAccess instead of permission B above if you plan to connect with RDS and Aurora data stores via Snapshots.
        5. AmazonRedshiftReadOnlyAccess: required for discovering RedShift clusters, otherwise optional
        6. AmazonAthenaFullAccess: required for discovering Athena clusters and running scans, otherwise optional
        7. AmazonS3ReadOnlyAccess: also required for scanning Athena, otherwise optional
        8. AmazonDynamoDBReadOnlyAccess: required for scanning DynamoDB data stores. Also contains necessary permission for AWS tag ingestion.
        9. IAMReadOnlyAccess: required for Privilege Analysis on S3, otherwise optional
    4. Save your new IAM Role
    5. Make a note of the Role ARN value, then proceed to the next step

    Option B: Configure AWS User

    This option is recommended for self-hosted instances (e.g. installed via AMI installation).

    1. Log into the AWS IAM Console
    2. Click on "Users" in the left navigation under Access Management
    3. Click on the blue "Add users" button on the top right of the screen
    4. Enter a User name of your choice (e.g. Dasera_IAM)
    5. Check the "Programmatic access" check box in the Access type section.
    6. Click on the blue “Next: Permissions” button on the bottom of the page.
    7. Set permissions for this user by attaching policies that give Dasera access to the following resources:
      1. AmazonEC2ReadOnlyAccess: for getting regions and instance IDs
      2. AmazonEC2FullAccess: required for scanning EBS volumes
      3. AmazonElasticFileSystemFullAccess: required for scanning EFS volumes
      4. AmazonRDSReadOnlyAccess: for discovering RDS clusters
        1. Optionally, include AmazonRDSFullAccess instead of permission B above if you plan to connect with RDS and Aurora data stores via Snapshots.
      5. AmazonRedshiftReadOnlyAccess: required for discovering RedShift clusters, otherwise optional
      6. AmazonAthenaFullAccess: required for discovering Athena clusters and running scans, otherwise optional
      7. AmazonS3ReadOnlyAccess: also required for scanning Athena, otherwise optional
      8. AmazonDynamoDBReadOnlyAccess: required for scanning DynamoDB data stores. Also contains necessary permission for AWS tag ingestion.
      9. IAMReadOnlyAccess: required for Privilege Analysis on S3, otherwise optional
    8. Click the blue “Next: Tags” button on the bottom of the page.
    9. Optionally add any tags you would like to describe this Dasera user.
      1. The permission tag:GetResources is required for AWS tag ingestion.
    10. Click the blue “Next: Review” button on the bottom of the page.
    11. Review the details and then click the blue “Create user” button on the bottom of the page.
    12. Copy the Access Key ID and Secret Key, then proceed to Step 2 below.

    Configure Trust Relationship

    This step is required only if you are using an assume-role approach for authorizing connections between Dasera and your AWS infrastructure.

    Follow these steps to configure a trust relationship between the "DaseraRole" IAM Role and a new IAM Role called "DaseraLaunchRole". Otherwise, you can skip ahead to the next step.

    1. Log into the AWS IAM Console
    2. Create a new IAM Role
    3. Using the on-screen wizard, configure the following values:
      1. Name: DaseraLaunchRole
    4. Save your new IAM Role
    5. Within the role header, make note of its Role ARN value
    6. Select the "DaseraRole", then navigate to the Trusted Relationships tab
    7. Edit the Trusted Entities JSON to add an additional line under Principal that references the "DaseraLaunchRole" Role ARN value. See below for an example (be sure to edit the account number portion if you cut and paste)
    8. Save your changes
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "ec2.amazonaws.com",
                    "AWS": "arn:aws:iam::123456789012:role/DaseraLaunchRole"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    9. Within EC2, select your Dasera instance, then navigate to Actions > Security > Modify IAM Role
    10. In the IAM Role field, select "DaseraLaunchRole"
    11. Click the Save button

    Create a Dasera Infrastructure Connection

    At this point, your configuration of AWS is complete, and Dasera can now be connected to your infrastructure.

    1. Log into your Dasera instance
    2. Navigate to Administration > Infrastructure Connections
    3. On the next screen, click the AWS tab
    4. Complete the Account Name field

    Configure an AWS IAM Role

    • Select the Using IAM Role radio button.
    • In the Role ARN field, enter the corresponding value from the Create AWS IAM Role step above.

    If your tenant is Dasera-hosted, complete these additional steps:

    • Make note of the Dasera-generated External ID value
    • Log into the AWS IAM Console.
    • Select the "DaseraRole", then navigate to the Trusted Relationships tab.
    • Edit the Trusted Entities JSON to add a Condition that references the Dasera-generated External ID value, as in the example below (be sure to edit the account number portion if you cut and paste).
    • Save your changes and continue the next steps within your Dasera instance.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "ec2.amazonaws.com",
                    "AWS": "arn:aws:iam::123456789012:role/DaseraLaunchRole"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "abcd1234-6578-efgh-9012-ijklmnopqrst"
                    }
                }
            }
        ]
    }
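Both trust policies above (the DaseraLaunchRole principal and the Dasera-hosted External ID condition) are easy to get subtly wrong in the console editor. The following added example, which is not Dasera's code, runs a few offline checks on a trust-policy document before you save it: valid JSON, a recognised Principal key (role ARNs belong under "AWS"), well-formed IAM ARNs, and, for Dasera-hosted tenants, the presence of the sts:ExternalId condition. The account number and External ID in the constructed sample are placeholders.

```python
import json
import re

# Added example (not Dasera's code): offline sanity checks for the DaseraRole
# trust policy before it is saved in the IAM console. The account number and
# External ID in the constructed sample are placeholders, not real values.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|user|root)/?[\w+=,.@/-]*$")
VALID_PRINCIPAL_KEYS = {"AWS", "Service", "Federated", "CanonicalUser"}
LAUNCH_ROLE_ARN = "arn:aws:iam::123456789012:role/DaseraLaunchRole"  # constructed
EXTERNAL_ID_CONDITION = {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}}


def sample_policy(principal, condition=None):
    """Build a constructed trust-policy document in the shape the article uses."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]}, indent=4)


def check_trust_policy(policy_text, require_external_id):
    """Return a list of findings; an empty list means the policy passed all checks."""
    findings = []
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # a bare "*" would trust every AWS account
            findings.append(f"statement {i}: Principal must name specific entities")
            continue
        for key, value in principal.items():
            if key not in VALID_PRINCIPAL_KEYS:
                findings.append(f"statement {i}: unknown Principal key '{key}' (role ARNs go under 'AWS')")
            elif key == "AWS":
                for arn in (value if isinstance(value, list) else [value]):
                    if not ROLE_ARN_RE.match(str(arn)):
                        findings.append(f"statement {i}: malformed IAM ARN '{arn}'")
        # Dasera-hosted tenants: a cross-account principal must also present the External ID
        if require_external_id and "AWS" in principal:
            ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if not ext_id:
                findings.append(f"statement {i}: missing sts:ExternalId condition")
    return findings
```

Paste the JSON from the Trusted Relationships editor into check_trust_policy with require_external_id=True for a Dasera-hosted tenant and False for a self-hosted one; the console will reject invalid JSON, but it will happily save a policy that lacks the External ID condition.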

    If you plan to connect to RDS or Aurora data stores via Snapshots, also attach the following policy statements. Note that the statements that modify VPC attributes, internet gateways and security group ingress are limited to resources tagged Vendor=dasera.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:AttachInternetGateway",
                    "ec2:ModifyVpcAttribute",
                    "ec2:AuthorizeSecurityGroupIngress"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ec2:ResourceTag/Vendor": "dasera"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateRoute",
                    "ec2:CreateVpc",
                    "ec2:CreateInternetGateway",
                    "ec2:CreateSecurityGroup",
                    "ec2:CreateSubnet"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateTags"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ec2:CreateAction": [
                            "CreateVpc",
                            "CreateInternetGateway",
                            "CreateSecurityGroup",
                            "CreateSubnet"
                        ]
                    }
                }
            }
        ]
    }

    5. Confirm the Auto-Discovery setting:
      1. If Auto-Discovery is enabled (example below), Dasera will start discovering and cataloging your AWS Data Stores under the Data Stores > Data Stores Inventory screen.
      2. Otherwise, you can later connect to individual Data Stores
    6. Click the ACKNOWLEDGE button. Dasera will verify the connection and kick off the initial auto-discovery scan (if enabled).
