01 Before you can configure a database activity stream, you must create a customer-managed KMS Customer Master Key (CMK). This CMK encrypts the data key that in turn encrypts the logged database activity. Create a new policy document (JSON format), name the file activity-stream-cmk-policy.json, and paste the following content (replace the account ID and the ARNs of the IAM users and/or roles with your own cloud environment details):
{
    "Id": "aurora-activity-stream-cmk-policy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/AmazonRDSManager"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/AmazonRDSAdmin"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/AmazonRDSAdmin"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
02 Run the create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. activity-stream-cmk-policy.json) as the value for the --policy command parameter, to create your new customer-managed Customer Master Key (CMK):
aws kms create-key \
    --region us-east-1 \
    --description 'Amazon KMS CMK for Aurora Activity Stream' \
    --policy file://activity-stream-cmk-policy.json \
    --query 'KeyMetadata.Arn'
03 The command output should return the ARN of the new Customer Master Key (CMK):
"arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
04 Run the create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):
aws kms create-alias \
    --region us-east-1 \
    --alias-name alias/ActivityStreamCMK \
    --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd
05 Run the describe-db-clusters command (OSX/Linux/UNIX) with custom query filters to describe the Amazon Resource Name (ARN) of the Aurora database cluster that you want to reconfigure:
aws rds describe-db-clusters \
    --region us-east-1 \
    --db-cluster-identifier cc-aurora-postgres-cluster \
    --query 'DBClusters[*].DBClusterArn'
06 The command output should return the requested Amazon Resource Name (ARN):
[
    "arn:aws:rds:us-east-1:123456789012:cluster:cc-aurora-postgres-cluster"
]
07 Run the start-activity-stream command (OSX/Linux/UNIX) to start a database activity stream that monitors the activity on the selected Amazon Aurora database cluster. The following command request example uses the --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes waiting in the pending modifications queue are also applied with this request; if any of those pending modifications require downtime, choosing this option can cause unexpected downtime for your Aurora database application. If you omit the --apply-immediately parameter from the command request, Amazon Aurora will apply your changes during the next maintenance window:
aws rds start-activity-stream \
    --region us-east-1 \
    --resource-arn arn:aws:rds:us-east-1:123456789012:cluster:cc-aurora-postgres-cluster \
    --mode async \
    --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd \
    --apply-immediately
08 The command output should return the configuration metadata available for the enabled database activity stream. The feature will now stream all database activity to a Kinesis Data Stream for monitoring and security. From Amazon Kinesis, you can monitor your Aurora database activity in real time. The activity stream's name in Kinesis consists of the prefix aws-rds-das- followed by the database cluster's resource ID:
{
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd",
    "KinesisStreamName": "aws-rds-das-cluster-ABCDABCDABCDABCDABCDABCD",
    "Status": "starting",
    "Mode": "async",
    "ApplyImmediately": true
}
09 Repeat steps no. 5 – 8 to configure database activity streams for other Aurora database clusters available in the selected AWS region.
10 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
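To check which clusters in a region still need steps 05 to 08, and to render the step 07 command for each of them, the following Python helper (added here as an illustration; it is not part of the original remediation guide) parses the JSON that aws rds describe-db-clusters returns. The ActivityStreamStatus, ActivityStreamMode and ActivityStreamKmsKeyId fields are the ones the DescribeDBClusters API returns; the sample output, account ID, key ID and cluster names are constructed placeholders.

```python
import json

# Constructed sample of `aws rds describe-db-clusters --region us-east-1` output.
# Account ID, key IDs and cluster names are placeholders, not real resources.
EXPECTED_KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
SAMPLE_DESCRIBE_DB_CLUSTERS = json.dumps({"DBClusters": [
    {"DBClusterIdentifier": "cc-aurora-postgres-cluster",
     "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-aurora-postgres-cluster",
     "ActivityStreamStatus": "stopped"},
    {"DBClusterIdentifier": "orders-aurora",
     "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:orders-aurora",
     "ActivityStreamStatus": "started", "ActivityStreamMode": "async",
     "ActivityStreamKmsKeyId": EXPECTED_KMS_KEY_ARN,
     "ActivityStreamKinesisStreamName": "aws-rds-das-cluster-ABCDABCDABCDABCDABCDABCD"},
    {"DBClusterIdentifier": "legacy-aurora",
     "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:legacy-aurora",
     "ActivityStreamStatus": "started", "ActivityStreamMode": "sync",
     "ActivityStreamKmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"},
]})


def audit_activity_streams(describe_output, expected_kms_key_arn):
    """'missing' lists clusters that need steps 05-08; 'findings' lists clusters whose
    stream is running but is not encrypted with the expected customer-managed CMK."""
    missing, findings = [], {}
    for cluster in json.loads(describe_output)["DBClusters"]:
        cid = cluster["DBClusterIdentifier"]
        # "starting" means a step 07 request is still being applied, so count it as enabled.
        if cluster.get("ActivityStreamStatus", "stopped") not in ("started", "starting"):
            missing.append(cid)
        elif cluster.get("ActivityStreamKmsKeyId") != expected_kms_key_arn:
            findings[cid] = "activity stream uses a KMS key other than the expected CMK"
    return {"missing": missing, "findings": findings}


def remediation_commands(describe_output, region, kms_key_arn, mode="async", apply_immediately=False):
    """Render the step 07 command for every cluster without a stream. --apply-immediately is
    off by default so that pending modifications are left for the maintenance window."""
    missing = set(audit_activity_streams(describe_output, kms_key_arn)["missing"])
    commands = []
    for cluster in json.loads(describe_output)["DBClusters"]:
        if cluster["DBClusterIdentifier"] not in missing:
            continue
        cmd = (f"aws rds start-activity-stream --region {region} "
               f"--resource-arn {cluster['DBClusterArn']} --mode {mode} --kms-key-id {kms_key_arn}")
        commands.append(cmd + " --apply-immediately" if apply_immediately else cmd)
    return commands


if __name__ == "__main__":
    print(json.dumps(audit_activity_streams(SAMPLE_DESCRIBE_DB_CLUSTERS, EXPECTED_KMS_KEY_ARN), indent=2))
    print("\n".join(remediation_commands(SAMPLE_DESCRIBE_DB_CLUSTERS, "us-east-1", EXPECTED_KMS_KEY_ARN)))
```

Pipe real describe-db-clusters output (without the --query filter from step 05) into audit_activity_streams for each region from step 10 to get the same per-region picture.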