Monitor Amazon Aurora Database Activities Using DataSunrise Database Security

Radik Chumaren, Engineering Leader at DataSunrise

DataSunrise is a database security software company that offers a breadth of security solutions, including activity monitoring, data masking (dynamic and static masking), a database firewall, and sensitive data discovery for diversified databases. Our goal is to protect databases against external and internal threats and vulnerabilities. We often see customers choosing DataSunrise Database Security because it gives them unified control and a single user experience when protecting different kinds of database engines that run on AWS, including Amazon Aurora, Amazon Redshift, Amazon RDS for MySQL, Amazon RDS for PostgreSQL, Amazon RDS for MariaDB, Amazon RDS for Oracle Database, and Amazon RDS for Microsoft SQL Server.

DataSunrise offers both passive security, such as auditing, in addition to active data and database security. Active security is based on predefined security policies, such as preventing unauthorized access to sensitive data, blocking suspicious SQL queries, preventing SQL-injection attacks, or dynamically masking and obfuscating data in real time. DataSunrise comes with high availability, failover, and automatic scaling.

In this post, we focus on passive security, also known as auditing. We go over what DataSunrise monitors in Aurora, how it works, and how to get started. In future posts, we will cover other aspects of security, including active security, data masking, and discovery of sensitive information.

What does DataSunrise auditing monitor?
DataSunrise enables auditing of SQL queries, data flow, bindings, etc. Collected information includes the details of SQL queries plus the results of their execution. The ability to audit the results of SELECT queries is an enhancement not offered by other database activity monitoring (DAM) products. In addition, DataSunrise captures the data on user sessions, such as IP addresses, hostnames, when and which queries have been executed, what applications have been used, any database errors, and unsuccessful connection attempts. The information also includes the changes that are applied by privileged users and administrators.

The collected audit data is stored in a separate database called audit storage. DataSunrise provides different options to store audit results. It can be in an internal built-in database or an external database, such as Amazon Aurora, MySQL, Amazon Redshift, or PostgreSQL databases. The audit data can also be sent to a third-party SIEM (security information and event management) system.

How does it work?
DataSunrise operates as a proxy between users (or applications) that connect to the database and the database server. DataSunrise intercepts the traffic for deep analysis and filtering. Then it applies data auditing policies to audit and monitor activities and queries. When the database firewall is enabled and a security policy violation is detected, DataSunrise blocks the malicious SQL query and notifies administrators via SMTP or SNMP. Real-time alerts enable you to maintain continuous database security and streamline compliance.Figure 1. DataSunrise operates as a proxy

Getting started with DataSunrise
DataSunrise can be deployed on a Windows or Linux instance in Amazon EC2. You can download a fully prepared DataSunrise Amazon Machine Image (AMI) from AWS Marketplace to protect databases in Amazon RDS and EC2 instances. DataSunrise Database and Data Security is available for both Windows and Linux platforms on AWS Marketplace.

After deploying DataSunrise, you can configure security policies for databases to be secured and create Data Audit security rules. After you configure and activate the security policies, DataSunrise audits and monitors the users and applications that connect to the database through the DataSunrise proxy.

Creating a Data Audit Rule in DataSunrise
Audit rules are created using an object-based filter. DataSunrise distinguishes between database objects and performs the audit of particular operations, schemas, and tables of a target database. This way, database administrators can gather all the audit information with the needed level of accuracy.

To perform an audit in DataSunrise, it is necessary to create Data Audit Rules as part of defining security policies.

Follow these steps to create DataSunrise Audit Rules:

1. In DataSunrise, go to the Data Audit
2. Choose Rules in the left pane.A list of existing Audit Rules is displayed.
3. Choose Rule+ to create a new rule, and enter the required information:Figure 2. Creating a new Audit Rule
   In the Audit Rule section, you can specify which SQL statements DataSunrise should process, set up a schedule if required, and set up notifications for preferred subscribers.

Monitoring Data Audit results in DataSunrise
At any point in time, the authorized DataSunrise user can review audit results in Events.Figure 3. View Data Audit events

DataSunrise enables filtering of the information collected for audit, including on a database level, schema level, or column level. Filtering can be implemented according to application name, user name, hostname, and other attributes. DataSunrise allows administrators to view all the operations of a given session and generates detailed reports for administration and compliance purposes.

In Event Details, you can find information about all the queries by opening any of the listed events. You can also find out who sent a particular query and when they sent it, and view query results. You can audit the entire query results in full or just a subset. It might be beneficial to query audit results for compliance reasons.

Figure 4 shows how event details are presented in DataSunrise:Figure 4. Event details

In Session Details, you can view the information about a particular client session, such as the client host, hostname, or other session attributes.

Figure 5 shows how session details are presented in DataSunrise:Figure 5. Session details

DataSunrise uses syslog for message logging. When configured, the audit logs can be sent to an external system, such as SIEM. When integrated with SIEM, DataSunrise significantly enhances the security analytics capabilities and enables administrators to deeply analyze user behavior.

Working with Amazon Aurora features
In addition to supporting the security techniques, DataSunrise supports the SSL/TLS (Secure Sockets Layer/ Transport Layer Security) cryptographic protocols that are used in Amazon Aurora. SSL/TLS is employed to generate the session keys, encrypt the transmitted data, and check the transmitted data for integrity and for certificate-based authentication. Being placed between clients and the database, DataSunrise replaces the intermediate keys transmitted during the SSL handshake with its own keys in order to decrypt and analyze the SSL traffic.

Aurora and MySQL support network traffic compression. This capability helps balance network load when big volumes of data are being transmitted—for example, when importing and exporting tables, schemas, or the entire database. DataSunrise supports this capability.

Enterprise applications do not create a new connection to the database every time they need one. Instead, they keep a number of connections active all the time and use one of them when access to the database is requested. This technique is called connection pooling, and it is supported by Amazon Aurora and MySQL. DataSunrise supports those cases and transfers connected users to already active connections in order to make sense of the often tricky logic of enterprise applications.

Summary
DataSunrise (www.datasunrise.com) is available as a pre-configured virtual appliance on AWS Marketplace. You can use DataSunrise as a standalone DAM solution. Or, you can implement it as a broad database security solution, with DAM, data masking, data discovery, and database firewall included and running all together. DataSunrise supports various cloud databases, including Amazon Aurora, Amazon Redshift, and all other Amazon RDS databases such as MySQL, PostgreSQL, MariaDB, Oracle Database, and Microsoft SQL Server.

In our next post, we will cover other modules in DataSunrise, including DataSunrise Security (a database firewall), Data Masking, and Sensitive Data Discovery.