This section describes how to perform Detection and Masking in Amazon Redshift using AWS Secrets Manager. Before you start the detection and masking process, you must create a secret in Secrets Manager and obtain its ARN; the Redshift connection in PK Protect uses that ARN instead of a stored username and password.
Configure AWS Secrets Manager in the AWS console
AWS Secrets Manager helps you manage, retrieve, and rotate database credentials, application credentials, OAuth tokens, API keys, and other secrets.
The following steps create the secret and produce its ARN.
The first step is to log in to the AWS console.
The second step is to open Secrets Manager from the AWS service list.
The third step is to click the Store a new secret button at the top right corner of the screen.
The fourth step is to select a Secret Type from the given options. To store the secret in Key/Value form, choose Other type of secret.
The fifth step is to enter the Key/Value pair for username. Click + Add row to add the Key/Value pairs for password and connectionString. All three keys (username, password and connectionString) are mandatory; enter the key names exactly as shown.
In the sixth step, the Encryption key panel shows aws/secretsmanager selected by default. Keep it and click Next. If you choose a customer-managed KMS key instead, the IAM role that reads the secret also needs kms:Decrypt permission on that key.
The seventh step is to enter the Secret name and Description, leave the remaining fields (Tags, Resource permissions, Replicate secret) empty and click Next.
In the eighth step, the Configure rotation page appears. Leave rotation disabled and click Next.
In the last step, review the details you entered and click Store.
Once stored, the secret appears in the Secrets Manager list. Click the secret name to open its details.
Copy the ARN using the copy icon next to Secret ARN. The ARN has the form arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>-<suffix>, where Secrets Manager appends a random six-character suffix to the name you chose; copy the whole string, including the suffix.
Create a Detection connection in Redshift
A detection connection lets you run discovery against Redshift using credentials stored in AWS Secrets Manager. It establishes the connection between the controller and the data source.
The prerequisites for creating a detection or masking connection in Redshift are:
DgDiscover IDP and DgMasker IDP must be installed; they enable the Detection and Masking features in the product. To learn how to install the DgDiscover IDP in Linux and Windows environments, refer to Install DgDiscover IDP in Linux and Install DgDiscover IDP in Windows. To learn how to install the DgMasker IDP in Linux and Windows environments, refer to Install Masker IDP in Linux and Install Masker IDP in Windows.
The secret must already exist in AWS Secrets Manager and its ARN must be at hand. To learn how to create the secret and obtain its ARN, refer to Configuration of AWS Secret Manager.
Both the primary and the secondary IDP must be installed on an EC2 instance that has an IAM role attached (through an instance profile); the IDPs obtain their AWS credentials from that role, so no access keys need to be stored on the instance.
The IAM role must have the following permissions:
Permission to read the secret from Secrets Manager (secretsmanager:GetSecretValue on the secret's ARN). The secret must be in the same AWS account as the EC2 instance.
Permission to access the Redshift cluster. The cluster can be in the same account as the EC2 instance or in a different account.
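As an added illustration (not taken from the PK Protect documentation), the following is a minimal IAM permissions policy for the instance role, scoped to the one secret the connection reads. The region, account ID and secret name are placeholders; the Resource must be the full ARN copied from the Secrets Manager console, including its random suffix. The page does not say which Redshift API actions the product calls, so no Redshift statement is shown here; add one that matches how your connection reaches the cluster.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadRedshiftConnectionSecret",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:pkprotect/redshift-connection-AbCdEf"
    }
  ]
}
```

Attach the policy to the role referenced by the EC2 instance profile; the role's trust policy must allow ec2.amazonaws.com to assume it. Resource names the full ARN rather than a wildcard so that the instance can read only this secret. With the default aws/secretsmanager encryption key no separate kms:Decrypt statement is needed; with a customer-managed key, add one for that key.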
Create Detection connection in Redshift
The following section outlines the steps for creating a detection connection to Redshift on AWS.
Log in to the PK Protect application.
Go to RDBMS > Connection Manager > Connection and click the Add New Connection button at the top of the screen.
Select the Location, Service and Connection Details from the lists provided, then fill in the details for the data source for which you are creating the connection. To learn more about each field, refer to Detection - Redshift.
Select Redshift from the side panel. To authenticate the connection through AWS Secrets Manager, select the AWS Secrets Manager checkbox. When it is selected, the Authentication Option field shows Azure AD User with IAM Role. Enter the secret's ARN copied from the Secrets Manager console. No AWS access keys are entered here; the IDP authenticates to Secrets Manager with the IAM role attached to its EC2 instance.
Once the AWS Secrets Manager checkbox is selected, the Username, Port Number, Password and Use Connection String fields are disabled for both masking and detection connections, because those values are taken from the username, password and connectionString keys of the secret.
Click Save to store the connection details, or Cancel to discard them. Click Test to validate the connection. If the test fails with the secret configured, check the IAM role and the secret contents (see the note below).
To create a masking connection for AWS Redshift, follow the same steps as for detection.
*Note: If the IDP cannot access AWS Secrets Manager from the EC2 instance, the following checks can be done:
Run the same call from the command line on the EC2 instance: aws secretsmanager get-secret-value --secret-id <secret_name> (the secret's ARN is also accepted as --secret-id). If this command does not return the secret, the problem lies in the instance's credentials or the role's permissions rather than in the product: an AccessDeniedException means the role lacks secretsmanager:GetSecretValue on that secret, and an "Unable to locate credentials" error means no role is attached to the instance or the instance metadata service cannot be reached. If the command succeeds, confirm that the returned SecretString is JSON containing the username, password and connectionString keys.
You can also isolate the problem by supplying static AWS credentials on the EC2 instance in one of the following ways:
Store the AWS credentials, i.e. the aws_access_key_id and aws_secret_access_key values, in the IDP configuration file. The configuration file paths for the Discover and Masker IDPs are:
Discover IDP: <DgSecure_root_dir>\Agents\DgDiscoverAgent\expandedArchive\WEB-INF\classes\config\AWSCredentials.config
Masker IDP: <DgSecure_root_dir>\Agents\DgAgent\expandedArchive\WEB-INF\classes\config\AWSCredentials.config
Configure the AWS CLI on the EC2 instance (aws configure), which creates the default profile holding the aws_access_key_id and aws_secret_access_key values; the IDP picks up that profile.
Either configuration replaces the IAM role: once one of them is in place, no role needs to be attached to the EC2 instance. Keep in mind that these are long-lived access keys stored in plain text on disk, which a role avoids, so create them for an IAM user that has only the permissions listed above, restrict the file permissions, and remove the keys once the role-based setup works.
If storing AWS credentials locally is acceptable in your environment, the IDP can also be installed on a local machine instead of an EC2 instance and the configurations above applied there for verification.
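The following Python helper is added here as an illustration and is not part of PK Protect or its IDPs. It ties together the Key/Value secret from the Secrets Manager steps above, the ARN copied from the console, and the get-secret-value check in this note: it builds the payload the connection expects, validates a secret ARN, parses a get-secret-value response and reports which mandatory key is missing, and (when boto3 is installed on the instance) performs the same fetch as the CLI command with whatever credentials the instance resolves, reporting whether they came from the instance role or from a static profile. The key names follow the page; the sample ARN, account ID, host name and values are constructed, and the boto3 calls are an assumption about the environment, not product code.

```python
# Added example (not PK Protect code): helpers for the Key/Value secret that the
# Redshift detection/masking connection reads from AWS Secrets Manager, plus the
# diagnostic fetch from the troubleshooting note. Sample values are constructed.
import json
import re

# Key/Value entries the documentation marks as mandatory.
REQUIRED_KEYS = ("username", "password", "connectionString")

# Secrets Manager ARN layout:
#   arn:<partition>:secretsmanager:<region>:<account>:secret:<name>-<6-char suffix>
_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):secretsmanager:"
    r"(?P<region>[a-z0-9-]+):(?P<account>\d{12}):secret:"
    r"(?P<name>.+)-(?P<suffix>[A-Za-z0-9]{6})$"
)


def check_secret_string(secret_string: str) -> list:
    """Return the problems the connection would hit with this SecretString (empty list if fine)."""
    try:
        payload = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"SecretString is not JSON: {exc.msg}"]
    if not isinstance(payload, dict):
        return ["SecretString is not a Key/Value object"]
    return [f"mandatory key '{k}' missing or empty" for k in REQUIRED_KEYS if not payload.get(k)]


def build_secret_string(username: str, password: str, connection_string: str) -> str:
    """JSON for the 'Other type of secret' Key/Value form; refuses empty mandatory values."""
    secret_string = json.dumps(
        {"username": username, "password": password, "connectionString": connection_string}
    )
    problems = check_secret_string(secret_string)
    if problems:
        raise ValueError("; ".join(problems))
    return secret_string


def parse_secret_arn(arn: str) -> dict:
    """Split a Secrets Manager ARN into partition, region, account, name and suffix."""
    match = _ARN_RE.match(arn.strip())
    if not match:
        raise ValueError(f"not a Secrets Manager secret ARN: {arn!r}")
    return match.groupdict()


def parse_secret_response(response: dict) -> dict:
    """Extract username/password/connectionString from a get-secret-value response."""
    if "SecretString" not in response:
        raise ValueError("secret is stored as SecretBinary; the connection expects a Key/Value secret")
    problems = check_secret_string(response["SecretString"])
    if problems:
        raise ValueError("; ".join(problems))
    payload = json.loads(response["SecretString"])
    return {k: payload[k] for k in REQUIRED_KEYS}


def credential_source() -> str:
    """Report where boto3 resolved credentials from, e.g. 'iam-role' for an instance role."""
    import boto3  # assumption: boto3 is installed on the EC2 instance

    creds = boto3.session.Session().get_credentials()
    return "none" if creds is None else creds.method


def fetch_redshift_connection(secret_id: str, region_name: str = None) -> dict:
    """Same call as `aws secretsmanager get-secret-value --secret-id <secret_name>`, parsed."""
    import boto3  # assumption: boto3 is installed on the EC2 instance

    client = boto3.client("secretsmanager", region_name=region_name)
    return parse_secret_response(client.get_secret_value(SecretId=secret_id))


# Constructed sample of a get-secret-value response (not real data).
SAMPLE_RESPONSE = {
    "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:pkprotect/redshift-connection-AbCdEf",
    "Name": "pkprotect/redshift-connection",
    "SecretString": build_secret_string(
        "dgadmin",
        "not-a-real-password",
        "jdbc:redshift://redshift-cluster.example.us-east-1.redshift.amazonaws.com:5439/dev",
    ),
}

if __name__ == "__main__":
    print(parse_secret_arn(SAMPLE_RESPONSE["ARN"]))
    print(parse_secret_response(SAMPLE_RESPONSE)["username"])
    print(check_secret_string('{"username": "dgadmin"}'))
```

On the EC2 instance, calling credential_source() before fetch_redshift_connection() tells you whether the fetch is running under the instance role or under static keys from the configuration file or CLI profile, which is the distinction the note above turns on; check_secret_string() catches the case where the fetch succeeds but the secret was stored with a misspelled or empty key.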
Perform Detection in Redshift
The detection process runs discovery against Redshift and identifies the sensitive information stored there.
The following section outlines the steps to discover sensitive information stored in Redshift.
The first step is to create a policy in PK Protect. A policy defines the set of Sensitive Data Types that detection looks for; you can also define your own policies. To learn how to create a policy, refer to Hadoop & Files Policy.
The next step is to create a task. The Task screen lets you select the objects in which sensitive information may be stored. To learn more about each field, refer to Create Task in AWS.
View Detection Results
Once the task has executed successfully, results are generated that show which information in the selected objects was found to be sensitive. The details are displayed in the Results screen. To learn more about each tab on the Results screen, refer to AWS Results.