Documentation for SQL Sentry

AWS Security

Additional Information: See the Security Guidance topic from AWS for current best practices in securing your AWS resources.

Security Overview

For information on security of the SQL Sentry platform solution, please see the SQL Sentry Security section.

Security Questions

Are there any requirements for using root credentials for access?

  • No, this is not necessary for the SQL Sentry solution on AWS.
  • See the AWS documentation topic on The AWS Account Root User for more information.

How are all IAM policies, S3 bucket policies, and other security policies (e.g. SQS, SNS, etc.) vetted to ensure that there is no unintended exposure of sensitive data to the public?

  • We do not create any of these policies as part of our deployment.

Are there any resources that are intentionally publicly available?

  • The EC2 image is created with RDP ports open so that you may access the image.

How do I create IAM Roles and Policies that are scoped down for minimal access?

How do I authenticate with AWS using IAM user credentials or roles?

  • The VM created as part of the SQL Sentry offering can be secured using IAM like any other EC2 machine.
  • See the What is IAM? topic from AWS documentation for more information.

Are there any keys, secrets, or rotation policies used in this deployment?

How do I manage VPNs when using AWS?

How do I set my connection to trust server certificates?

How do I encrypt the network traffic between the SQL Sentry components?

How do I create EC2 security groups and VPC access control lists?

  • We do not create any of these groups or lists as part of our deployment.
  • See the Security Groups for Your VPC and Network Access Control Lists topics in AWS documentation for more information.
  • Any Amazon RDS for SQL Server instance that will be monitored must be associated with a security group that allows inbound access from the EC2 instance running SQL Sentry. The rule can be scoped to the EC2 instance's IP address directly, or to the entire VPC that contains the EC2 instance running SQL Sentry. For more information, see the Amazon AWS documentation regarding Security Group Considerations.
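As an added example (not SQL Sentry's or AWS's own code), the Python below builds the boto3-style ingress rule for the RDS security group described above, scoped to either the EC2 instance's security group or a specific CIDR, and audits a security-group entry for ports left open to the whole internet (such as the RDP port the EC2 image ships with). It assumes the default SQL Server port 1433 and RDP port 3389; the sample security-group entry is constructed.

```python
import ipaddress

# Assumptions (not stated on the page): SQL Server listens on its default
# TCP port 1433 and RDP on the EC2 image uses TCP 3389.
SQLSERVER_PORT = 1433
RDP_PORT = 3389


def sqlserver_ingress_rule(source: str) -> dict:
    """Build one IpPermissions entry for ec2.authorize_security_group_ingress
    that lets the SQL Sentry EC2 instance reach the RDS SQL Server instance.

    `source` is either the security-group id attached to the EC2 instance
    (preferred: it survives IP changes) or a CIDR such as the instance's /32
    or the VPC range. An unrestricted CIDR (/0) is refused.
    """
    rule = {"IpProtocol": "tcp", "FromPort": SQLSERVER_PORT, "ToPort": SQLSERVER_PORT}
    if source.startswith("sg-"):
        rule["UserIdGroupPairs"] = [{"GroupId": source}]
        return rule
    net = ipaddress.ip_network(source, strict=False)
    if net.prefixlen == 0:
        raise ValueError("refusing to open SQL Server to the whole internet")
    rule["IpRanges"] = [{"CidrIp": str(net)}]
    return rule


def world_open_ports(security_group: dict, ports=(SQLSERVER_PORT, RDP_PORT)) -> set:
    """Return the ports in `ports` that a describe_security_groups entry exposes
    to 0.0.0.0/0 or ::/0. Rules with IpProtocol "-1" carry no port range and
    are treated as covering every port."""
    found = set()
    for perm in security_group.get("IpPermissions", []):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        world_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        world_v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
        if world_v4 or world_v6:
            found.update(p for p in ports if lo <= p <= hi)
    return found


# Constructed sample shaped like one entry of describe_security_groups()["SecurityGroups"]
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}
```

Running `world_open_ports(SAMPLE_SG)` on the constructed entry reports only 3389, the RDP rule that should be narrowed to the administrator's address range.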

How do I perform any necessary data encryption configuration (e.g. S3 SSE, EBS encryption, LUKS, etc.)?

  • This is not necessary as we do not create any of these as part of our deployment.
  • For information on applying SQL Server data encryption methods, see the SQL Server Encryption topic at Microsoft Docs.
    • This includes guidance on choosing an encryption algorithm, Transparent Data Encryption (TDE), SQL Server database encryption keys, Always Encrypted, SQL Server certificates and asymmetric keys, and more.

How do I create any necessary risk audit mechanism (e.g. CloudTrail, S3 Access Logs)?

How do I tag resources?

What do I need to know about the purposes of IAM Roles and IAM Policies created for this solution?

  • We do not create any of these as part of the SQL Sentry solution.
  • For more information on IAM Roles and IAM Policies in general, see the IAM Roles topic in AWS documentation.

How do I change the Monitoring Service Logon Account credentials?

  • Refer to the Monitoring Service Logon Account article for information on using the Service Configuration Utility to update the stored credentials of the SQL Sentry monitoring service.