Improved IAM authentication in Redgate Monitor

Redgate Monitor now offers improved security for monitoring PostgreSQL on Amazon RDS and Aurora DB clusters, as well as for retrieving enhanced metrics from any RDS instance.

Every organization strives to keep its data estate secure, which means keeping up to date with security best practices. To make this easier for our customers, Redgate Monitor now supports AWS Identity and Access Management (IAM) authentication when monitoring PostgreSQL instances running on both Amazon RDS and Amazon Aurora DB clusters. This eliminates the need to store long-lived access credentials, further reducing the risk of unauthorized access to monitored PostgreSQL instances. It also allows more precise control over which users and services can access the database instances, and what actions they can perform.

In addition, Redgate Monitor can now use IAM roles to query the AWS API more securely when retrieving ‘enhanced’ monitoring metrics from any RDS-based instance.

IAM authentication for PostgreSQL on Amazon RDS & Aurora Clusters

A particular concern for data security is the use of long-lived credentials, such as passwords and API keys, and their vulnerability to unauthorized access. Redgate Monitor always stores any credentials, such as those used by the base monitor service account to access the monitored instances, in the Monitor repository with secure encryption. Even so, if you don’t rotate these credentials regularly, your data is at risk if a bad actor somehow gets hold of them.

Amazon Web Services (AWS) provides a solution to this problem through its IAM authentication feature for PostgreSQL RDS instances and Aurora DB clusters. For example, assuming you’re running Redgate Monitor’s base monitor service on an AWS VM, you simply enable IAM database authentication on AWS and then configure the base monitor service to use the IAM authentication role. Monitor will then request a temporary authentication token from AWS, which it uses to log in to the database instance. This eliminates the need to store and maintain any sensitive passwords or AWS API access keys. Also, only those AWS services to which you’ve granted access to the role have permission to generate credentials, which greatly reduces the chance that a bad actor can access your data.

The following screenshot shows how we configure Redgate Monitor to allow the base monitor service to access a PostgreSQL instance using IAM role authentication:

[Screenshot: IAM authentication in Redgate Monitor]

To get started, you can follow this guide on how to enable IAM authentication for PostgreSQL RDS instances & Aurora clusters.

Improved IAM support for advanced monitoring on RDS

As well as supporting IAM database authentication for PostgreSQL monitoring, Redgate Monitor now also supports IAM authentication for enhanced monitoring on all RDS-based instances.

This means that Redgate Monitor can now use an IAM role to query the AWS API when it needs to access the detailed metrics relating to disk and memory usage and OS processes, which are only available through the Enhanced Monitoring feature of Amazon RDS. Again, this eliminates the need to store and use long-lived API secret keys.

[Screenshot: Enhanced monitoring using IAM authentication]

If you’d like to use an IAM role for advanced host machine monitoring, we’ve got a handy step-by-step guide to walk you through it.

Conclusions

IAM authentication can help eliminate the need to store sensitive credentials, as well as allowing for more precise control over what services can access your database instances, which ultimately reduces the risk of unauthorized access.

These new features demonstrate how Redgate Monitor can help customers keep their data estates secure and up to date with the latest best practices. If you’re using Redgate Monitor with Amazon RDS or Aurora DB clusters, we encourage you to try them out. You can find guidance on how to get started in our documentation on enabling advanced monitoring for RDS instances, and enabling IAM authentication for PostgreSQL.
