Route all data access through the sidecar
Once your data repository is protected and monitored by Cyral, you must ensure that all users and applications connect to the repository through Cyral. In this section, we'll show you how to do this using popular network security tools.
Configure AWS security group rules to route data access through Cyral
This section shows how to use security groups in Amazon Web Services (AWS) to ensure traffic to and from your data repositories travels only through the Cyral-secured path. With the right security group rules in place, users and services no longer directly access your data repositories in AWS. Instead they only interact via Cyral.
For the rest of this document, we will use RDS as an example of the cloud data endpoint that needs to be secured. The process of securing other data endpoints is similar.
We consider the two different ways in which applications may be communicating with the RDS instance.
If applications connect using CNAME
invoices.hhiu.cyral.com is a CNAME for the RDS endpoint,
and apps use the
invoices.hhiu.cyral.com URL to get to the actual
RDS instance. You can find the mapping of CNAMEs to actual endpoints
in your Amazon Route 53 instance.
Using Route 53, change the CNAME to map to the Cyral sidecar. This forces all application traffic to go through the Cyral sidecar.
If applications connect using RDS URL
During a maintenance window, rename the RDS URL to a private one known only to you and your Cyral installation.
You can do this by choosing your database from the RDS console and modifying the RDS instance identifier. A new endpoint is automatically generated. You can choose when you want the change to take effect. In this example, we've chosen to do this at the next maintenance window. Use Route53 to map the old URL to Cyral.
Configure security groups so data requests must traverse Cyral
The steps above are necessary but not sufficient to ensure that all traffic goes through the data security layer. A user with database credentials may continue to directly go to the RDS instance. To prevent this and to enforce all accesses go through Cyral we will now configure security groups.
This section will cover how to configure security groups with Cyral as follows:
- Create a security group for RDS
- Add the RDS instance to above security group
- Create a security group for Cyral
- Add an inbound rule and an outbound rule for the RDS security group that only allows traffic to and from the Cyral security group
In these steps we assume a Cyral deployment with a sidecar named
Cyral-Sidecar-RDS that is protecting
Create a security group for Cyral and one for the RDS instance. Here, our group for Cyral is called Sidecar-Security-Group and the one RDS is called RDS-Security-Group. To create a security group, open the Amazon VPC console and choose Security Groups.
Add the RDS instance to the RDS-Security-Group.
Add the Cyral sidecar to Sidecar-Security-Group.
Create an inbound rule for the RDS-Security-Group. Choose Type to be
MySQL/Aurora. (Note: Amazon Aurora (Aurora) is a fully managed relational database engine that's compatible with MySQL and PostgreSQL.) This will default the port to 3306. Add the Group ID for the Sidecar-Security-Group as the Source. Finally, add a detailed description and click on Save Rules.
This enforces that all inbound traffic to the MySQL RDS instance must enter through Cyral.
Do the same for outbound rules, thereby enforcing that all outbound traffic from the MySQL RDS instance only goes through Cyral.
We want anyone to be able to access the Cyral sidecar, and so we set an inbound rule allowing all traffic.
Your setup is complete. Now all traffic into and out of the MySQL RDS instance must go through Cyral. If a user or application tries to bypass the data security layer and connect to the RDS instance directly, the operation will error out.