Track an S3 or DynamoDB storage location
You can protect your S3 buckets and DynamoDB databases using Cyral. Once you've associated a Cyral sidecar with an S3 storage location or DynamoDB database, data users can connect to that location through the Cyral sidecar, and Cyral will monitor data activity there.
Cyral supports SSO for S3 locations but not for DynamoDB databases.
- Cyral sidecar: If you don't already have a Cyral sidecar deployed for your S3 storage or DynamoDB, deploy it now.
- For S3 only: If your S3 users will connect via the Cyral S3 Browser, follow the steps in Enable the S3 File Browser.
To track an S3 or DynamoDB location in Cyral, open the Cyral management console, navigate to the Data Repos tab and click the ➕ button.
In the Edit repository window, choose one of the following:
For S3, set the Type to Amazon S3.
In terms of the scope of coverage, tracking S3 storage works differently from tracking other repository types in Cyral. For other repository types such as PostgreSQL, you associate Cyral with a particular database instance based on its address and port. For S3, once you have associated Cyral with your S3 storage, it offers coverage for the buckets of all IAM roles that you have mapped in Cyral. See Provide the IAM roles needed for accessing S3 for details.
For DynamoDB, enter:
- Type: DynamoDB
- Name: The name by which your data users will find this DynamoDB instance
- Hostname and Port: The address and port of the DynamoDB instance. This is the address at which Cyral connects to the repository, and we refer to it as the data repository endpoint. Later, when you assign this repository to its sidecar, you will establish a separate user-facing address, the sidecar load balancer address. Data users connect to the repository through the sidecar load balancer address.
Click Track or Save.
Associate the S3 location or DynamoDB instance with your Cyral sidecar:
- In the Cyral management console, navigate to the Sidecars tab and click the name of the sidecar to which you'd like to assign the repository.
- Click the Data Repositories tab and click ➕.
- In the Assign a Repository window, choose the name of the S3 or DynamoDB repository you created above.
- Specify the Proxy port. Data users will connect tools like the AWS CLI to this repository at the sidecar hostname and this port.
- For S3 only: If you're using the Cyral S3 Browser, toggle the Use (port number) for S3 Browser port switch to the ON position and specify the port where the S3 Browser will connect. The default is 443.
- Click Track.
Your S3 storage location or DynamoDB instance is now accessible through the Cyral sidecar. Next you should:
- For S3, create S3-style Data Map entries to specify which buckets and objects Cyral will protect.
- For DynamoDB, create Data Map entries to specify which tables Cyral will protect.
- To add SSO for S3 users, see SSO for S3.
- If S3 users will connect via the Cyral S3 Browser, enable it now.
- If S3 users will connect only via other tools, they can connect now as explained in Connect to S3 from the CLI.
- DynamoDB users can connect as shown in Connect to DynamoDB.