Track an S3 or DynamoDB storage location
You can protect your S3 buckets and DynamoDB databases using Cyral. Once you've associated a Cyral sidecar with an S3 storage location or DynamoDB database, data users can connect to that location through the Cyral sidecar, and Cyral will monitor data activity there.
note
Cyral supports SSO for S3 locations but not for DynamoDB databases.
Prerequisites
- Cyral sidecar: If you don't already have a Cyral sidecar deployed for your S3 storage or DynamoDB, deploy it now.
- For S3 only: If your S3 users will connect via the Cyral S3 Browser, follow the steps in Enable the S3 File Browser.
Procedure
To track an S3 or DynamoDB location in Cyral, open the Cyral management console, navigate to the Data Repos tab and click the Add Repository button.
In the Edit repository window, choose one of the following:
For S3, set the Type to Amazon S3.
note
In terms of the scope of coverage, tracking S3 storage works differently from tracking other repository types in Cyral. For other repository types such as PostgreSQL, you associate Cyral with a particular database instance based on its address and port. For S3, once you have associated Cyral with your S3 storage, it offers coverage for the buckets of all IAM roles that you have mapped in Cyral. See Provide the IAM roles needed for accessing S3 for details.
For DynamoDB, enter:
- Type: DynamoDB
- Name: The name by which your data users will find this DynamoDB instance
- Hostname and Port: The address and port of the DynamoDB instance This is the address at which Cyral connects to the repository, and we refer to it as the data repository endpoint. Later, when you assign this repository to its sidecar, you will establish a separate user-facing address, the sidecar load balancer address. Data users connect to the repository through the sidecar load balancer address.
Click Track or Save
Associate the S3 location or DynamoDB instance with your Cyral sidecar:
- In the Cyral management console, navigate to the Sidecars tab and click the name of the sidecar to which you'd like to assign the repository.
- Click on the Bindings tab and click on the Bind Data Repo button.
- In the Bind Data Repo window, choose the name of the S3 or DynamoDB repository you created above
- Specify the Proxy port. Data users will connect tools like the AWS CLI to this repository at the sidecar hostname and this port.
- For S3 only: If you're using the Cyral S3 Browser, toggle the Enable S3 Browser switch to the ON position and specify the port where the S3 Browser will connect. The default is 443.
- Click Bind.
Next steps
Your S3 storage location or DynamoDB instance is now accessible through the Cyral sidecar. Next you should:
- For S3, create S3-style Data Map entries to specify which buckets and objects Cyral will protect.
- For DynamoDB, create Data Map entries to specify which tables Cyral will protect.
For S3:
- To add SSO for S3 users, see SSO for S3
- If S3 users will connect via the Cyral S3 Browser, enable it now
- If S3 users will connect only via other tools, they can connect now as explained in Connect to S3 from the CLI.
For DynamoDB:
- DynamoDB users can connect as shown in Connect to DynamoDB.