Configuring Amazon RDS for SQL Server for auditing

You can deploy audit store databases on Amazon RDS instances, if desired. Centrify supports Amazon RDS for SQL Server 2016 and earlier versions (SQL Server 2017 is not supported).

You must host the audit management database on a traditional SQL Server, such as SQL Server Express, Standard, or Enterprise.

If you want to use an instance of Amazon RDS for SQL Server for audit store databases, you need to make the following configuration changes:

  • After you set up your Amazon RDS for SQL Server instance, join the RDS SQL Server instance to AWS Microsoft Active Directory.
  • Enable these DB Parameter Group settings on RDS SQL Server:
    • clr enabled
    • show advanced options

    You can use the AWS Management Console, API, or the AWS command line interface to enable these settings.

    For more details, see http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html.

  • Set up a one-way or two-way forest trust between the AWS Microsoft Active Directory and your on-premises Active Directory forest so that users of your on-premises Active Directory forest can access resources in the AWS Microsoft Active Directory.

Note:   Amazon RDS for SQL Server with High Availability is supported.

Amazon RDS for SQL Server required permissions

The permissions for Amazon RDS for SQL Server differ slightly from the permissions for local or network instances of SQL Server. This section covers the Amazon RDS for SQL Server permissions required by, or granted to, each auditing component.

Permissions to the audit store database stored procedures service account

The stored procedures service account (in other words, the 'execute as' account) no longer requires the sysadmin server role if the audit store database is on Amazon RDS for SQL Server.

The service account requires only the db_owner database role; the Add Audit Store Database wizard adds the account as a member of the db_owner database role.

Note:   You do not need to grant the permissions manually. The Audit Manager console, PowerShell cmdlet, or SDK grants the permissions to the service account.

Collector account permissions for audit store databases on Amazon RDS for SQL Server

The collector account requires the following server level permissions on the Amazon RDS for SQL Server instance:

  • 'View Any Definition' server level permission
  • 'View Server State' server level permission

The collector account requires the following database level permissions on the audit store database:

  • A member of the 'collector' database role

Note:   You do not need to grant the permissions manually. The Audit Manager console, PowerShell cmdlet, SDK, or the Collector Configuration wizard grants the permissions to the collector account.

Management Database Account permissions for audit store databases on Amazon RDS for SQL Server

The management database account requires the following server level permissions on the Amazon RDS for SQL Server instance:

  • 'Alter Trace' server level permission
  • 'Alter Any Login' server level permission
  • 'Alter Any Login' server level permission with grant option (the ability to grant 'Alter Any Login' to other accounts)
  • 'View Any Definition' server level permission with grant option
  • 'View Server State' server level permission with grant option

The management database account requires the following database level permissions on the audit store database:

  • A member of 'managementdb' database role

Note:   You do not need to grant the permissions manually. The Audit Manager console, PowerShell cmdlet, or SDK grants the permissions to the management database account.

Permissions to create the audit store database on Amazon RDS for SQL Server

In order to create an audit store database on Amazon RDS for SQL Server, you must have the following permissions:

  • 'Create Any Database' server level permission to create the database on the server
  • 'Alter Any Login' server level permission to create the login for the management database account and the collector account
  • 'Alter Any Login' server level permission to grant the 'Alter Any Login' permission to the management database account
  • 'Alter Trace' server level permission to grant the 'Alter Trace' permission to the management database account
  • 'View Any Definition' server level permission to grant the 'View Any Definition' (with grant) permission to the management database account and also to grant the 'View Any Definition' permission to the collector account
  • 'View Server State' server level permission with grant option to grant the 'View Server State' (with grant) permission to the management database account and also to grant the 'View Server State' permission to the collector account
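The following T-SQL is an added example, not Centrify's own code or the script the Audit Manager console and wizards run. It writes out the server-level permissions and database role memberships described in the collector, management database account, and creation sections above, so an administrator can compare what the tooling granted against what is expected. The login names EXAMPLE\svc-collector, EXAMPLE\svc-mgmtdb and EXAMPLE\svc-storedproc and the database name AuditStoreDB are placeholders; the 'collector' and 'managementdb' database roles are assumed to already exist in the audit store database; and the connecting login is assumed to hold the permissions listed under "Permissions to create the audit store database".

```sql
-- Placeholders (assumption): replace with your AWS Microsoft AD logins
-- and the name of your audit store database.
USE master;
GO

-- Collector account: server level permissions (no grant option needed).
GRANT VIEW ANY DEFINITION TO [EXAMPLE\svc-collector];
GRANT VIEW SERVER STATE   TO [EXAMPLE\svc-collector];

-- Management database account: server level permissions.
-- WITH GRANT OPTION covers both the permission itself and the ability
-- to grant it onward, which is what the management account needs in order
-- to provision further collector accounts later.
GRANT ALTER TRACE         TO [EXAMPLE\svc-mgmtdb];
GRANT ALTER ANY LOGIN     TO [EXAMPLE\svc-mgmtdb] WITH GRANT OPTION;
GRANT VIEW ANY DEFINITION TO [EXAMPLE\svc-mgmtdb] WITH GRANT OPTION;
GRANT VIEW SERVER STATE   TO [EXAMPLE\svc-mgmtdb] WITH GRANT OPTION;
GO

-- Database level role memberships in the audit store database.
-- Roles 'collector' and 'managementdb' are assumed to exist already.
USE AuditStoreDB;
GO
ALTER ROLE collector    ADD MEMBER [EXAMPLE\svc-collector];
ALTER ROLE managementdb ADD MEMBER [EXAMPLE\svc-mgmtdb];
-- Stored procedures ('execute as') account: db_owner only, no sysadmin.
ALTER ROLE db_owner     ADD MEMBER [EXAMPLE\svc-storedproc];
GO

-- Verification: list the server level permissions each account actually
-- holds. state_desc is GRANT for plain grants and GRANT_WITH_GRANT_OPTION
-- for the rows the management account must hold with grant option; any
-- extra rows (for example CONTROL SERVER) indicate over-provisioning.
SELECT pr.name          AS login_name,
       pe.permission_name,
       pe.state_desc
FROM   sys.server_permissions AS pe
JOIN   sys.server_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pr.name IN (N'EXAMPLE\svc-collector', N'EXAMPLE\svc-mgmtdb')
  AND  pe.class_desc = 'SERVER'
ORDER  BY pr.name, pe.permission_name;
```

Run the verification query alone when the accounts were provisioned by the Audit Manager console or wizard; the GRANT and ALTER ROLE statements are only for reproducing the expected state by hand.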

Permissions to upgrade the audit store database on Amazon RDS for SQL Server

The only permission required to upgrade the audit store database on Amazon RDS for SQL Server is the 'db_owner' permission on the database. No server level permissions are required.