AWS Integration Connection Guide

Transcend can continuously discover and classify your data stores hosted on AWS, as well as the data inside each store. This guide will help you connect your Amazon Web Services account to continuously discover data stores hosted on AWS. Then we will show you how to enable Structured Discovery for each data store to discover and classify the data inside. Finally, we will show you how to configure DSR Automation for each data store.

The integration is scoped to a single AWS account. If you have multiple AWS accounts to connect, please add a data silo for each account and follow the steps below.

Authenticating the AWS integration requires a new IAM user to be created in the AWS account to be connected. One of the benefits of using an IAM user to integrate AWS is the ability to designate only the specific permissions Transcends needs and define a custom trust policy. To create a new IAM role, log in to the AWS console and navigate to Roles → Create Role. More information about IAM roles can be found in the AWS documentation.

  • You must first add the integration to your Transcend account and visit the connection form.
AWS Connection Form.
  • In the AWS IAM Console, under Select trusted entity, select AWS account as the trusted entity type. Here you will put:

    • For Multi-tenant Sombra, include 829095311197 (Transcend's Account ID).
    • For Self-hosted Sombra, include the account ID of where the self-hosted Sombra is hosted in
  • Select Require external ID and copy/paste the External ID provided on our integration connection page (see below).

    AWS Integration Connection screen showing External ID.
  • Click Next.

  • Once the role is created, you can navigate to the Trust Relationships tab of the role and the trusted entity should generally look something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<transcend-or-self-hosted-sombra-account-id>:root"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "5ab4defb0bef8e2bf4b9e636c3949f3edff73c5fb2eb0f56d84a913bd38b8445"
        }
      }
    }
  ]
}
  • For self-hosted Sombra, make sure that the Sombra instance has the permission to also assume the role.
  • If you host Sombra via our Terraform Module, you may add this by updating the roles_to_assume variable.
  • Otherwise, adjust the IAM permissions attached to the Sombra instance to have sts:AssumeRole permissions on the IAM Role you created.
    • If your Sombra instance is hosted on an ECS cluster, you would also need to include the role attached to that cluster as well
  • The policy should generally look something like this:
{
  "Action": ["sts:AssumeRole"],
  "Resource": [
    "arn:aws:iam::<sombra-account-where-role-lives>:role/<name-of-role>",
    "<any other resources ...>"
  ],
  "Effect": "Allow"
}
  • Select Create Policy and select the JSON tab.

  • Transcend has created a JSON policy with the permissions needed for the integration. Copy & paste this policy from Transcend's connection form under AWS IAM Role, or manually add the following permissions: dynamodb:ListTables, rds:DescribeDBInstances, s3:ListAllMyBuckets.

    AWS Integration connection screen showing IAM Role Permissions.
    • If your organization would like to use Structured Discovery for a DynamoDB database, please also include the additional permission dynamodb:DescribeTable.
    • If your organization would like to fulfill DynamoDB DSRs through custom PartiQL queries, please also include some of the following permissions according to which PartiQL query you use. Likely, the mapping from action type to required permissions will be the following:
      • Access requests: dynamodb:PartiQLSelect
      • Erasure requests: dynamodb:PartiQLDelete
      • All other requests: dynamodb:PartiQLUpdate, and/or dynamodb:PartiQLInsert
  • In addition, if you want to control all the different AWS integrations using a single policy, then the policy should include all the required permissions from all the integrations and look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "dynamodb:PartiQLSelect",
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "dynamodb:GetItem",
        "dynamodb:Scan",
        "dynamodb:Query",
        "rds:DescribeDBInstances",
        "redshift:DescribeClusters"
      ],
      "Resource": "*"
    }
  ]
}
  • Click Next.
  • Adding tags is not required for the integration, but it won’t interfere either if tagging roles is part of an internal business process.
  • Click Next.
  • In the next page, pick a name for your Role (e.g., "TranscendS3Role") and add a description.
  • Review the selected trusted entities and permissions, and create the role.

Finally, enter your Account ID to Transcend's connection form input named AWS Account ID.