AWS Integration Connection Guide

Transcend can continuously discover and classify your data stores hosted on AWS, as well as the data inside each store. This guide will help you connect your Amazon Web Services account to continuously discover data stores hosted on AWS. Then we will show you how to enable Structured Discovery for each data store to discover and classify the data inside. Finally, we will show you how to configure DSR Automation for each data store.

The integration is scoped to a single AWS account. If you have multiple AWS accounts to connect, consider instead using our AWS Organizations integration or add a data silo for each account and follow the steps below. To make sure the rest of AWS discovery is automated end-to-end, read our guide here on connecting multiple AWS services automatically.

Authenticating the AWS integration requires a new IAM user to be created in the AWS account to be connected. One of the benefits of using an IAM user to integrate AWS is the ability to designate only the specific permissions Transcends needs and define a custom trust policy. To create a new IAM role, log in to the AWS console and navigate to Roles → Create Role. More information about IAM roles can be found in the AWS documentation.

  • You must first add the integration to your Transcend account and visit the connection form.
AWS Connection Form.

  • In the AWS IAM Console, under Select trusted entity, select AWS account as the trusted entity type. Here you will put:

    • For Multi-tenant Sombra, include 829095311197 (Transcend's Account ID).
    • For Self-hosted Sombra, include the account ID of where the self-hosted Sombra is hosted in

  • Select Require external ID and copy/paste the External ID provided on our integration connection page (see below).

    AWS Integration Connection screen showing External ID.

  • Click Next.

  • Once the role is created, you can navigate to the Trust Relationships tab of the role and the trusted entity should generally look something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<transcend-or-self-hosted-sombra-account-id>:root"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "5ab4defb0bef8e2bf4b9e636c3949f3edff73c5fb2eb0f56d84a913bd38b8445"
        }
      }
    }
  ]
}
  • For self-hosted Sombra, make sure that Sombra has the permission to also assume the role.
  • If you host Sombra via our Terraform Module, you may add this by updating the roles_to_assume variable.
  • Otherwise, adjust the IAM permissions attached to Sombra to have sts:AssumeRole permissions on the IAM Role you created.
    • If Sombra is hosted on an ECS cluster, include the role attached to that cluster as well.
  • The policy should generally look something like this:
{
  "Action": ["sts:AssumeRole"],
  "Resource": [
    "arn:aws:iam::<sombra-account-where-role-lives>:role/<name-of-role>",
    "<any other resources ...>"
  ],
  "Effect": "Allow"
}

  • Select Create Policy and select the JSON tab.

  • Transcend has created a JSON policy with the permissions needed for the integration. Copy & paste this policy from Transcend's connection form under AWS IAM Role, or manually add the following permissions: dynamodb:ListTables, rds:DescribeDBInstances, s3:ListAllMyBuckets, s3:GetBucketLocation.

    AWS Integration connection screen showing IAM Role Permissions.
    • If your organization would like to use Structured Discovery for a DynamoDB database, please also include the additional permission dynamodb:DescribeTable.
    • If your organization would like to fulfill DynamoDB DSRs through custom PartiQL queries, please also include some of the following permissions according to which PartiQL query you use. Likely, the mapping from action type to required permissions will be the following:
      • Access requests: dynamodb:PartiQLSelect
      • Erasure requests: dynamodb:PartiQLDelete
      • All other requests: dynamodb:PartiQLUpdate, and/or dynamodb:PartiQLInsert
    • If your organization would like to connect to Amazon Aurora integration with IAM role authentication, please also include the additional permission rds-db:connect to instantly connect to Aurora databases when adding suggested Aurora databases from Silo Discovery.

  • In addition, if you want to control all the different AWS integrations using a single policy, then the policy should include all the required permissions from all the integrations and look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "dynamodb:PartiQLSelect",
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "dynamodb:GetItem",
        "dynamodb:Scan",
        "dynamodb:Query",
        "rds:DescribeDBInstances",
        "rds-db:connect",
        "redshift:GetClusterCredentialsWithIAM",
        "redshift:DescribeClusters",
        "redshift-data:ListDatabases"
      ],
      "Resource": "*"
    }
  ]
}

  • Here is a brief explanation of the IAM scopes and how Transcend uses them:

    • Required for AWS Silo Discovery to discover AWS services
      • rds:DescribeDBInstances
      • redshift:DescribeClusters
      • redshift-data:ListDatabases
      • dynamodb:ListTables
      • dynamodb:DescribeTable
      • s3:ListAllMyBuckets
      • s3:GetBucketLocation
      • s3:ListBucket
    • Required for S3 discovery plugins
      • s3:GetBucketLocation
      • s3:ListBucket
      • s3:GetObject
      • KMS:Decrypt
    • Required for DynamoDB discovery plugins
      • dynamodb:DescribeTable
      • dynamodb:Scan
    • Required for RDS & Aurora discovery plugins (if IAM authentication applies)
      • rds-db:connect
    • Required for Redshift discovery plugins
      • redshift:GetClusterCredentialsWithIAM

  • Click Next.

  • Adding tags is not required for the integration, but it won’t interfere either if tagging roles is part of an internal business process.
  • Click Next.
  • In the next page, pick a name for your Role (e.g., "TranscendS3Role") and add a description.
  • Review the selected trusted entities and permissions, and create the role.

Enter your Account ID to Transcend's connection form input named AWS Account ID.

Choose AWS regions available in your account. To scan all regions, leave this field blank.

Provide the username used across all Aurora (MySQL and PostgreSQL) instances to be passed to the recommended data silo for easier connectivity.