Working with Amazon RDS

This section describes which actions must be taken to prepare a database of Amazon Relational Database Service (RDS) for Kaspersky Security Center, place it in an option group, create an IAM role for working with an RDS database, prepare an S3 bucket for storage, and migrate an existing database to RDS.

Amazon RDS is a web service that helps AWS users to set up, operate, and scale a relational database in the AWS cloud environment. If you want, you can use an Amazon RDS database to work with Kaspersky Security Center.

You can work with the following databases:

• Microsoft SQL Server
• SQL Express Edition
• Aurora MySQL 5.7
• Standard MySQL 5.7

Creating an Amazon RDS instance

If you want to use Amazon RDS as the DBMS, you have to create an Amazon RDS database instance. This section describes how to select SQL Express Edition; if you want to work with Aurora MySQL 5.7 or Standard MySQL 5.7, you must select one of those engines.

To create an Amazon RDS database instance:

1. Open the AWS Management Console at https://console.aws.amazon.com and sign in under your account.
2. Using the AWS interface, create a database with the following settings:
   • Engine: Microsoft SQL Server, SQL Express Edition
   • DB engine version: SQL Server 2014 12.00.5546.0v1
   • DB instance class: db.t2.medium
   • Storage type: General purpose
   • Allocated storage: minimum 50 GiB
   • Security group: the same group where the EC2 instance with Kaspersky Security Center Administration Server will be located

   Create an identifier, username and password for your RDS instance.

   You may leave default settings in all the other fields. Or, change the default settings if you want to customize your Amazon RDS instance. To get help, refer to the AWS information pages.

3. At the last step, AWS displays the results of the process. If you want to view the details of your Amazon RDS instance, click View DB instance details. If you want to proceed to the next action, start creating an option group for your Amazon RDS instance.

The creation of a new Amazon RDS instance may take up to several minutes. After the instance is created, you can use it for work with Kaspersky Security Center data.

The addresses of web pages cited in this document are correct as of the Kaspersky Security Center release date.

Creating option group for Amazon RDS instance

You need to place your Amazon RDS instance into an option group.

To create an option group for your Amazon RDS instance:

1. Make sure that you are in the AWS Management Console (https://console.aws.amazon.com) and signed in under your account.
2. In the menu line, click Services.

   The list of available services appears (see figure below).

   

   List of services in the AWS Management Console

3. In the list, click RDS.
4. In the left pane, click Option groups.
5. Click the Create group button.
6. Create an option group with the following settings, if you chose SQL Server at the stage of creating the Amazon RDS instance:
   • Engine: SQLserver-ex
   • Major engine version: 12.00

   If you chose a different SQL database at the stage of creating the Amazon RDS instance, then choose a corresponding engine.

The group is created and displayed in the list of your groups.

After creating the option group, place your Amazon RDS instance into this option group.

The addresses of web pages cited in this document are correct as of the Kaspersky Security Center release date.

Modifying the option group

The default configuration of the option group in which you placed the Amazon RDS instance is not enough for working with the Kaspersky Security Center database. You have to add options to the option group and create a new IAM role for working with the database.

To modify the option group and create a new IAM role:

1. Make sure that you are in the AWS Management Console (https://console.aws.amazon.com) and signed in under your account.
2. In the menu line, click Services.

   The list of available services appears (see figure below).

   

   List of services in AWS Management Console

3. In the list, select RDS.
4. In the left pane, click Option groups.

   The list of option groups is displayed.

5. Select the option group in which you placed your Amazon RDS instance and click the Add option button.

   The Add option window opens.

6. In the IAM role section, select the Create a new role / Yes option and enter a name for the new IAM role.

   The role is created with a default set of permissions. Later, you will have to change its permissions.

7. In the S3 bucket section, do one of the following:
   • If you haven't created an Amazon S3 bucket instance for the data backup, select the Create a new S3 bucket link and create a new S3 bucket, using the AWS interface.
   • If you already have created an Amazon S3 bucket instance for the Administration Server data backup task, select your S3 bucket from the drop-down menu.
8. Finish adding options by clicking the Add option button at the bottom of the page.

You have modified the option group and created a new IAM role for working with the RDS database.

The addresses of web pages cited in this document are correct as of the Kaspersky Security Center release date.

Modifying permissions for IAM role for Amazon RDS database instance

After you add options to the option group, you must assign required permissions to the IAM role that you created for working with the Amazon RDS database instance.

To assign required permissions to the IAM role that you created for work with the Amazon RDS database instance:

1. Make sure that you are in the AWS Management Console (https://console.aws.amazon.com) and signed in under your account.
2. In the list of services, select IAM.

   A window opens containing a list of user names and a menu that lets you work with the tool.

3. In the menu, select Roles.
4. In the list of IAM roles displayed in the workspace, select the role that you created when adding option to the option group.
5. Using the AWS interface, delete the sqlNativeBackup-<date> policy.
6. Using the AWS interface, attach the AmazonS3FullAccess policy to the role.

The IAM role is assigned the required permissions to work with Amazon RDS.

The addresses of web pages cited in this document are correct as of the Kaspersky Security Center release date.

Preparing Amazon S3 bucket for database

If you plan to use Amazon Relational Database System (Amazon RDS) database, you have to create an Amazon Simple Storage Service (Amazon S3) bucket instance where the regular Backup of the database will be stored. For information about Amazon S3 and about S3 buckets, refer to the Amazon help pages. For more information about creating an Amazon S3 instance, refer to Amazon S3 help page.

To create an Amazon S3 bucket:

1. Make sure that AWS Management Console is open and you are signed in under your account.
2. In the list of AWS services, select S3.
3. Navigate the console to create a bucket, following the instructions of the wizard.
4. Select the same region where your Administration Server is located (or will be located).
5. When the wizard finishes, make sure that the new bucket appears in the list of buckets.

A new S3 bucket is created and appears in your list of buckets. You have to specify this bucket when adding options to the option group. You will also have to specify the address of your S3 bucket to Kaspersky Security Center when the Kaspersky Security Center creates the Backup of Administration Server data task.

The addresses of web pages cited in this document are correct as of the Kaspersky Security Center release date.

Migrating the database to Amazon RDS

Expand all | Collapse all

You can migrate your Kaspersky Security Center database from an on-premises device to an Amazon S3 instance that supports Amazon RDS. To do this, you need an S3 bucket for an RDS database and an IAM user account with AmazonS3FullAccess permission for this S3 bucket.

To perform the migration of the database:

1. Make sure that you have created an RDS instance (refer to Amazon RDS reference pages for more information).
2. On your physical Administration Server (on-premises), run the Kaspersky Backup utility to back up Administration Server data.

   You must make sure that the file is named backup.zip.

3. Copy the backup.zip file to the EC2 instance on which Administration Server is installed.

   Make sure that you have enough disk space on the EC2 instance on which Administration Server is installed. In the AWS environment, you can add disk space to your instance to accommodate the process of database migration.

4. On the AWS Administration Server, start the Kaspersky Backup utility again in interactive mode.

   The Backup and Restore Wizard starts.

5. At the Select action step, select Restore Administration Server data and click Next.
6. At the Restore settings step, click the Browse button next to the Folder for storage of backup copies.
7. In the Sign In to Online Storage window that opens, fill in the following fields and then click OK:
   • S3 bucket name

     The name of your S3 bucket.

   • Backup folder

     Specify the location of the storage folder that is meant for backup.

   • Access key ID

     AWS IAM access key ID that belongs to the IAM user who has the permissions to use the S3 bucket (the AmazonS3FullAccess permission).

   • Secret key

     AWS IAM secret key that belongs to the IAM user who has the permissions to use the S3 bucket (the AmazonS3FullAccess permission).

8. Select the Migrate from local backup option. The Browse button becomes available.
9. Click the Browse button to choose the folder on the AWS Administration Server where you copied the backup.zip file.
10. Click Next and complete the procedure.

Your data will be restored to the RDS database using your S3 bucket. You can use this database for further work with Kaspersky Security Center in the AWS environment.

The addresses of web pages cited in this document are correct as of the Kaspersky Security Center release date.