From 93ed9773de1b86426d9dd172c14e693bbace9d24 Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Mon, 10 Jun 2024 16:57:49 +0200 Subject: [PATCH 01/16] Added preliminary updates based on phase 1 PR --- .../release/administering_cluster/projects.mdx | 15 ++++++++------- .../getting_started/creating_a_cluster/index.mdx | 4 ++-- .../release/overview/03_security/index.mdx | 4 ++-- .../using_cluster/05a_deleting_your_cluster.mdx | 4 ++-- .../release/using_cluster/managing_replicas.mdx | 7 +++---- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/product_docs/docs/biganimal/release/administering_cluster/projects.mdx b/product_docs/docs/biganimal/release/administering_cluster/projects.mdx index 61f89f0c03c..5d6422fdf86 100644 --- a/product_docs/docs/biganimal/release/administering_cluster/projects.mdx +++ b/product_docs/docs/biganimal/release/administering_cluster/projects.mdx 
@@ -88,18 +88,19 @@ To delete a project that you created: 1. Go to **Settings** on the left-side navigation. 1. From the **Settings** list, select **Security**. 1. Select **Add a key**. -1. On the **Add a key** page, select: - - Select the **Provider & Region** - - Select **Next** - - Enter AWS Key Management System ARN - - Enter a friendly name for your key - - Select **Finish** +1. On the **Add a key** page, select the **Cloud Service Provider**. +1. Select the **Region** for the key. The interface only displays the regions available to the cloud account you configured. + !!! Note + GCP offers the option to configure global keys. If you require a global key, do not select any region. + !!! +1. Fill out the remaining values. Each cloud provider has a different set of options. +1. Select **Add Key** to finalize the key configuration. Now, use this TDE key to create a cluster. For more information, see [Creating a cluster](/biganimal/release/getting_started/creating_a_cluster/#security). ## Deleting a TDE key -1. From the Projects pageXOffset, select an existing project. +1. From the Projects page, select an existing project. 1. Go to **Settings** on the left-side navigation. diff --git a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx index 06c6f6734b8..db96b26f320 100644 --- a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx +++ b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx 
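Review bot: the rewritten **Add a key** steps no longer tell the reader which key identifier the form expects; the removed line named the AWS Key Management System ARN, and the new "Fill out the remaining values. Each cloud provider has a different set of options." leaves that out entirely. Suggest naming the identifier each provider asks for (at minimum restore the AWS ARN mention), and check that the `!!! Note` block indented inside the numbered list renders without restarting the list numbering in the MDX build.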
@@ -216,10 +216,10 @@ Enable **Superuser Access** to grant superuser privileges to the edb_admin role. ### Security -Enable **Transparent Data Encryption (TDE)** to use your own encryption key. This option is available for EDB Postgres Advanced Server and EDB Postgres Extended Server for version 15 and later on AWS. Select an encryption key from your project and region to encrypt the cluster with TDE. +Enable **Transparent Data Encryption (TDE)** to use an encryption key. This option is available for EDB Postgres Advanced Server and EDB Postgres Extended Server for version 15 and later. Select an encryption key from your project and region to encrypt the cluster with TDE. !!!Note "Important" -- To enable and use TDE for cluster, the encryption key must be enabled and added at the project level. For more information, see [Adding a TDE key at project level](../../administering_cluster/projects.mdx/#adding-a-tde-key). +- To enable and use TDE for a cluster, the encryption key must be enabled and added at the project level. For more information, see [Adding a TDE key at project level](../../administering_cluster/projects.mdx/#adding-a-tde-key). - If the TDE enabled cluster creation is in progress and the process is waiting providing **Encryption Key Error** next to the cluster name on the clusters page: - Select the cluster name and go to the cluster's home page. - See the **Action required: grant key permissions to activate the cluster** on the cluster's overview tab. diff --git a/product_docs/docs/biganimal/release/overview/03_security/index.mdx b/product_docs/docs/biganimal/release/overview/03_security/index.mdx index 66e07a51c29..f4a17b594fb 100644 --- a/product_docs/docs/biganimal/release/overview/03_security/index.mdx +++ b/product_docs/docs/biganimal/release/overview/03_security/index.mdx 
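Review bot: the added line drops "on AWS", so the TDE option now applies to every supported provider, but the unchanged context that follows still describes a single remediation path for the **Encryption Key Error** state (the AWS key-policy step granting `kms:Encrypt` and `kms:Decrypt`, visible as a removed line in PATCH 04 of this series), so GCP and Azure readers get no usable steps. The context sentence "the process is waiting providing **Encryption Key Error**" is also ungrammatical; suggest "the process pauses and shows **Encryption Key Error**" followed by per-provider permission steps.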
@@ -12,10 +12,10 @@ BigAnimal runs in your own cloud account or BigAnimal's cloud account. Every Big - **Data encryption:** - **BigAnimal's encryption** - All data in BigAnimal is encrypted in motion and at rest. Network traffic is encrypted using Transport Layer Security (TLS) v1.2 or greater. Data at rest is encrypted using AES with 256-bit keys. Data encryption keys are envelope encrypted, and the wrapped data encryption keys are securely stored in a key management system. When you use your own cloud account, encryption keys never leave your cloud environment. - - **Your own encryption key** - Optionally enable Transparent Data Encryption (TDE) at the database level on BigAnimal's cloud account and on AWS. You can't enable TDE on existing clusters. You can enable TDE, only while creating a cluster. To enable TDE, use your own encryption keys. Connect the encryption keys to BigAnimal at the project level and select those keys to encrypt the databases. You can't disable TDE on TDE-enabled clusters. + - **Your own encryption key** - Optionally enable Transparent Data Encryption (TDE) at the database level on BigAnimal's cloud account, on AWS, GCP or Azure. You can't enable nor diable TDE on existing clusters. To enable TDE, first connect the encryption keys to BigAnimal at the project level, and then select those keys while creating a cluster. !!!note - Enabling TDE using your own encryption key is supported on EDB Postgres Advanced Server versions 15 and later. The process of encryption and decryption adds additional overhead in terms of CPU and RAM consumption, performance, and for managing keys for faraway replicas. + Enabling TDE using your own encryption key is supported on EDB Postgres Advanced Server and EDB Postgres Extended Server versions 15 and later. The process of encryption and decryption adds additional overhead in terms of CPU and RAM consumption, performance, and for managing keys for faraway replicas. !!! 
- **Portal audit logging:** Activities in the portal, such as those related to user roles, organization updates, and cluster creation and deletion, are tracked and viewed in the activity log. diff --git a/product_docs/docs/biganimal/release/using_cluster/05a_deleting_your_cluster.mdx b/product_docs/docs/biganimal/release/using_cluster/05a_deleting_your_cluster.mdx index eb6d5625726..31e61ee9a7a 100644 --- a/product_docs/docs/biganimal/release/using_cluster/05a_deleting_your_cluster.mdx +++ b/product_docs/docs/biganimal/release/using_cluster/05a_deleting_your_cluster.mdx @@ -30,7 +30,7 @@ You can restore your deleted cluster for as long as the backup is available. When the process completes, the restored cluster is available on the [Clusters](https://portal.biganimal.com/clusters) page. !!! note -To restore a TDE enabled cluster, the TDE key material must match with source cluster encryption key material. In case a different key material is used the restore operation fails. +To restore a TDE-enabled cluster, the TDE key material must match the source cluster encryption key material. If a different key material is used, the restore operation will fail. -We recommend, not to enable TDE while restoring a cluster, if the source cluster is a non-TDE cluster. +Do not to enable TDE when restoring a non-TDE cluster. !!! diff --git a/product_docs/docs/biganimal/release/using_cluster/managing_replicas.mdx b/product_docs/docs/biganimal/release/using_cluster/managing_replicas.mdx index c1034db9c1e..fd20b0def62 100644 --- a/product_docs/docs/biganimal/release/using_cluster/managing_replicas.mdx +++ b/product_docs/docs/biganimal/release/using_cluster/managing_replicas.mdx 
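Review bot: the added **Your own encryption key** bullet has a typo ("diable" for "disable"), and "on BigAnimal's cloud account, on AWS, GCP or Azure" reads as four separate options when the sentence means BigAnimal's cloud account or your own AWS, GCP, or Azure account. Suggest: "on BigAnimal's cloud account or in your own AWS, GCP, or Azure account. You can't enable or disable TDE on existing clusters."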
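Review bot: the added line "Do not to enable TDE when restoring a non-TDE cluster." has a stray "to"; suggest "Do not enable TDE when restoring a non-TDE cluster." The same note switches to "the restore operation will fail" while the removed line and the surrounding docs use the present tense ("the restore operation fails"); keep one tense across the page.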
@@ -34,7 +34,6 @@ You can create faraway replicas in any active regions in your cloud. There's no Under the **Backups** section, change the default replica backup retention period of 30 days using the **Retention Time** controls. You can configure the retention period as follows: - 1–180 days - - 1–25 weeks - 1–6 months @@ -53,9 +52,9 @@ You can create faraway replicas in any active regions in your cloud. There's no Under the **Security** section, the **Transparent Data Encryption (TDE)** option is enabled by default only when your primary cluster is TDE-enabled. It automatically enables TDE and allows you to select the encryption key from the available List. !!!Note - TDE key material for faraway replicas must be same as the primary cluster encryption key. In case you use different key material, the cluster provisioning fails. - - We recommend, not to enable TDE for faraway replica cluster creation, if the source cluster is a non-TDE cluster. + The TDE key material for faraway replicas must be the same as the primary cluster encryption key. If you use different key material, the cluster provisioning will fail. + + Do not to enable TDE when restoring a non-TDE faraway replica cluster. !!! 1. To turn on the ability to log in to Postgres using your AWS IAM credentials, enable Identity and Access Management (IAM) Authentication. See [Access](/biganimal/latest/getting_started/creating_a_cluster/#access). From 3e7f19d8408aeb5d02cc741c6f9a554b64c85ca6 Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Mon, 10 Jun 2024 18:32:46 +0200 Subject: [PATCH 02/16] restructured security topic as UI links to it and added compatibility table --- .../release/overview/03_security/index.mdx | 53 ++++++++++++++----- 1 file changed, 39 insertions(+), 14 deletions(-) diff --git a/product_docs/docs/biganimal/release/overview/03_security/index.mdx b/product_docs/docs/biganimal/release/overview/03_security/index.mdx index f4a17b594fb..aae497b89c0 100644 
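Review bot: the added line "Do not to enable TDE when restoring a non-TDE faraway replica cluster." has the stray "to" and says "restoring", but this section covers creating a faraway replica (the removed line said "faraway replica cluster creation"); suggest "Do not enable TDE when creating a faraway replica of a non-TDE cluster." The first hunk also silently removes the "1–25 weeks" retention option, which the subject "Added preliminary updates based on phase 1 PR" does not mention; confirm that retention choice was actually withdrawn from the product rather than dropped by accident.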
--- a/product_docs/docs/biganimal/release/overview/03_security/index.mdx +++ b/product_docs/docs/biganimal/release/overview/03_security/index.mdx 
@@ -4,25 +4,50 @@ title: "Security" BigAnimal runs in your own cloud account or BigAnimal's cloud account. Every BigAnimal cluster is logically isolated from other BigAnimal clusters, but the security properties of the system are different in each [deployment option](/biganimal/release/planning/deployment_options). The key security features are: -- **Data isolation:** With both deployment options, data is fully isolated between separate clusters. No two BigAnimal clusters share a Postgres process, virtual machine, or storage volume. The implementation of this isolation depends on the deployment option. - - **Your own cloud account:** Clusters are installed and managed on virtual machines and storage volumes deployed by BigAnimal on your behalf in your cloud environment. Complete segregation of your data is assured. Your data never leaves your cloud account, and your clusters don't share network segments with other customers' clusters. - - **BigAnimal's cloud account:** BigAnimal deploys cloud infrastructure in accounts owned by BigAnimal. Every cluster is assigned a dedicated set of virtual machines and storage volumes, and these resources are never reused by BigAnimal across multiple clusters. Two clusters can share the same network segment, but access to the system is limited to prevent communication between clusters in the BigAnimal infrastructure. +## Data isolation -- **Granular access control:** With both deployment options, you can use single sign-on (SSO) and define your own sets of roles and role-based access control (RBAC) policies to manage your individual cloud environments. See [Managing portal access](../../administering_cluster/01_portal_access/) for more information. +**Data isolation:** With both deployment options, data is fully isolated between separate clusters. No two BigAnimal clusters share a Postgres process, virtual machine, or storage volume. The implementation of this isolation depends on the deployment option. 
-- **Data encryption:** - - **BigAnimal's encryption** - All data in BigAnimal is encrypted in motion and at rest. Network traffic is encrypted using Transport Layer Security (TLS) v1.2 or greater. Data at rest is encrypted using AES with 256-bit keys. Data encryption keys are envelope encrypted, and the wrapped data encryption keys are securely stored in a key management system. When you use your own cloud account, encryption keys never leave your cloud environment. - - **Your own encryption key** - Optionally enable Transparent Data Encryption (TDE) at the database level on BigAnimal's cloud account, on AWS, GCP or Azure. You can't enable nor diable TDE on existing clusters. To enable TDE, first connect the encryption keys to BigAnimal at the project level, and then select those keys while creating a cluster. +- **Your own cloud account:** Clusters are installed and managed on virtual machines and storage volumes deployed by BigAnimal on your behalf in your cloud environment. Complete segregation of your data is assured. Your data never leaves your cloud account, and your clusters don't share network segments with other customers' clusters. - !!!note - Enabling TDE using your own encryption key is supported on EDB Postgres Advanced Server and EDB Postgres Extended Server versions 15 and later. The process of encryption and decryption adds additional overhead in terms of CPU and RAM consumption, performance, and for managing keys for faraway replicas. - !!! -- **Portal audit logging:** Activities in the portal, such as those related to user roles, organization updates, and cluster creation and deletion, are tracked and viewed in the activity log. +- **BigAnimal's cloud account:** BigAnimal deploys cloud infrastructure in accounts owned by BigAnimal. Every cluster is assigned a dedicated set of virtual machines and storage volumes, and these resources are never reused by BigAnimal across multiple clusters. 
Two clusters can share the same network segment, but access to the system is limited to prevent communication between clusters in the BigAnimal infrastructure. -- **Database logging and auditing:** Functionality to track and analyze database activities is enabled automatically. For PostgreSQL, the PostgreSQL Audit Extension (pgAudit) is enabled for you when deploying a Postgres cluster. For EDB Postgres Advanced Server and EDB Postgres Extended Server, the EDB Audit extension (edb_audit) is enabled for you. - - **pgAudit:** The classes of statements being logged for pgAudit are set globally on a cluster with `pgaudit.log = 'write,ddl'`. The following statements made on tables are logged by default when the cluster type is PostgreSQL: `INSERT`, `UPDATE`, `DELETE`, `TRUNCATE`, AND `COPY`. All `DDL` is logged. +## Granular access control -- **Database cluster permissions:** With both deployment options, managing database cluster permissions is your responsibility. The edb_admin user created during the cluster creation process is granted superuser-like permissions, including the CREATEDB and CREATEROLE database roles. We recommend using the edb_admin user to create a new application user and new application database for further isolation. See [Managing Postgres access](../../using_cluster/01_postgres_access/) for more information. +With both deployment options, you can use single sign-on (SSO) and define your own sets of roles and role-based access control (RBAC) policies to manage your individual cloud environments. See [Managing portal access](../../administering_cluster/01_portal_access/) for more information. + +## Data encryption + +- **BigAnimal's encryption** - All data in BigAnimal is encrypted in motion and at rest. Network traffic is encrypted using Transport Layer Security (TLS) v1.2 or greater. Data at rest is encrypted using AES with 256-bit keys. 
Data encryption keys are envelope encrypted, and the wrapped data encryption keys are securely stored in a key management system. When you use your own cloud account, encryption keys never leave your cloud environment. + +- **Your own encryption key** - Optionally enable Transparent Data Encryption (TDE) at the database level on BigAnimal's cloud account, on AWS, GCP or Azure. You can't enable nor diable TDE on existing clusters. To enable TDE, first connect the encryption keys to BigAnimal at the project level, and then select those keys while creating a cluster. + +TDE is supported in the following environment scenarios: + +| | AWS-hosted cluster (BYOA) | GCP-hosted cluster (BYOA) | Azure-hosted cluster (BYOA) | BigAnimal-hosted cluster (BAH) | +|-----------------------------|---------------------------|---------------------------|-----------------------------|--------------------------------| +| AWS Key Management Service | yes | yes | yes | yes | +| Google Cloud Key Management | yes | yes | yes | yes | +| Azure Key Vault | yes | yes | yes | no | +| BAH key management | no | no | no | yes | + +!!!note + Enabling TDE using your own encryption key is supported on EDB Postgres Advanced Server and EDB Postgres Extended Server versions 15 and later. The process of encryption and decryption adds additional overhead in terms of CPU and RAM consumption, performance, and for managing keys for faraway replicas. +!!! + +## Portal audit logging + +Activities in the portal, such as those related to user roles, organization updates, and cluster creation and deletion, are tracked and viewed in the activity log. + +## Database logging and auditing + +Functionality to track and analyze database activities is enabled automatically. For PostgreSQL, the PostgreSQL Audit Extension (pgAudit) is enabled for you when deploying a Postgres cluster. For EDB Postgres Advanced Server and EDB Postgres Extended Server, the EDB Audit extension (edb_audit) is enabled for you. 
+ +- **pgAudit:** The classes of statements being logged for pgAudit are set globally on a cluster with `pgaudit.log = 'write,ddl'`. The following statements made on tables are logged by default when the cluster type is PostgreSQL: `INSERT`, `UPDATE`, `DELETE`, `TRUNCATE`, AND `COPY`. All `DDL` is logged. + +## Database cluster permissions + +With both deployment options, managing database cluster permissions is your responsibility. The edb_admin user created during the cluster creation process is granted superuser-like permissions, including the CREATEDB and CREATEROLE database roles. We recommend using the edb_admin user to create a new application user and new application database for further isolation. See [Managing Postgres access](../../using_cluster/01_postgres_access/) for more information. ## See also From 59f3365616766888361270af4410c709215ca2b4 Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Tue, 11 Jun 2024 12:13:04 +0200 Subject: [PATCH 03/16] improved security section and updated compatibility section --- .../getting_started/creating_a_cluster/index.mdx | 5 ++++- .../release/overview/03_security/index.mdx | 14 ++++++++++---- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx index db96b26f320..0c16cc79895 100644 --- a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx +++ b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx 
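Review bot: the new "## Data isolation" heading is immediately followed by a paragraph that repeats "**Data isolation:**" as a bold label, and the "diable" typo and the capitalised "AND `COPY`" are carried over unchanged into the moved lines; drop the redundant label and fix both while the text is being moved. The new compatibility table also marks every cross-provider combination as "yes" (an AWS Key Management Service key for a GCP- or Azure-hosted cluster, for example), which needs confirming: the cluster-creation page tells users to select a key "from your project and region", and the project-level key is added for a specific **Cloud Service Provider** and **Region**, so a key from one provider being usable by a cluster hosted on another is a strong claim to put in a table without explanation.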
@@ -219,7 +219,10 @@ Enable **Superuser Access** to grant superuser privileges to the edb_admin role. Enable **Transparent Data Encryption (TDE)** to use an encryption key. This option is available for EDB Postgres Advanced Server and EDB Postgres Extended Server for version 15 and later. Select an encryption key from your project and region to encrypt the cluster with TDE. !!!Note "Important" -- To enable and use TDE for a cluster, the encryption key must be enabled and added at the project level. For more information, see [Adding a TDE key at project level](../../administering_cluster/projects.mdx/#adding-a-tde-key). +- To enable and use TDE for a cluster, the encryption key must be enabled and added at the project level. + To add a key, see [Adding a TDE key at project level](../../administering_cluster/projects.mdx/#adding-a-tde-key). + To learn more about TDE options, see [Transparent Data Encryption](../../overview/03_security/#your-own-encryption-key---transparent-data-encryption-tde) + - If the TDE enabled cluster creation is in progress and the process is waiting providing **Encryption Key Error** next to the cluster name on the clusters page: - Select the cluster name and go to the cluster's home page. - See the **Action required: grant key permissions to activate the cluster** on the cluster's overview tab. diff --git a/product_docs/docs/biganimal/release/overview/03_security/index.mdx b/product_docs/docs/biganimal/release/overview/03_security/index.mdx index aae497b89c0..653c2cca806 100644 --- a/product_docs/docs/biganimal/release/overview/03_security/index.mdx +++ b/product_docs/docs/biganimal/release/overview/03_security/index.mdx 
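Review bot: the added sentence "To learn more about TDE options, see [Transparent Data Encryption](...)" is missing its closing period, and the fragment `#your-own-encryption-key---transparent-data-encryption-tde` depends on how the site slugifies the heading "### Your own encryption key - Transparent Data Encryption (TDE)" added in the next hunk of this patch; the triple hyphen and dropped parentheses are easy to get wrong, so verify the generated id in a preview build or give the heading an explicit id.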
@@ -18,18 +18,24 @@ With both deployment options, you can use single sign-on (SSO) and define your o ## Data encryption -- **BigAnimal's encryption** - All data in BigAnimal is encrypted in motion and at rest. Network traffic is encrypted using Transport Layer Security (TLS) v1.2 or greater. Data at rest is encrypted using AES with 256-bit keys. Data encryption keys are envelope encrypted, and the wrapped data encryption keys are securely stored in a key management system. When you use your own cloud account, encryption keys never leave your cloud environment. +### BigAnimal's encryption -- **Your own encryption key** - Optionally enable Transparent Data Encryption (TDE) at the database level on BigAnimal's cloud account, on AWS, GCP or Azure. You can't enable nor diable TDE on existing clusters. To enable TDE, first connect the encryption keys to BigAnimal at the project level, and then select those keys while creating a cluster. +All data in BigAnimal is encrypted in motion and at rest. Network traffic is encrypted using Transport Layer Security (TLS) v1.2 or greater. Data at rest is encrypted using AES with 256-bit keys. Data encryption keys are envelope encrypted, and the wrapped data encryption keys are securely stored in a key management system. When you use your own cloud account, encryption keys never leave your cloud environment. + +### Your own encryption key - Transparent Data Encryption (TDE) + +Optionally enable Transparent Data Encryption (TDE) at the database level on BigAnimal's cloud account, on AWS, GCP or Azure. TDE encrypts all data files, the write-ahead log (WAL) and temporary files used during query processing and database system operations. + +You can't enable nor disable TDE on existing clusters. To enable TDE, first connect the encryption keys to BigAnimal at the project level, and then select those keys while creating a cluster. 
+ +TDE is supported in the following cluster-type-to-key combinations: -TDE is supported in the following environment scenarios: | | AWS-hosted cluster (BYOA) | GCP-hosted cluster (BYOA) | Azure-hosted cluster (BYOA) | BigAnimal-hosted cluster (BAH) | |-----------------------------|---------------------------|---------------------------|-----------------------------|--------------------------------| | AWS Key Management Service | yes | yes | yes | yes | | Google Cloud Key Management | yes | yes | yes | yes | | Azure Key Vault | yes | yes | yes | no | -| BAH key management | no | no | no | yes | !!!note Enabling TDE using your own encryption key is supported on EDB Postgres Advanced Server and EDB Postgres Extended Server versions 15 and later. The process of encryption and decryption adds additional overhead in terms of CPU and RAM consumption, performance, and for managing keys for faraway replicas. From c825be847fa59e3822b41e78bf20ae60d4a96102 Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Tue, 11 Jun 2024 17:30:03 +0200 Subject: [PATCH 04/16] Cloud Provider-specific instructions for completion of config --- .../creating_a_cluster/index.mdx | 34 +++++++++++++++---- 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx index 0c16cc79895..c76f5b10218 100644 --- a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx +++ b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx 
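Review bot: "You can't enable nor disable TDE on existing clusters." should read "You can't enable or disable TDE on existing clusters" ("nor" needs "neither"). The hunk also deletes the "BAH key management" row, which leaves the page with no statement about what a BigAnimal-hosted cluster uses when no customer key is selected; either add a sentence for that case or change the caption "cluster-type-to-key combinations" to say the table lists customer-managed keys only. The Azure Key Vault "no" for BigAnimal-hosted clusters survives the edit, so the cross-provider "yes" cells are now the only surprising entries and deserve a short explanation next to the table.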
@@ -221,14 +221,36 @@ Enable **Transparent Data Encryption (TDE)** to use an encryption key. This opti !!!Note "Important" - To enable and use TDE for a cluster, the encryption key must be enabled and added at the project level. To add a key, see [Adding a TDE key at project level](../../administering_cluster/projects.mdx/#adding-a-tde-key). - To learn more about TDE options, see [Transparent Data Encryption](../../overview/03_security/#your-own-encryption-key---transparent-data-encryption-tde) - -- If the TDE enabled cluster creation is in progress and the process is waiting providing **Encryption Key Error** next to the cluster name on the clusters page: - - Select the cluster name and go to the cluster's home page. - - See the **Action required: grant key permissions to activate the cluster** on the cluster's overview tab. - - Copy the **Principal** and add it to your key policy to provide **kms:Encrypt** and **kms:Decrypt** permission. + To learn more about TDE options, see [Transparent Data Encryption](../../overview/03_security/#your-own-encryption-key---transparent-data-encryption-tde). !!! +#### Completing the TDE configuration + +To complete the TDE key configuration after a TDE-enabled cluster has been created, you will have to complete the configuration by cross-entering the BA key information into your key management platform. The UI reminds you about this step by displaying a **Waiting for access to encryption key** state next to the cluster name on the clusters page. To complete the key configuration: + +1. Select the cluster name to access the cluster's page, and see the **Action required: grant key permissions to activate the cluster**. + +1. Grant permisions for the BigAnimal key in the console of your key management provider: + + For GCP: + 1. Copy the **service account** to your clipboard. + 1. Go to the Google Cloud console, select **Security**, **VIEW BY PRINCIPALS**, **GRANT ACCESS**. + 1. 
Paste the service account into the **New principals** field. + 1. Assign the `Cloud KMS CryptoKey Decrypter` and `Cloud KMS CryptoKey Encrypter` roles and save. + + For Azure: + 1. Copy the **MSI Workload Identity** to your clipboard. + 1. Got to the Microsoft Azure console, select **Access configuration** and select **Vault access policy** in the **Permission model** section, and **Apply**. + 1. Go to **Access policy** and select **Create**. + 1. In **Permissions**, select **Encrypt** and **Decrypt**. + 1. In **Principal**, paste the MSI Workload Identity you copied to your clipboard and finish creating the policy. + + For AWS: + 1. Copy the **Principal** identifier to your clipboard. + 1. Go to the AWS console, in the **Key Management Service**, select **Customer-managed keys** + 1. Select **Edit policy** and paste the **Principal** identifier you copied to your clipboard into the `Principal.AWS` field. + 1. In the `Principal.Action` field, provide **kms:Encrypt** and **kms:Decrypt** permissions and **Save**. + ## What’s next After you create your cluster, use these resources to learn about cluster use and management: From 8da460a69dd3c8c674fed4aa1eb8ebafa163374e Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Wed, 12 Jun 2024 12:43:12 +0200 Subject: [PATCH 05/16] added options with expands --- .../creating_a_cluster/index.mdx | 66 +++++++++++++++---- .../release/overview/03_security/index.mdx | 12 +++- 2 files changed, 63 insertions(+), 15 deletions(-) diff --git a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx index c76f5b10218..40bc6b87edb 100644 --- a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx +++ b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx 
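Review bot: the AWS steps refer to a `Principal.Action` field, but in a KMS key policy statement `Action` is a sibling of `Principal`, not nested under it; the principal goes in `Principal.AWS` and the permissions go in the statement's `Action` list, e.g. `"Principal": {"AWS": "<principal copied from the cluster page>"}, "Action": ["kms:Encrypt", "kms:Decrypt"]`. Also in this hunk: "permisions" and "Got to" are typos; the opening sentence says "To complete the TDE key configuration ... you will have to complete the configuration" twice; the GCP steps never say at which scope (key, key ring, or project) to grant the two roles, so readers may grant them project-wide when the key alone would do; and the Azure step changes the vault's **Permission model** to **Vault access policy**, which alters authorization for the entire vault rather than this one key and should carry a note saying so.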
@@ -1,6 +1,7 @@ --- title: "Creating a cluster" description: Describes cluster creation options +deepToC: true redirects: #adding hierarchy to the structure (Creating a Cluster topic nows has a child topic) so created a folder and moved the contents from 03_create_cluster to index.mdx - ../03_create_cluster/ 
@@ -216,15 +217,15 @@ Enable **Superuser Access** to grant superuser privileges to the edb_admin role. ### Security -Enable **Transparent Data Encryption (TDE)** to use an encryption key. This option is available for EDB Postgres Advanced Server and EDB Postgres Extended Server for version 15 and later. Select an encryption key from your project and region to encrypt the cluster with TDE. +Enable **Transparent Data Encryption (TDE)** to use an encryption key. This option is available for EDB Postgres Advanced Server and EDB Postgres Extended Server for version 15 and later. Select an encryption key from your project and region to encrypt the cluster with TDE. To learn more about TDE options, see [Transparent Data Encryption](../../overview/03_security/#your-own-encryption-key---transparent-data-encryption-tde). !!!Note "Important" - To enable and use TDE for a cluster, the encryption key must be enabled and added at the project level. To add a key, see [Adding a TDE key at project level](../../administering_cluster/projects.mdx/#adding-a-tde-key). - To learn more about TDE options, see [Transparent Data Encryption](../../overview/03_security/#your-own-encryption-key---transparent-data-encryption-tde). +- To enable and use TDE for a cluster, the configuration must be completed on the platform of your key management provider. See [Completing the TDE configuration](#completing-the-TDE-configuration) for more information. !!! -#### Completing the TDE configuration +#### Completing the TDE configuration To complete the TDE key configuration after a TDE-enabled cluster has been created, you will have to complete the configuration by cross-entering the BA key information into your key management platform. The UI reminds you about this step by displaying a **Waiting for access to encryption key** state next to the cluster name on the clusters page. To complete the key configuration: 
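Review bot: the added link `[Completing the TDE configuration](#completing-the-TDE-configuration)` uses uppercase "TDE" in the fragment, while generated heading ids are lowercased (`#completing-the-tde-configuration`), so the link will most likely not resolve; lowercase the fragment. The `-#### Completing the TDE configuration` / `+#### Completing the TDE configuration ` pair differs only by trailing whitespace and should be reverted to avoid churn.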
@@ -232,24 +233,65 @@ To complete the TDE key configuration after a TDE-enabled cluster has been creat 1. Grant permisions for the BigAnimal key in the console of your key management provider: - For GCP: +
AWS + + 1. Copy the **Principal** identifier to your clipboard. + 1. Go to the AWS console, and navigate to the **Key Management Service** + 1. Select **Customer-managed keys**, and **Edit policy**. + 1. Paste the **Principal** identifier you copied to your clipboard into the `Principal.AWS` field. + 1. In the `Principal.Action` field, provide **kms:Encrypt** and **kms:Decrypt** permissions and **Save**. + +
+ +
GCP + 1. Copy the **service account** to your clipboard. 1. Go to the Google Cloud console, select **Security**, **VIEW BY PRINCIPALS**, **GRANT ACCESS**. 1. Paste the service account into the **New principals** field. 1. Assign the `Cloud KMS CryptoKey Decrypter` and `Cloud KMS CryptoKey Encrypter` roles and save. - For Azure: +
+ +
Azure + 1. Copy the **MSI Workload Identity** to your clipboard. - 1. Got to the Microsoft Azure console, select **Access configuration** and select **Vault access policy** in the **Permission model** section, and **Apply**. - 1. Go to **Access policy** and select **Create**. + 1. Got to the Microsoft Azure console, and navigate to **Key vaults**. + 1. Select the key, **Access policies**, and **Create**. 1. In **Permissions**, select **Encrypt** and **Decrypt**. 1. In **Principal**, paste the MSI Workload Identity you copied to your clipboard and finish creating the policy. - For AWS: - 1. Copy the **Principal** identifier to your clipboard. - 1. Go to the AWS console, in the **Key Management Service**, select **Customer-managed keys** - 1. Select **Edit policy** and paste the **Principal** identifier you copied to your clipboard into the `Principal.AWS` field. - 1. In the `Principal.Action` field, provide **kms:Encrypt** and **kms:Decrypt** permissions and **Save**. +
+ + + +#### Completing the TDE configuration 2 + +To complete the TDE key configuration after a TDE-enabled cluster has been created, you will have to complete the configuration by cross-entering the BA key information into your key management platform. The UI reminds you about this step by displaying a **Waiting for access to encryption key** state next to the cluster name on the clusters page. To complete the key configuration: + +1. Select the cluster name to access the cluster's page, and see the **Action required: grant key permissions to activate the cluster**. + +1. Copy the **Principal** idenfifier (AWS), **service account** (GCP) or **MSI Workload Identity** (Azure) to your clipboard. + +1. Follow the on-screen guide to grant encrypt and decrypt access rights to your key management provider. Here is additional guidance: + +
In AWS + + Go to the **Key Management Service** of the AWS console. Navigate to the customer-managed keys and edit the policy. Paste the **Principal** copied to your clipboard into code editor. Assign the **kms:Encrypt** and **kms:Decrypt** permissions. + +
+ +
In GCP + + Go to the **Cloud Key Management Service** of the Google Cloud console. Navigate to the security page and grant access to view principals. Paste the service account you copied to the new principals field. Assign the `Cloud KMS CryptoKey Decrypter` and `Cloud KMS CryptoKey Encrypter` roles. + +
+ +
In Azure + + Go to **Key vaults** in the Microsoft Azure console. Navigate to the access policies. Create a new policy with **Encrypt** and **Decrypt** permissions, and paste the MSI Workload Identity you copied to the principal field. + +
+ ## What’s next diff --git a/product_docs/docs/biganimal/release/overview/03_security/index.mdx b/product_docs/docs/biganimal/release/overview/03_security/index.mdx index 653c2cca806..91196cb759d 100644 --- a/product_docs/docs/biganimal/release/overview/03_security/index.mdx +++ b/product_docs/docs/biganimal/release/overview/03_security/index.mdx @@ -1,5 +1,6 @@ --- title: "Security" +deepToC: true --- BigAnimal runs in your own cloud account or BigAnimal's cloud account. Every BigAnimal cluster is logically isolated from other BigAnimal clusters, but the security properties of the system are different in each [deployment option](/biganimal/release/planning/deployment_options). The key security features are: @@ -28,8 +29,7 @@ Optionally enable Transparent Data Encryption (TDE) at the database level on Big You can't enable nor disable TDE on existing clusters. To enable TDE, first connect the encryption keys to BigAnimal at the project level, and then select those keys while creating a cluster. -TDE is supported in the following cluster-type-to-key combinations: - +Enabling TDE using your own encryption key is supported on EDB Postgres Advanced Server and EDB Postgres Extended Server versions 15 and later. Both the key and the cluster must be within the same region and the same cloud provider: | | AWS-hosted cluster (BYOA) | GCP-hosted cluster (BYOA) | Azure-hosted cluster (BYOA) | BigAnimal-hosted cluster (BAH) | |-----------------------------|---------------------------|---------------------------|-----------------------------|--------------------------------| 
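Review bot: the AWS steps tell the reader to put `kms:Encrypt` and `kms:Decrypt` in a `Principal.Action` field, but in a KMS key policy statement `Action` is a sibling of `Principal`, not nested under it; keep `Principal.AWS` for the identity and refer to `Action` for the permissions. In the same hunk, the Azure step `1. Got to the Microsoft Azure console, and navigate to **Key vaults**.` has a typo ("Go to"), and the removed step that set the **Permission model** to **Vault access policy** is a prerequisite: access policies only apply to vaults using that model, so readers on the Azure RBAC model will not find a usable **Access policies** option. Finally, everything from `#### Completing the TDE configuration 2` onward duplicates the section above it with near-identical text and reads as draft material; remove it before merge or fold its provider paragraphs into the collapsible sections above.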
@@ -37,8 +37,14 @@ TDE is supported in the following cluster-type-to-key combinations: | Google Cloud Key Management | yes | yes | yes | yes | | Azure Key Vault | yes | yes | yes | no | +| | AWS-hosted cluster (BYOA) | GCP-hosted cluster (BYOA) | Azure-hosted cluster (BYOA) | BigAnimal-hosted cluster (BAH) | +|-----------------------------|---------------------------|---------------------------|-----------------------------|--------------------------------| +| AWS Key Management Service | yes | no | no | yes | +| Google Cloud Key Management | no | yes | no | yes | +| Azure Key Vault | no | no | yes | no | + !!!note - Enabling TDE using your own encryption key is supported on EDB Postgres Advanced Server and EDB Postgres Extended Server versions 15 and later. The process of encryption and decryption adds additional overhead in terms of CPU and RAM consumption, performance, and for managing keys for faraway replicas. + The process of encryption and decryption adds additional overhead in terms of CPU and RAM consumption, performance, and for managing keys for faraway replicas. !!! ## Portal audit logging From 2cf712b55e64239342cbdb9a6e9d3923fca3b5c4 Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Wed, 12 Jun 2024 13:34:08 +0200 Subject: [PATCH 06/16] minor edits --- .../biganimal/release/administering_cluster/projects.mdx | 6 +++--- .../release/getting_started/creating_a_cluster/index.mdx | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/product_docs/docs/biganimal/release/administering_cluster/projects.mdx b/product_docs/docs/biganimal/release/administering_cluster/projects.mdx index 5d6422fdf86..ff6092bccc5 100644 --- a/product_docs/docs/biganimal/release/administering_cluster/projects.mdx +++ b/product_docs/docs/biganimal/release/administering_cluster/projects.mdx 
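Review bot: two compatibility tables now appear back to back, because the new table is added while the rows of the old one (`| Google Cloud Key Management | yes | yes | yes | yes |`, `| Azure Key Vault | yes | yes | yes | no |`) are kept as context; they disagree with each other, and the old table also contradicts the sentence introduced in the previous hunk, "Both the key and the cluster must be within the same region and the same cloud provider:". Remove the old table in this hunk so the colon introduces a single table.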
@@ -89,12 +89,12 @@ To delete a project that you created: 1. From the **Settings** list, select **Security**. 1. Select **Add a key**. 1. On the **Add a key** page, select the **Cloud Service Provider**. -1. Select the **Region** for the key. The interface only displays the regions available to the cloud account you configured. +1. Select the **Region** for the key. The interface only displays the regions available in the cloud account you configured. !!! Note GCP offers the option to configure global keys. If you require a global key, do not select any region. !!! -1. Fill out the remaining values. Each cloud provider has a different set of options. -1. Select **Add Key** to finalize the key configuration. +1. Complete the remaining fields according to your cloud provider. +1. Select **Add Key** to finalize the configuration. Now, use this TDE key to create a cluster. For more information, see [Creating a cluster](/biganimal/release/getting_started/creating_a_cluster/#security). diff --git a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx index 40bc6b87edb..134d70cc5e1 100644 --- a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx +++ b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx 
@@ -217,12 +217,12 @@ Enable **Superuser Access** to grant superuser privileges to the edb_admin role. ### Security -Enable **Transparent Data Encryption (TDE)** to use an encryption key. This option is available for EDB Postgres Advanced Server and EDB Postgres Extended Server for version 15 and later. Select an encryption key from your project and region to encrypt the cluster with TDE. To learn more about TDE options, see [Transparent Data Encryption](../../overview/03_security/#your-own-encryption-key---transparent-data-encryption-tde). +Enable **Transparent Data Encryption (TDE)** to use your own encryption key. This option is available for EDB Postgres Advanced Server and EDB Postgres Extended Server for version 15 and later. Select an encryption key from your project and region to encrypt the cluster with TDE. To learn more about TDE options, see [Transparent Data Encryption](../../overview/03_security/#your-own-encryption-key---transparent-data-encryption-tde). !!!Note "Important" -- To enable and use TDE for a cluster, the encryption key must be enabled and added at the project level. +- To enable and use TDE for a cluster, the encryption key must be enabled and added at the project level before creating a cluster. To add a key, see [Adding a TDE key at project level](../../administering_cluster/projects.mdx/#adding-a-tde-key). -- To enable and use TDE for a cluster, the configuration must be completed on the platform of your key management provider. See [Completing the TDE configuration](#completing-the-TDE-configuration) for more information. +- To enable and use TDE for a cluster, you must complete the configuration on the platform of your key management provider after creating a cluster. See [Completing the TDE configuration](#completing-the-TDE-configuration) for more information. !!! #### Completing the TDE configuration From cac21bd367215212286abe5a7c7bfa39a26b3e07 Mon Sep 17 00:00:00 2001 
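Review bot: the two bullets of the Important note both open with "To enable and use TDE for a cluster," and now differ only in "before creating a cluster" versus "after creating a cluster"; merge them into one sentence with two ordered steps, e.g. "To use TDE on a cluster, add the key at the project level before creating the cluster, then grant BigAnimal access to the key in your key management platform after creating it." The rewritten line also carries the fragment `#completing-the-TDE-configuration` with its mixed case intact; lowercase it to match the generated heading id.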
From: gvasquezvargas Date: Wed, 12 Jun 2024 16:19:51 +0200 Subject: [PATCH 07/16] updated table --- .../creating_a_cluster/index.mdx | 6 ++--- .../release/overview/03_security/index.mdx | 27 ++++++++++--------- 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx index 134d70cc5e1..2161e3f9798 100644 --- a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx +++ b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx @@ -237,7 +237,7 @@ To complete the TDE key configuration after a TDE-enabled cluster has been creat 1. Copy the **Principal** identifier to your clipboard. 1. Go to the AWS console, and navigate to the **Key Management Service** - 1. Select **Customer-managed keys**, and **Edit policy**. + 1. Select **Customer-managed keys**, and **Edit policy** for your key. 1. Paste the **Principal** identifier you copied to your clipboard into the `Principal.AWS` field. 1. In the `Principal.Action` field, provide **kms:Encrypt** and **kms:Decrypt** permissions and **Save**. @@ -246,7 +246,7 @@ To complete the TDE key configuration after a TDE-enabled cluster has been creat
GCP 1. Copy the **service account** to your clipboard. - 1. Go to the Google Cloud console, select **Security**, **VIEW BY PRINCIPALS**, **GRANT ACCESS**. + 1. Go to the Google Cloud console, select **Security**, **VIEW BY PRINCIPALS**, **GRANT ACCESS** for your key. 1. Paste the service account into the **New principals** field. 1. Assign the `Cloud KMS CryptoKey Decrypter` and `Cloud KMS CryptoKey Encrypter` roles and save. @@ -282,7 +282,7 @@ To complete the TDE key configuration after a TDE-enabled cluster has been creat
In GCP - Go to the **Cloud Key Management Service** of the Google Cloud console. Navigate to the security page and grant access to view principals. Paste the service account you copied to the new principals field. Assign the `Cloud KMS CryptoKey Decrypter` and `Cloud KMS CryptoKey Encrypter` roles. + Go to the **Cloud Key Management Service** of the Google Cloud console. Navigate to the security page and grant access to view principals of your key. Paste the service account you copied to the new principals field. Assign the `Cloud KMS CryptoKey Decrypter` and `Cloud KMS CryptoKey Encrypter` roles.
diff --git a/product_docs/docs/biganimal/release/overview/03_security/index.mdx b/product_docs/docs/biganimal/release/overview/03_security/index.mdx index 91196cb759d..edaf6ce28e7 100644 --- a/product_docs/docs/biganimal/release/overview/03_security/index.mdx +++ b/product_docs/docs/biganimal/release/overview/03_security/index.mdx 
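Review bot: in the `In GCP` paragraph the new wording "grant access to view principals of your key" merges the two UI labels **VIEW BY PRINCIPALS** and **GRANT ACCESS** into a phrase that reads as granting a viewing permission; keep the labels as the list version above does ("select **VIEW BY PRINCIPALS**, then **GRANT ACCESS** for your key"). This paragraph belongs to the duplicated `Completing the TDE configuration 2` section, so consider removing that section first instead of editing it.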
@@ -29,19 +29,20 @@ Optionally enable Transparent Data Encryption (TDE) at the database level on Big You can't enable nor disable TDE on existing clusters. To enable TDE, first connect the encryption keys to BigAnimal at the project level, and then select those keys while creating a cluster. -Enabling TDE using your own encryption key is supported on EDB Postgres Advanced Server and EDB Postgres Extended Server versions 15 and later. Both the key and the cluster must be within the same region and the same cloud provider: - -| | AWS-hosted cluster (BYOA) | GCP-hosted cluster (BYOA) | Azure-hosted cluster (BYOA) | BigAnimal-hosted cluster (BAH) | -|-----------------------------|---------------------------|---------------------------|-----------------------------|--------------------------------| -| AWS Key Management Service | yes | yes | yes | yes | -| Google Cloud Key Management | yes | yes | yes | yes | -| Azure Key Vault | yes | yes | yes | no | - -| | AWS-hosted cluster (BYOA) | GCP-hosted cluster (BYOA) | Azure-hosted cluster (BYOA) | BigAnimal-hosted cluster (BAH) | -|-----------------------------|---------------------------|---------------------------|-----------------------------|--------------------------------| -| AWS Key Management Service | yes | no | no | yes | -| Google Cloud Key Management | no | yes | no | yes | -| Azure Key Vault | no | no | yes | no | +EDB supports enabling TDE with your own encryption key on EDB Postgres Advanced Server and EDB Postgres Extended Server versions 15 and later. Both the key and the cluster must be in the same region and hosted by the same underlying cloud provider. 
+ +This overview shows the supported cluster-to-key combinations: + +| | AWS cluster (BYOA) | AWS cluster (BAH) | GCP cluster (BYOA) | GCP cluster (BAH) | Azure cluster (BYOA) | Azure cluster (BAH) | +|-----------------------------|--------------------|-------------------|--------------------|-------------------|----------------------|---------------------| +| AWS Key Management Service | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | +| Google Cloud Key Management | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | +| Azure Key Vault | ✗ | ✗ | ✗ | ✗ | ✓ | ✗ | + + +**BYOA or Bring your own access:** BigAnimal deploys the cluster on your own cloud provider account. + +**BAH or BigAnimal hosted:** BigAnimal deploys the cluster on a cloud provider account owned and managed by EDB. !!!note The process of encryption and decryption adds additional overhead in terms of CPU and RAM consumption, performance, and for managing keys for faraway replicas. From f39a87eaf94bed29ced0462c10163475d6fac4cd Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Wed, 12 Jun 2024 16:48:16 +0200 Subject: [PATCH 08/16] key management provider refinement --- .../getting_started/creating_a_cluster/index.mdx | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx index 2161e3f9798..065382e8050 100644 --- a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx +++ b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx 
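Review bot: the legend line `**BYOA or Bring your own access:**` expands the acronym wrongly; its own explanation ("BigAnimal deploys the cluster on your own cloud provider account") and the rest of the docs use "Bring your own account". The `✓`/`✗` cells also have no legend where the previous table used plain `yes`/`no`; either keep the words or add a one-line key under the table.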
@@ -231,7 +231,9 @@ To complete the TDE key configuration after a TDE-enabled cluster has been creat 1. Select the cluster name to access the cluster's page, and see the **Action required: grant key permissions to activate the cluster**. -1. Grant permisions for the BigAnimal key in the console of your key management provider: +1. Copy the **Principal** idenfifier (AWS), **service account** (GCP) or **MSI Workload Identity** (Azure) to your clipboard. + +1. Follow the on-screen guide to grant encrypt and decrypt access rights to your key. Here is additional information in case you require further guidance:
AWS @@ -272,21 +274,21 @@ To complete the TDE key configuration after a TDE-enabled cluster has been creat 1. Copy the **Principal** idenfifier (AWS), **service account** (GCP) or **MSI Workload Identity** (Azure) to your clipboard. -1. Follow the on-screen guide to grant encrypt and decrypt access rights to your key management provider. Here is additional guidance: +1. Follow the on-screen guide to grant encrypt and decrypt access rights to your key. Here is additional information in case you require further guidance: -
In AWS +
AWS Go to the **Key Management Service** of the AWS console. Navigate to the customer-managed keys and edit the policy. Paste the **Principal** copied to your clipboard into code editor. Assign the **kms:Encrypt** and **kms:Decrypt** permissions.
-
In GCP +
GCP Go to the **Cloud Key Management Service** of the Google Cloud console. Navigate to the security page and grant access to view principals of your key. Paste the service account you copied to the new principals field. Assign the `Cloud KMS CryptoKey Decrypter` and `Cloud KMS CryptoKey Encrypter` roles.
-
In Azure +
Azure Go to **Key vaults** in the Microsoft Azure console. Navigate to the access policies. Create a new policy with **Encrypt** and **Decrypt** permissions, and paste the MSI Workload Identity you copied to the principal field. From e6c7a019c579d12c78cd29c35634e41f94e94834 Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Thu, 13 Jun 2024 11:46:33 +0200 Subject: [PATCH 09/16] instructions for completing configuration --- .../creating_a_cluster/index.mdx | 38 ++----------------- .../release/overview/03_security/index.mdx | 3 +- 2 files changed, 6 insertions(+), 35 deletions(-) diff --git a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx index 065382e8050..a757fb396eb 100644 --- a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx +++ b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx 
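Review bot: the new step `1. Copy the **Principal** idenfifier (AWS), **service account** (GCP) or **MSI Workload Identity** (Azure) to your clipboard.` has a typo ("identifier"), and the same misspelled step is carried as context in the second hunk of the duplicated section, so it needs fixing in both places or the duplicate section should go. "Here is additional information in case you require further guidance:" can be shortened to "Provider-specific details:".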
@@ -227,13 +227,13 @@ Enable **Transparent Data Encryption (TDE)** to use your own encryption key. Thi #### Completing the TDE configuration -To complete the TDE key configuration after a TDE-enabled cluster has been created, you will have to complete the configuration by cross-entering the BA key information into your key management platform. The UI reminds you about this step by displaying a **Waiting for access to encryption key** state next to the cluster name on the clusters page. To complete the key configuration: +After you create the cluster in the BigAnimal console, the UI will display the **Waiting for access to encryption key** state. To complete the configuration and enable the key sync between BigAnimal and the key management platform you must grant encrypt and decrypt permissions to your key: -1. Select the cluster name to access the cluster's page, and see the **Action required: grant key permissions to activate the cluster**. +1. In BigAnimal, select the cluster name and access the cluster's page. See the **Action required: grant key permissions to activate the cluster**. -1. Copy the **Principal** idenfifier (AWS), **service account** (GCP) or **MSI Workload Identity** (Azure) to your clipboard. +1. Copy the **Principal** identifier (AWS), **service account** (GCP) or **MSI Workload Identity** (Azure) to your clipboard. -1. Follow the on-screen guide to grant encrypt and decrypt access rights to your key. Here is additional information in case you require further guidance: +1. Follow the on-screen guide to grant encrypt and decrypt permissions to your key. Here is additional information in case you require further guidance:
AWS @@ -263,36 +263,6 @@ To complete the TDE key configuration after a TDE-enabled cluster has been creat 1. In **Principal**, paste the MSI Workload Identity you copied to your clipboard and finish creating the policy.
- - - -#### Completing the TDE configuration 2 - -To complete the TDE key configuration after a TDE-enabled cluster has been created, you will have to complete the configuration by cross-entering the BA key information into your key management platform. The UI reminds you about this step by displaying a **Waiting for access to encryption key** state next to the cluster name on the clusters page. To complete the key configuration: - -1. Select the cluster name to access the cluster's page, and see the **Action required: grant key permissions to activate the cluster**. - -1. Copy the **Principal** idenfifier (AWS), **service account** (GCP) or **MSI Workload Identity** (Azure) to your clipboard. - -1. Follow the on-screen guide to grant encrypt and decrypt access rights to your key. Here is additional information in case you require further guidance: - -
AWS - - Go to the **Key Management Service** of the AWS console. Navigate to the customer-managed keys and edit the policy. Paste the **Principal** copied to your clipboard into code editor. Assign the **kms:Encrypt** and **kms:Decrypt** permissions. - -
- -
GCP - - Go to the **Cloud Key Management Service** of the Google Cloud console. Navigate to the security page and grant access to view principals of your key. Paste the service account you copied to the new principals field. Assign the `Cloud KMS CryptoKey Decrypter` and `Cloud KMS CryptoKey Encrypter` roles. - -
- -
Azure - - Go to **Key vaults** in the Microsoft Azure console. Navigate to the access policies. Create a new policy with **Encrypt** and **Decrypt** permissions, and paste the MSI Workload Identity you copied to the principal field. - -
## What’s next diff --git a/product_docs/docs/biganimal/release/overview/03_security/index.mdx b/product_docs/docs/biganimal/release/overview/03_security/index.mdx index edaf6ce28e7..543e4cf89aa 100644 --- a/product_docs/docs/biganimal/release/overview/03_security/index.mdx +++ b/product_docs/docs/biganimal/release/overview/03_security/index.mdx @@ -29,7 +29,8 @@ Optionally enable Transparent Data Encryption (TDE) at the database level on Big You can't enable nor disable TDE on existing clusters. To enable TDE, first connect the encryption keys to BigAnimal at the project level, and then select those keys while creating a cluster. -EDB supports enabling TDE with your own encryption key on EDB Postgres Advanced Server and EDB Postgres Extended Server versions 15 and later. Both the key and the cluster must be in the same region and hosted by the same underlying cloud provider. +EDB supports enabling TDE with your own encryption key on Single Node and Primary/Standby High Availability deployments running EDB Postgres Advanced Server or EDB Postgres Extended Server versions 15 and later. +Both the key and cluster must be in the same region and hosted by the same underlying cloud provider. This overview shows the supported cluster-to-key combinations: From 39b229b6700a7faa5cc40509f1fddd98daa1bae3 Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Thu, 13 Jun 2024 12:11:49 +0200 Subject: [PATCH 10/16] cross-linked topics --- .../biganimal/release/administering_cluster/projects.mdx | 4 +++- .../release/getting_started/creating_a_cluster/index.mdx | 2 +- .../docs/biganimal/release/overview/03_security/index.mdx | 6 ++++++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/product_docs/docs/biganimal/release/administering_cluster/projects.mdx b/product_docs/docs/biganimal/release/administering_cluster/projects.mdx index ff6092bccc5..d836d72ad57 100644 --- a/product_docs/docs/biganimal/release/administering_cluster/projects.mdx 
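Review bot: in the rewritten intro, `See the **Action required: grant key permissions to activate the cluster**.` is a fragment with no noun for what is seen; suggest "The page shows the message **Action required: grant key permissions to activate the cluster**." The preceding sentence needs a comma before "you must grant", and "enable the key sync between BigAnimal and the key management platform" is vague: what the grant does is allow BigAnimal's identity to call encrypt and decrypt on your key, so say that. Removing the `Completing the TDE configuration 2` block in the second hunk resolves the earlier duplication.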
+++ b/product_docs/docs/biganimal/release/administering_cluster/projects.mdx @@ -96,7 +96,9 @@ To delete a project that you created: 1. Complete the remaining fields according to your cloud provider. 1. Select **Add Key** to finalize the configuration. -Now, use this TDE key to create a cluster. For more information, see [Creating a cluster](/biganimal/release/getting_started/creating_a_cluster/#security). +Now, use this TDE key to [create a cluster](/biganimal/release/getting_started/creating_a_cluster/#security). + +For more information about TDE support, see [Transparent Data Encryption](../overview/03_security#your-own-encryption-key---transparent-data-encryption-tde) ## Deleting a TDE key diff --git a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx index a757fb396eb..ce1445884cf 100644 --- a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx +++ b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx 
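Review bot: the added line `For more information about TDE support, see [Transparent Data Encryption](../overview/03_security#your-own-encryption-key---transparent-data-encryption-tde)` is missing its terminating period.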
@@ -217,7 +217,7 @@ Enable **Superuser Access** to grant superuser privileges to the edb_admin role. ### Security -Enable **Transparent Data Encryption (TDE)** to use your own encryption key. This option is available for EDB Postgres Advanced Server and EDB Postgres Extended Server for version 15 and later. Select an encryption key from your project and region to encrypt the cluster with TDE. To learn more about TDE options, see [Transparent Data Encryption](../../overview/03_security/#your-own-encryption-key---transparent-data-encryption-tde). +Enable **Transparent Data Encryption (TDE)** to use your own encryption key. This option is available for EDB Postgres Advanced Server and EDB Postgres Extended Server for version 15 and later. Select an encryption key from your project and region to encrypt the cluster with TDE. To learn more about TDE support, see [Transparent Data Encryption](../../overview/03_security/#your-own-encryption-key---transparent-data-encryption-tde). !!!Note "Important" - To enable and use TDE for a cluster, the encryption key must be enabled and added at the project level before creating a cluster. diff --git a/product_docs/docs/biganimal/release/overview/03_security/index.mdx b/product_docs/docs/biganimal/release/overview/03_security/index.mdx index 543e4cf89aa..00697159ef5 100644 --- a/product_docs/docs/biganimal/release/overview/03_security/index.mdx +++ b/product_docs/docs/biganimal/release/overview/03_security/index.mdx 
@@ -49,6 +49,12 @@ This overview shows the supported cluster-to-key combinations: The process of encryption and decryption adds additional overhead in terms of CPU and RAM consumption, performance, and for managing keys for faraway replicas. !!! +**To enable TDE**: + +- Before you create a TDE-enabled cluster, you must [add a TDE key](../../administering_cluster/projects##adding-a-tde-key). + +- See [Creating a new cluster - Security](../../getting_started/creating_a_cluster#security) to enable a TDE key during the cluster creation. + ## Portal audit logging Activities in the portal, such as those related to user roles, organization updates, and cluster creation and deletion, are tracked and viewed in the activity log. From e8d13c5964dcea1f1533a00384fdb91d9e5248b3 Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Mon, 17 Jun 2024 10:28:05 +0200 Subject: [PATCH 11/16] Implementing feedback from Gabriele --- .../creating_a_cluster/index.mdx | 37 +++++++++++++++++-- .../release/overview/03_security/index.mdx | 2 +- 2 files changed, 35 insertions(+), 4 deletions(-) diff --git a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx index ce1445884cf..fef9acb8e7c 100644 --- a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx +++ b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx 
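Review bot: the link `../../administering_cluster/projects##adding-a-tde-key` has a doubled `#`, which yields a fragment of `#adding-a-tde-key` (hash included) and will not scroll to the heading; use a single `#`. The two bullets under `**To enable TDE**:` also describe an ordered procedure (the text above says the key must be added first), so make them numbered steps: "1. Add a TDE key ... 2. Select the key under Security when creating the cluster ...".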
@@ -240,8 +240,38 @@ After you create the cluster in the BigAnimal console, the UI will display the * 1. Copy the **Principal** identifier to your clipboard. 1. Go to the AWS console, and navigate to the **Key Management Service** 1. Select **Customer-managed keys**, and **Edit policy** for your key. - 1. Paste the **Principal** identifier you copied to your clipboard into the `Principal.AWS` field. - 1. In the `Principal.Action` field, provide **kms:Encrypt** and **kms:Decrypt** permissions and **Save**. + 1. Append a new policy statement where the `Principal.AWS` field equals the **Principal** identifier you copied to your clipboard and where the `Principal.Action` field contains **kms:Encrypt** and **kms:Decrypt** permissions. + + This example contains the default AWS policy statement and the BigAnimal policy statement that corresponds to the TDE configuration. + + ``` + { + "Version": "2012-10-17", + "Id": "key-consolepolicy-3", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::142348057180:root" + }, + "Action": "kms:*", + "Resource": "*" + }, + { + "Sid": "Enable TDE on cluster ExampleCluster", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::142348057180:role/ba-vcvolsnap0ZUPsgZ-us-east-1-p-k2nxxtndkg" + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt" + ], + "Resource": "*" + } + ] + }
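Review bot: the fenced block opened after "This example contains the default AWS policy statement ..." is never closed within the added lines (they end at `}`), so everything after this point renders as code; add a closing fence and tag the opening one ```json. The prose step still refers to a `Principal.Action` field while the JSON itself shows `Action` as a sibling of `Principal` inside the statement; align the step with the example. The sample also embeds a concrete twelve-digit account id (`142348057180`) and a realistic role name in `arn:aws:iam::142348057180:role/ba-vcvolsnap0ZUPsgZ-us-east-1-p-k2nxxtndkg`; replace both with obvious placeholders so readers do not copy them into their own key policy.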
@@ -258,7 +288,8 @@ After you create the cluster in the BigAnimal console, the UI will display the * 1. Copy the **MSI Workload Identity** to your clipboard. 1. Got to the Microsoft Azure console, and navigate to **Key vaults**. - 1. Select the key, **Access policies**, and **Create**. + 1. Select the key, go to **Access configuration** and set the **Permission model** to **Vault access policy**. + 1. Select **Access policies**, and **Create**. 1. In **Permissions**, select **Encrypt** and **Decrypt**. 1. In **Principal**, paste the MSI Workload Identity you copied to your clipboard and finish creating the policy. diff --git a/product_docs/docs/biganimal/release/overview/03_security/index.mdx b/product_docs/docs/biganimal/release/overview/03_security/index.mdx index 00697159ef5..4194e204d65 100644 --- a/product_docs/docs/biganimal/release/overview/03_security/index.mdx +++ b/product_docs/docs/biganimal/release/overview/03_security/index.mdx @@ -41,7 +41,7 @@ This overview shows the supported cluster-to-key combinations: | Azure Key Vault | ✗ | ✗ | ✗ | ✗ | ✓ | ✗ | -**BYOA or Bring your own access:** BigAnimal deploys the cluster on your own cloud provider account. +**BYOA or Bring your own account:** BigAnimal deploys the cluster on your own cloud provider account. **BAH or BigAnimal hosted:** BigAnimal deploys the cluster on a cloud provider account owned and managed by EDB. From 2e9c7581ada7065d1652f27804b6baed24589b99 Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Mon, 17 Jun 2024 10:46:14 +0200 Subject: [PATCH 12/16] fixed indentation --- .../creating_a_cluster/index.mdx | 88 +++++++++---------- 1 file changed, 44 insertions(+), 44 deletions(-) diff --git a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx index fef9acb8e7c..a9e1ade4671 100644 --- a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx 
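Review bot: `1. Got to the Microsoft Azure console, and navigate to **Key vaults**.` on the context line directly above the new **Access configuration** step is a typo for "Go to"; the hunk already touches the next line, so fix it here rather than in a follow-up. Restoring the **Permission model** / **Vault access policy** step is the right call, since access policies only apply under that model. The `Bring your own account` correction in the security page hunk resolves the mismatch with its own explanation.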
+++ b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx @@ -237,61 +237,61 @@ After you create the cluster in the BigAnimal console, the UI will display the *
AWS - 1. Copy the **Principal** identifier to your clipboard. - 1. Go to the AWS console, and navigate to the **Key Management Service** - 1. Select **Customer-managed keys**, and **Edit policy** for your key. - 1. Append a new policy statement where the `Principal.AWS` field equals the **Principal** identifier you copied to your clipboard and where the `Principal.Action` field contains **kms:Encrypt** and **kms:Decrypt** permissions. + 1. Copy the **Principal** identifier to your clipboard. + 1. Go to the AWS console, and navigate to the **Key Management Service** + 1. Select **Customer-managed keys**, and **Edit policy** for your key. + 1. Append a new policy statement where the `Principal.AWS` field equals the **Principal** identifier you copied to your clipboard and where the `Principal.Action` field contains **kms:Encrypt** and **kms:Decrypt** permissions. - This example contains the default AWS policy statement and the BigAnimal policy statement that corresponds to the TDE configuration. - - ``` - { - "Version": "2012-10-17", - "Id": "key-consolepolicy-3", - "Statement": [ - { - "Sid": "Enable IAM User Permissions", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::142348057180:root" - }, - "Action": "kms:*", - "Resource": "*" - }, - { - "Sid": "Enable TDE on cluster ExampleCluster", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::142348057180:role/ba-vcvolsnap0ZUPsgZ-us-east-1-p-k2nxxtndkg" - }, - "Action": [ - "kms:Encrypt", - "kms:Decrypt" - ], - "Resource": "*" - } - ] - } + This example contains the default AWS policy statement and the BigAnimal policy statement that corresponds to the TDE configuration. 
+ + ``` + { + "Version": "2012-10-17", + "Id": "key-consolepolicy-3", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::142348057180:root" + }, + "Action": "kms:*", + "Resource": "*" + }, + { + "Sid": "Enable TDE on cluster ExampleCluster", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::142348057180:role/ba-vcvolsnap0ZUPsgZ-us-east-1-p-k2nxxtndkg" + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt" + ], + "Resource": "*" + } + ] + }
GCP - 1. Copy the **service account** to your clipboard. - 1. Go to the Google Cloud console, select **Security**, **VIEW BY PRINCIPALS**, **GRANT ACCESS** for your key. - 1. Paste the service account into the **New principals** field. - 1. Assign the `Cloud KMS CryptoKey Decrypter` and `Cloud KMS CryptoKey Encrypter` roles and save. + 1. Copy the **service account** to your clipboard. + 1. Go to the Google Cloud console, select **Security**, **VIEW BY PRINCIPALS**, **GRANT ACCESS** for your key. + 1. Paste the service account into the **New principals** field. + 1. Assign the `Cloud KMS CryptoKey Decrypter` and `Cloud KMS CryptoKey Encrypter` roles and save.
Azure - 1. Copy the **MSI Workload Identity** to your clipboard. - 1. Got to the Microsoft Azure console, and navigate to **Key vaults**. - 1. Select the key, go to **Access configuration** and set the **Permission model** to **Vault access policy**. - 1. Select **Access policies**, and **Create**. - 1. In **Permissions**, select **Encrypt** and **Decrypt**. - 1. In **Principal**, paste the MSI Workload Identity you copied to your clipboard and finish creating the policy. + 1. Copy the **MSI Workload Identity** to your clipboard. + 1. Got to the Microsoft Azure console, and navigate to **Key vaults**. + 1. Select the key, go to **Access configuration** and set the **Permission model** to **Vault access policy**. + 1. Select **Access policies**, and **Create**. + 1. In **Permissions**, select **Encrypt** and **Decrypt**. + 1. In **Principal**, paste the MSI Workload Identity you copied to your clipboard and finish creating the policy.
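Review bot: In step 4 of the AWS tab the wording "the `Principal.Action` field" is wrong: `Action` is a top-level field of the policy statement, not a child of `Principal`, so the step should read "where the `Principal.AWS` field equals the **Principal** identifier you copied and the `Action` field contains `kms:Encrypt` and `kms:Decrypt`". The policy example that follows is opened with a triple-backtick fence but never closed, so the GCP and Azure tabs below it will render inside the code block; add the closing fence after the final `}`. The example also embeds what looks like a real account ID and role name (`arn:aws:iam::142348057180:role/ba-vcvolsnap0ZUPsgZ-us-east-1-p-k2nxxtndkg`); replace both with clearly labelled placeholders so readers do not copy them verbatim, and say in the text that the role ARN is the **Principal** value shown by the BigAnimal console in step 1. Minor: in the Azure tab, "Got to the Microsoft Azure console" should be "Go to".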
From 8ea7bcf9c0a2e2dcb5bb61753b76d0da2b318552 Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Mon, 17 Jun 2024 10:52:28 +0200 Subject: [PATCH 13/16] fixed code snippet --- .../release/getting_started/creating_a_cluster/index.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx index a9e1ade4671..30ea50dcecd 100644 --- a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx +++ b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx @@ -272,7 +272,8 @@ After you create the cluster in the BigAnimal console, the UI will display the * } ] } - + ``` +
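Review bot: The added closing fence terminates the policy block, but the opening fence for this example carries no language tag; add `json` to the opening fence so the policy is syntax-highlighted and the block is recognisably JSON. Also confirm the closing fence is indented to the same column as the opening fence, since both sit inside a nested list item and a mismatched indent can stop the Markdown parser from treating it as the terminator.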
GCP From abd7e50138c927811808c67425ced50677af5b4c Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Mon, 17 Jun 2024 16:50:29 +0200 Subject: [PATCH 14/16] Apply suggestions from code review Generalized AWS Principal statement to contain generic info. Co-authored-by: Gabriele Fedi <91485518+GabriFedi97@users.noreply.github.com> --- .../release/getting_started/creating_a_cluster/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx index 30ea50dcecd..16b20366ee9 100644 --- a/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx +++ b/product_docs/docs/biganimal/release/getting_started/creating_a_cluster/index.mdx @@ -253,7 +253,7 @@ After you create the cluster in the BigAnimal console, the UI will display the * "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::142348057180:root" + "AWS": "arn:aws:iam:::root" }, "Action": "kms:*", "Resource": "*" @@ -262,7 +262,7 @@ After you create the cluster in the BigAnimal console, the UI will display the * "Sid": "Enable TDE on cluster ExampleCluster", "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::142348057180:role/ba-vcvolsnap0ZUPsgZ-us-east-1-p-k2nxxtndkg" + "AWS": "arn:aws:iam:::role/" }, "Action": [ "kms:Encrypt", From 9b2dadaa679f23aad3b21cf98afe08261c950e7f Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Mon, 17 Jun 2024 16:52:29 +0200 Subject: [PATCH 15/16] Apply suggestions from code review More explicit statement around unsupported backing up/restoring use cases --- .../release/using_cluster/05a_deleting_your_cluster.mdx | 2 +- .../docs/biganimal/release/using_cluster/managing_replicas.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
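Review bot: The generalised values `arn:aws:iam:::root` and `arn:aws:iam:::role/` are syntactically invalid ARNs (empty account ID segment, missing role name), so a reader who pastes this statement into the key policy editor will get a validation error from KMS. Use explicit, visibly marked placeholders instead, e.g. `"AWS": "arn:aws:iam::ACCOUNT_ID:root"` and `"AWS": "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"`, and state in the surrounding text that the second value is the **Principal** identifier copied from the BigAnimal console in step 1, not something the reader composes by hand.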
diff --git a/product_docs/docs/biganimal/release/using_cluster/05a_deleting_your_cluster.mdx b/product_docs/docs/biganimal/release/using_cluster/05a_deleting_your_cluster.mdx index 31e61ee9a7a..60515e3fa64 100644 --- a/product_docs/docs/biganimal/release/using_cluster/05a_deleting_your_cluster.mdx +++ b/product_docs/docs/biganimal/release/using_cluster/05a_deleting_your_cluster.mdx @@ -32,5 +32,5 @@ You can restore your deleted cluster for as long as the backup is available. !!! note To restore a TDE-enabled cluster, the TDE key material must match the source cluster encryption key material. If a different key material is used, the restore operation will fail. -Do not to enable TDE when restoring a non-TDE cluster. +EDB does not support enabling TDE when restoring a non-TDE cluster. !!! diff --git a/product_docs/docs/biganimal/release/using_cluster/managing_replicas.mdx b/product_docs/docs/biganimal/release/using_cluster/managing_replicas.mdx index fd20b0def62..f3b0bf35ce4 100644 --- a/product_docs/docs/biganimal/release/using_cluster/managing_replicas.mdx +++ b/product_docs/docs/biganimal/release/using_cluster/managing_replicas.mdx @@ -54,7 +54,7 @@ You can create faraway replicas in any active regions in your cloud. There's no !!!Note The TDE key material for faraway replicas must be the same as the primary cluster encryption key. If you use different key material, the cluster provisioning will fail. - Do not to enable TDE when restoring a non-TDE faraway replica cluster. + EDB does not support enabling TDE when restoring non-TDE faraway replica clusters. !!! 1. To turn on the ability to log in to Postgres using your AWS IAM credentials, enable Identity and Access Management (IAM) Authentication. See [Access](/biganimal/latest/getting_started/creating_a_cluster/#access). From 62e2a9752293503177614e8788b4cb076c8228f4 Mon Sep 17 00:00:00 2001 
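Review bot: The two notes now use different admonition syntax, `!!! note` in 05a_deleting_your_cluster.mdx and `!!!Note` in managing_replicas.mdx; pick one form so both render the same. The new sentence only says the scenario is unsupported; the preceding sentence in each note states the concrete outcome for mismatched key material ("the restore operation will fail", "the cluster provisioning will fail"), and it would help the reader to state in the same way what happens when TDE is enabled while restoring a non-TDE cluster or replica.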
From: gvasquezvargas Date: Tue, 25 Jun 2024 12:15:35 +0200 Subject: [PATCH 16/16] GCP key note --- .../biganimal/release/administering_cluster/projects.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/product_docs/docs/biganimal/release/administering_cluster/projects.mdx b/product_docs/docs/biganimal/release/administering_cluster/projects.mdx index d836d72ad57..b996e91b73e 100644 --- a/product_docs/docs/biganimal/release/administering_cluster/projects.mdx +++ b/product_docs/docs/biganimal/release/administering_cluster/projects.mdx @@ -90,12 +90,12 @@ To delete a project that you created: 1. Select **Add a key**. 1. On the **Add a key** page, select the **Cloud Service Provider**. 1. Select the **Region** for the key. The interface only displays the regions available in the cloud account you configured. - !!! Note - GCP offers the option to configure global keys. If you require a global key, do not select any region. - !!! 1. Complete the remaining fields according to your cloud provider. 1. Select **Add Key** to finalize the configuration. +!!!note Note for GCP keys + If the key you added was created in a different Google Cloud Platform account than the TDE-enabled cluster you want to create, ensure you enable the [Cloud KMS API](https://cloud.google.com/kms/docs/create-encryption-keys#before-you-begin) in the Google console before assigning it to your cluster in BigAnimal. + Now, use this TDE key to [create a cluster](/biganimal/release/getting_started/creating_a_cluster/#security). For more information about TDE support, see [Transparent Data Encryption](../overview/03_security#your-own-encryption-key---transparent-data-encryption-tde)
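Review bot: This hunk drops the note that GCP global keys are configured by not selecting a region; if that behaviour still holds, the instruction should be kept (folded into the **Region** step if a nested admonition was the problem), because a user looking for a global key otherwise has no guidance. In the new note, GCP scopes both KMS keys and API enablement to projects rather than accounts, so "a different Google Cloud Platform account" should read "project", and the note should say in which project the Cloud KMS API must be enabled (the project that holds the key or the project that hosts the cluster).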