Database User Management Automation
Automated database user management system that handles user permissions across multiple RDS Aurora clusters and AWS accounts using Lambda functions,[...]
Automated database user management system that handles user permissions across multiple RDS Aurora clusters and AWS accounts using Lambda functions, EventBridge, and MySQL automation.
Table of Contents
Project Overview
Managing database user permissions manually across multiple RDS clusters becomes complex and error-prone as organizations scale. This project implements an automated solution that manages database users, permissions, and access control across multiple Aurora MySQL clusters and AWS accounts.
Architecture
The solution leverages several AWS services:
| Technology | Purpose |
| AWS Lambda | Executes logic |
| AWS EventBridge | Watches for event changes |
| AWS RDS Aurora | Hosts the databases |
| AWS Parameter Store | Stores overall configuration |
| AWS Secrets Manager | Stores admin database credentials for management |
| AWS IAM | AWS Resource permissions |
| Python Boto3 | AWS API Interactions |
| MySQL | Database actions |
Key Features
Automated User Lifecycle Management
| Non Functional Requirement | Description |
| User Creation | The tool is idempotent |
| Permission Assignment | The tool will assign appropriate role based permissions from configuration. This includes downgrading permissions as well as elevating them |
| User Deactivation | If a user isn't in configuration when the tool is run, it should remove the user |
Multi-Account Support
- Cross-account user management
- Centralized control plane
- Consistent user naming conventions
Security and Compliance
- Least-privilege access principles
- Audit logging of all user operations
- Centralized SSO based authentication
- Role-based permission inheritance
Implementation Details
Event-Driven Architecture
The system responds to updates to SSM Parameter store updates.
Lambda Function Design
The core Lambda function handles:
- Reading json configuration for all users in SSM Parameter Store
- Connecting to each database in it's account
- Listing all users with specified naming convention
- Comparing configuration to database status
- Adding/Deleting/Modifying state in DB's according to configuration
Database Connection Management
def connect_to_database(db_connection_data: dict) -> mysql.connector.connect:
"""
Connect to the target database
Parameters:
db_connection_data (dict): The connection data for the target database
db_connection_data.host = string
db_connection_data.user = string
db_connection_data.pass = string
db_connection_data.name = string
"""
try:
connection = mysql.connector.connect(
host=db_connection_data['host'],
user=db_connection_data['user'],
password=db_connection_data['pass'],
database=db_connection_data['name']
)
logger.info(f"DB CONNECTION: {connection}")
return connection
except mysql.connector.Error as e:
logger.error(f"ERROR: Unexpected error: Could not connect to Serverless {db_connection_data['db_name']} MySQL instance.")
logger.error(e)
sys.exit()def get_secret_value(secret_arn: str, json_key: str) -> str:
"""
Get a secret value from AWS Secrets Manager
parameters:
secret_arn (str): The ARN of the secret in Secrets Manager
json_key (str): The key in the JSON object to retrieve
returns:
str: The value of the key in the JSON object
"""
logger.info(f'Getting secret value for {secret_arn}, key: {json_key}')
try:
response = sm_client.get_secret_value(
SecretId=secret_arn
)
raw_secret = response.get('SecretString')
secret_json = json.loads(raw_secret)
return secret_json[json_key]
except Exception as e:
logger.error(f"ERROR: Unexpected error: Could not retrieve for {secret_arn}. Maybe the key {json_key} does not exist.")
logger.error(e)
sys.exit()Permission Templates
Standardized permission sets based on role types:
# Define the permissions for each role
permissions = {
'read': 'SELECT',
'write': 'SELECT, INSERT, UPDATE',
'admin': 'SELECT, INSERT, UPDATE, DELETE, CREATE, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EXECUTE, EVENT, TRIGGER',
'trusted_admin': 'ALL PRIVILEGES'
}Technical Implementation
Cross-Account Access
The system uses cross-account IAM roles to manage users across multiple AWS accounts:
- Central management account assumes roles in target accounts
- Target account roles have necessary RDS permissions
- Database operations performed with Secrets Manager managed role credentials
- Audit trail maintained in central logging account
Database User Naming Convention
Users follow a consistent naming pattern: ```<company-prefix>_<username> ```
This ensures:
- Easy identification of user origin
- No naming conflicts across non-managed accounts
Error Handling and Monitoring
- Comprehensive error logging
- CloudWatch metrics for operational visibility
- SNS notifications for critical failures
Results and Impact
Operational Benefits
- Massive in manual database user management tasks
- Consistent permissions across all database clusters
- Automated compliance with access control policies
Security Improvements
- Eliminated shared database accounts
- Implemented least-privilege access
- Automated access removal for departed employees
- Complete audit trail of database access changes
Scalability
- Supports unlimited RDS clusters
- Handles multiple AWS accounts seamlessly
- Scales automatically with Lambda
- Minimal infrastructure maintenance required
Monitoring and Alerting
The system includes comprehensive monitoring:
- CloudWatch Dashboards for operational metrics
- Alarm notifications for failures
- Cost monitoring for resource efficiency
This project demonstrates how serverless technologies can automate complex database management tasks while maintaining security and compliance requirements across multiple AWS accounts and environments.