General security - Amazon Timestream

General security

Permissions

InfluxDB users should be granted least-privilege permissions. Only tokens granted to specific users, instead of operator tokens, should be used during migration.

Timestream for InfluxDB uses IAM permissions to control user permissions. We recommend users be granted access to the specific actions and resources that they require. For more information, see Grant least privilege access.

Secrets

InfluxDB operator tokens are generated on instance setup; other kinds of tokens, such as all-access and read/write tokens, can be created using the Influx CLI or Influx v2 API. See Manage API tokens for how to generate, view, assign, and delete tokens.

We recommend that users rotate tokens often using AWS Secrets Manager and store tokens via environment variables, for example, the INFLUX_SRC_TOKEN and INFLUX_DEST_TOKEN environment variables required for migration.

Network access

The Influx migration script can function locally, migrating data between two InfluxDB instances on the same system, but it is assumed that the primary use case for migrations will be migrating data across the network, either a local or public network. With this comes security considerations. The Influx migration script will, by default, verify TLS certificates for instances with TLS enabled: we recommend that users enable TLS in their InfluxDB instances and do not use the --skip-verify option for the script.

We recommend you use an allow-list to restrict network traffic to be from sources you are expecting. You can do this by limiting network traffic to the InfluxDB instances only from known IPs.

Dependencies

The latest major versions of all dependencies should be used, including Influx CLI, InfluxDB, Python, the Requests module, and optional dependencies such as mountpoint-s3 and rclone.

S3 buckets

If S3 buckets are used as a temporary storage for migration, we recommend enabling TLS, versioning, and disabling public access.

Using S3 buckets for migration
  1. Open the AWS Management Console, navigate to Amazon Simple Storage Service and then choose Buckets.

  2. Choose the bucket you wish to use.

  3. Choose the Permissions tab.

  4. Under Block public access (bucket settings), choose Edit.

  5. Check Block all public access.

  6. Choose Save changes.

  7. Under Bucket policy, choose Edit.

  8. Enter the following, replacing <example-bucket> with your bucket name, to enforce the use of TLS version 1.2 or later for connections:

    { "Version": "2012-10-17", "Statement": [ { "Sid": "EnforceTLSv12orHigher", "Principal": { "AWS": "*" }, "Action": [ "s3:*" ], "Effect": "Deny", "Resource": [ "arn:aws:s3:::<example bucket>/*", "arn:aws:s3:::<example bucket>" ], "Condition": { "NumericLessThan": { "s3:TlsVersion": 1.2 } } } ] }
  9. Choose Save changes.

  10. Choose the Properties tab.

  11. Under Bucket Versioning, choose Edit.

  12. Check Enable.

  13. Choose Save changes.

For information about Amazon S3 bucket best security practices, see Security best practices for Amazon Simple Storage Service.