DataSunrise Achieves AWS DevOps Competency Status in AWS DevSecOps and Monitoring, Logging, Performance

This website stores cookies to collect information about how you interact with our website. To find out more visit our Privacy Policy.

  • Home
  • Guides
  • How to Configure DataSunrise to Mask Data for Amazon Athena

How to Configure DataSunrise to Mask Data for Amazon Athena

How to Migrate DataSunrise CloudFormation Template from Launch Configuration (LC) to Launch Template (LT) Resource in Auto Scaling Group How to Send DataSunrise Events to a Microsoft Teams Channel via Incoming Webhook using Subscribers How To Offload The Audit Database Data To AWS S3 And Read It Using AWS Athena Service How to Convert Trial or BYOL Configuration of DataSunrise to Hourly Billing Backend DB: PostgreSQL (RDS) or Aurora PostgreSQL How to Troubleshoot “Connection Was Terminated” or “Connection Terminated Unexpectedly” Errors in Applications Using DataSunrise Proxies Exploring DataSunrise’s Performance Under High Traffic Conditions DataSunrise’s Approach to Configuring Penalties for SQL Injection Detection How to Block Specific Hosts in DataSunrise for Enhanced Database Security Troubleshooting AWS Metering and Hourly Billing Issues in DataSunrise on AWS Marketplace Cloud Formation Modification Dynamic Data Masking with DataSunrise: Masking with Lua scripts How to Choose the Database for Audit Storage: A Performance Analysis How to Run pgbench Through DataSunrise Proxy on PostgreSQL 14 with SCRAM Authentication DataSunrise SSO Authentication Based on SAML (Okta) DataSunrise SSO Authentication Based on OpenID (Okta) How to Search for Sensitive Data in Images Hosted on AWS S3 How to Deploy DataSunrise with Terraform Template on Azure How to Integrate DataSunrise with SQL Server Always On Cluster How to Deploy DataSunrise in Microsoft Azure Using Azure Resource Manager How to Perform DataSunrise Static Data Masking for MongoDB How to Configure DB Audit Trailing for MS Azure MySQL How to Configure DB Audit Trailing for MS Azure PostgreSQL How to Configure DataSunrise to Mask Data for Amazon Athena How to Upgrade RHEL OS version of existing DataSunrise servers How to Integrate DataSunrise with AWS Database Activity Streams for Getting Auditing Results for AWS Aurora PostgreSQL How to Set Up SSL Certificates for DataSunrise Database Proxy Generating Reports in DataSunrise How to Hide Schemas From Users in Redshift AWS RDS PostgreSQL Audit Logs in DataSunrise How to Audit Administrative Actions in Your Oracle RDS and EC2 How to Check if DataSunrise Receives Traffic How To Remove a Procedure or a Function From a Database

We expand our opportunities by introducing Dynamic Masking for Amazon Athena. Now you can obfuscate sensitive data from Athena on-the-fly to protect it from unauthorized persons.

Client applications use an encrypted connection to connect to Athena. DataSunrise can mask data in Athena only in Proxy mode. One secure connection is split into two at that: from a client application to DataSunrise and from DataSunrise to Athena. At the same time, it verifies the server’s certificate. If this certificate is self-signed, some applications may consider a connection insecure and reject it.

DataSunrise by default has a self-signed SSL certificate used to establish an encrypted connection between a client application and a DataSunrise proxy.

There are two options for a connection to Athena via a DataSunrise proxy:

  • Use DataSunrise’s self-signed certificate;
  • Use a properly signed SSL certificate from a certain Certification Authority.

If a certificate is authentic, a connection will be established. Otherwise, it will be considered by a client application as a man-in-the-middle attack and the connection will not be established unless the client application is properly configured. In this article, we will review this process using DBeaver as an example.

Creating Instance for Amazon Athena

First, you need to create an Instance for Athena in DataSunrise. This is necessary to create a database profile. The beginning is the same for every database: just input connection details for your Athena. Note that query results are stored in S3 buckets, so you need to specify an S3 bucket in the Query Result Location field.

Below, in the Capture Mode section, you need to select Proxy. In the Proxy Keys field select Create New to generate a new SSL Key Group and attach it to your proxy.

After that click Save.

Import Certificate into Keystore

Do the following:

  • After attaching a new SSL Key Group to your proxy in DataSunrise, navigate to Configuration → SSL Key Groups. Locate your SSL Key Group in the list and open it, copy the Certificate from the corresponding field into a text file. For example, create a file with the name dsca.crt and paste the certificate there. Put the file in C:\athena folder.
  • Run the command line as administrator and navigate to your DBeaver installation folder. For example C:\Program Files\DBeaver\jre\bin\.
  • Add your Athena certificate to cacerts which is located in C:\Program Files\DBeaver\jre\lib\security. For example:
    keytool.exe -importcert -trustcacerts -alias dsca -v -keystore "C:/Program Files/DBeaver/jre/lib/security/cacerts" -file "C:/athena/dsca.crt" -storepass changeit

Setting up and Running DBeaver

As far as we use DBeaver to be able to send queries to Athena via the DataSunrise proxy, you need to locate the dbeaver.ini file in your DBeaver installation folder and open it with a text editor. Add the following lines to the end of the file:

-Djavax.net.ssl.trustStore=<jks_file_path>
-Djavax.net.ssl.trustStorePassword=<jks_file_password>

For example:

-Djavax.net.ssl.trustStore=C:/Program Files/Java/jdk-11.0.1/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit

Run DBeaver with the following parameters (example):

dbeaver.exe -vm "C:\Program Files\DBeaver\jre\bin" -vmargs -Djavax.net.ssl.trustStore="C:\Program Files\DBeaver\jre\lib\security\cacerts" -Djavax.net.ssl.trustStorePassword=changeit

Connecting Through the Proxy with DBeaver

Configure a connection to your Athena via the DataSunrise proxy. At the Driver properties tab, set ProxyHost and ProxyPort according to your Athena proxy’s settings.

Then test the connection. Now you should be able to connect to your Athena via the DataSunrise proxy.



Configuring Dynamic Masking

Having configured a proxy, you can create a Dynamic Masking Rule for Athena. This process is easy and is applicable to every database.

Below is an example of a table with real data and masked email addresses respectively:



Also, DataSunrise supports unstructured data masking for Athena due to NLP (Natural Language Processing). Unstructured masking enables you to mask sensitive data in any form and format. For example, it can be a Word document or a PDF file. Sensitive data will be masked with asterisks (*).

Dynamic Masking for Athena is based on query result sets modification. It means that a database receives an original query and returns original data too. Masking performs when the data is going through a DataSunrise proxy, and the client will get obfuscated sensitive data after that.

Did this guide help you?

Contact Us