Permissions Network access Dependencies S3 buckets

General security

Topics

Permissions
Network access
Dependencies
S3 buckets

Permissions

InfluxDB users should be granted least-privilege permissions. Only tokens granted to specific users, instead of operator tokens, should be used during migration.

Timestream for InfluxDB uses IAM permissions to control user permissions. We recommend users be granted access to the specific actions and resources that they require. For more information, see Grant least privilege access.

Network access

The Influx migration script can function locally, migrating data between two InfluxDB instances on the same system, but it is assumed that the primary use case for migrations will be migrating data across the network, either a local or public network. With this comes security considerations. The Influx migration script will, by default, verify TLS certificates for instances with TLS enabled: we recommend that users enable TLS in their InfluxDB instances and do not use the --skip-verify option for the script.

We recommend you use an allow-list to restrict network traffic to be from sources you are expecting. You can do this by limiting network traffic to the InfluxDB instances only from known IPs.

Dependencies

The latest major versions of all dependencies should be used, including Influx CLI, InfluxDB, Python, the Requests module, and optional dependencies such as mountpoint-s3 and rclone.

S3 buckets

If S3 buckets are used as a temporary storage for migration, we recommend enabling TLS, versioning, and disabling public access.

Using S3 buckets for migration

Open the AWS Management Console, navigate to Amazon Simple Storage Service and then choose Buckets.
Choose the bucket you wish to use.
Choose the Permissions tab.
Under Block public access (bucket settings), choose Edit.
Check Block all public access.
Choose Save changes.
Under Bucket policy, choose Edit.

Enter the following, replacing <example-bucket> with your bucket name, to enforce the use of TLS version 1.2 or later for connections:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceTLSv12orHigher",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:*"
            ],
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::<example bucket>/*",
                "arn:aws:s3:::<example bucket>"
            ],
            "Condition": {
                "NumericLessThan": {
                    "s3:TlsVersion": 1.2
                }
            }
        }
    ]
}

Choose Save changes.
Choose the Properties tab.
Under Bucket Versioning, choose Edit.
Check Enable.
Choose Save changes.

For information about Amazon S3 bucket best security practices, see Security best practices for Amazon Simple Storage Service.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Overview

Database authentication with Amazon Timestream for InfluxDB