For similar capabilities to Amazon Timestream for LiveAnalytics, consider Amazon Timestream for InfluxDB. It offers simplified data ingestion and single-digit millisecond query response times for real-time analytics. Learn more [here](https://docs.amazonaws.cn//timestream/latest/developerguide/timestream-for-influxdb.html). # Overview Overview This documentation helps you understand how to apply the [shared responsibility model](https://www.amazonaws.cn/compliance/shared-responsibility-model/) when using Amazon Timestream for InfluxDB. The following topics show you how to configure Amazon Timestream for InfluxDB to meet your security and compliance objectives. You also learn how to use other Amazon services that help you monitor and secure your Amazon Timestream for InfluxDB resources. You can manage access to your Amazon Timestream for InfluxDB resources and your databases on a DB instance. The method you use to manage access depends on what type of task the user needs to perform with Amazon Timestream for InfluxDB: + Run your DB instance in a Virtual Private Cloud (VPC) based on the Amazon VPC service for network access control. + Use Amazon Identity and Access Management (IAM) policies to assign permissions that determine who is allowed to manage Amazon Timestream for InfluxDB resources. For example, you can use IAM to determine who is allowed to create, describe, modify, and delete DB instances, tag resources, or modify security groups. + Use security groups to control what IP addresses or Amazon EC2 instances can connect to your databases on a DB instance. When you first create a DB instance, it's only accessible through rules specified by an associated security group. + Use Secure Socket Layer (SSL) or Transport Layer Security (TLS) connections with your DB instances. + Use the security features of your InfluxDB engine to control who can log in to the databases on a DB instance. These features work just as if the database was on your local network. For more information, see [Security in Timestream for InfluxDB](security-timestream-for-influxdb.md). **Note** You have to configure security only for your use cases. You don't have to configure security access for processes that Amazon Timestream for InfluxDB manages. These include creating backups, replicating data between a primary DB instance and a read replica, and other processes. **Topics** + [ # General security ](timestream-for-influx-getting-started-security.md) # General security General security **Topics** + [ ## Permissions ](#timestream-for-influx-getting-started-security-permissions) + [ ## Network access ](#timestream-for-influx-getting-started-security-network-access) + [ ## Dependencies ](#timestream-for-influx-getting-started-security-dependencies) + [ ## S3 buckets ](#timestream-for-influx-getting-started-security-s3-buckets) ## Permissions Permissions InfluxDB users should be granted least-privilege permissions. Only tokens granted to specific users, instead of operator tokens, should be used during migration. Timestream for InfluxDB uses IAM permissions to control user permissions. We recommend users be granted access to the specific actions and resources that they require. For more information, see [Grant least privilege access](https://docs.amazonaws.cn/wellarchitected/2022-03-31/framework/sec_permissions_least_privileges.html). ## Network access Network access The Influx migration script can function locally, migrating data between two InfluxDB instances on the same system, but it is assumed that the primary use case for migrations will be migrating data across the network, either a local or public network. With this comes security considerations. The Influx migration script will, by default, verify TLS certificates for instances with TLS enabled: we recommend that users enable TLS in their InfluxDB instances and do not use the `--skip-verify` option for the script. We recommend you use an allow-list to restrict network traffic to be from sources you are expecting. You can do this by limiting network traffic to the InfluxDB instances only from known IPs. ## Dependencies Dependencies The latest major versions of all dependencies should be used, including Influx CLI, InfluxDB, Python, the Requests module, and optional dependencies such as `mountpoint-s3` and `rclone`. ## S3 buckets S3 buckets If S3 buckets are used as a temporary storage for migration, we recommend enabling TLS, versioning, and disabling public access. **Using S3 buckets for migration** 1. Open the Amazon Web Services Management Console, navigate to **Amazon Simple Storage Service** and then choose **Buckets**. 1. Choose the bucket you wish to use. 1. Choose the **Permissions** tab. 1. Under **Block public access (bucket settings)**, choose **Edit**. 1. Check **Block all public access**. 1. Choose **Save changes**. 1. Under **Bucket policy**, choose **Edit**. 1. Enter the following, replacing ** with your bucket name, to enforce the use of TLS version 1.2 or later for connections: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "EnforceTLSv12orHigher", "Principal": { "AWS": "*" }, "Action": [ "s3:*" ], "Effect": "Deny", "Resource": [ "arn:aws-cn:s3:::/*", "arn:aws-cn:s3:::" ], "Condition": { "NumericLessThan": { "s3:TlsVersion": 1.2 } } } ] } ``` ------ 1. Choose **Save changes**. 1. Choose the **Properties** tab. 1. Under **Bucket Versioning**, choose **Edit**. 1. Check **Enable**. 1. Choose **Save changes**. For information about Amazon S3 bucket best security practices, see [Security best practices for Amazon Simple Storage Service](https://docs.amazonaws.cn/AmazonS3/latest/userguide/security-best-practices.html).