DataMasque Installation from AWS Marketplace
This guide describes the installation and initial configuration of a DataMasque instance deployed using one of the available DataMasque software products on the AWS Marketplace.
- DataMasque AWS Marketplace software products
- Prerequisites
- Optional configurations
- Provisioned AWS resources on deployment
- Configuring your DataMasque instance
- Configuring network access to your target databases
- Troubleshooting and maintenance
DataMasque AWS Marketplace software products
DataMasque’s software products in the AWS Marketplace are delivered as Amazon Machine Images (AMIs).
You may deploy the DataMasque application by launching an AWS EC2 instance with a DataMasque AWS Marketplace AMI.
You can view the DataMasque AMI products available on the AWS Marketplace here.
Free trial product
You may trial DataMasque for free using this DataMasque software product. This product is valid for 30 days from the time you launch your AWS EC2 instance and supports masking up to 1000 rows per table per masking run.
Flexible pricing products
DataMasque offers flexible pricing products with either an hourly price or a fixed monthly price to suit your needs.
You can find the available DataMasque flexible pricing products here.
DataMasque instances deployed using DataMasque’s flexible pricing products allow you to mask data up to the total masked database size quota specified in each pricing product. They are charged according to the product's subscription pricing model, hourly or monthly.
BYOL (bring-your-own-licence) product
You may purchase a licence by contacting sales@datamasque.com for use with your DataMasque instances deployed using the DataMasque (BYOL) product.
Note: refer to the Usage calculation information on the Licensing page for details on estimating the total unique masked database size quota you need.
Prerequisites
AWS account
You will need a valid AWS account in order to deploy a DataMasque instance using one of the available DataMasque software products.
Optional configurations
Static external IP address
If you need a static public IP address to access your DataMasque instance in addition to using your EC2 instance’s private IP address, you will need to attach an Elastic IP address to your DataMasque instance.
DataMasque must also be configured with the Elastic IP addresses that you have associated with your DataMasque instance before you can access it through those addresses. They can be configured with the global Hostnames setting on the Settings page.
Private subnet
It is recommended to deploy your DataMasque instance on a private subnet with appropriate access control.
Host security
Standard security practices should be applied to the EC2 instance hosting DataMasque. Such best practices include, but are not limited to:
- Restrict access control using security groups or network ACLs
- Host filesystem encryption. Follow this guide to enable filesystem encryption on your EC2 instance.
- Regular OS security patching
- Intrusion detection
- Virus scanning
Enable outbound SMTP traffic
By default, AWS blocks outbound SMTP traffic of all EC2 instances. Follow this link for the steps to allow outbound traffic on port 25 (SMTP) for your DataMasque instance running on an AWS EC2 instance.
IMDS version
By default, both IMDSv1 and IMDSv2 are accessible to the instance. However, a specific version can be enforced by using the AWS CLI to modify the instance metadata. Please refer to the documentation below regarding the configuration of instance metadata:
- Configure instance metadata options for new instances
- Modify instance metadata options for existing instances
Note: When requiring IMDSv2, the hop limit must be set to 2. Otherwise, the instance will not be able to reach the AWS endpoint and obtain the necessary headers to retrieve the required token.
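One way to audit and enforce the IMDSv2 setting above with the AWS CLI. This is an added example, not part of the DataMasque documentation; the function names are hypothetical and the instance ID is a value you supply.

```shell
#!/bin/sh
# Added example (not DataMasque's own tooling): audit and enforce IMDSv2 with
# the hop limit the note above requires. Instance IDs are supplied by you.

REQUIRED_HOP_LIMIT=2   # value stated in the note above

# Print "<HttpTokens> <HttpPutResponseHopLimit>" for one instance.
imds_options() {
    aws ec2 describe-instances --instance-ids "$1" \
        --query 'Reservations[].Instances[].MetadataOptions.[HttpTokens,HttpPutResponseHopLimit]' \
        --output text
}

# Classify one row from imds_options; returns 0 only when compliant.
imds_verdict() {
    tokens=$1 hops=$2
    if [ "$tokens" != "required" ]; then
        echo "imdsv1-allowed"; return 1
    elif [ "$hops" -ne "$REQUIRED_HOP_LIMIT" ]; then
        echo "hop-limit-not-2"; return 1
    fi
    echo "ok"
}

# Require session tokens and set the hop limit in a single call.
enforce_imdsv2() {
    aws ec2 modify-instance-metadata-options --instance-id "$1" \
        --http-tokens required \
        --http-put-response-hop-limit "$REQUIRED_HOP_LIMIT"
}

# Audit an instance and change it only if the current settings are non-compliant.
audit_and_enforce() {
    row=$(imds_options "$1") || return 2
    set -- "$1" $row            # $2 = HttpTokens, $3 = hop limit
    verdict=$(imds_verdict "$2" "$3") && { echo "$1: ok"; return 0; }
    echo "$1: $verdict, applying fix" >&2
    enforce_imdsv2 "$1"
}

# Run on the instance: succeeds if an IMDSv2 session token can be fetched.
imds_token_reachable() {
    curl -sf -m 3 -X PUT "http://169.254.169.254/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60" >/dev/null
}
```

Call `audit_and_enforce <instance-id>` from a workstation with EC2 permissions, then run `imds_token_reachable` on the instance to confirm the token endpoint still answers.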
Provisioned AWS resources on deployment
The following AWS resources will be set up in your AWS account after deploying DataMasque using a DataMasque AWS Marketplace AMI.
An EC2 instance
An EC2 instance with your selected instance type will be created to host your DataMasque instance with the following OS configurations:
- Red Hat Enterprise Linux as the base operating system.
- A 40GB root EBS volume.
A security group to allow SSH and HTTPS connectivity
As part of launching your DataMasque EC2 instance, you can choose to create a new security group for the deployment or to use an existing security group available in your account. If you choose to create a new security group for the deployment, the new security group is configured with inbound rules to allow SSH (port 22) and HTTPS (443) from anywhere (0.0.0.0/0) by default. It is important to restrict access and only allow traffic from a set of known IP addresses or security groups to prevent public exposure.
Note: The deployment does not create or use any other public or private AWS resources other than the listed resources in this section.
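One way to find and replace the default 0.0.0.0/0 inbound rules described above, using the AWS CLI. This is an added example, not part of the DataMasque documentation; the function names are hypothetical, and the security group ID and admin CIDR are placeholders you supply.

```shell
#!/bin/sh
# Added example (not DataMasque's own tooling): replace the world-open
# SSH/HTTPS rules on the launch security group with a known admin CIDR.

# Print "<FromPort> <ToPort> <CidrIpv4>" for every inbound rule of a group.
ingress_rules() {
    aws ec2 describe-security-group-rules \
        --filters "Name=group-id,Values=$1" \
        --query 'SecurityGroupRules[?IsEgress==`false`].[FromPort,ToPort,CidrIpv4]' \
        --output text
}

# Read ingress_rules rows on stdin; print each port (or range) open to anywhere.
world_open_ports() {
    awk '$3 == "0.0.0.0/0" { print (($1 == $2) ? $1 : $1 "-" $2) }' | sort -n -u
}

# Reject replacement CIDRs that are missing, malformed, or still "anywhere".
narrow_cidr() {
    case $1 in
        ""|*/0)    return 1 ;;
        *.*.*.*/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Allow <cidr> first, then drop the 0.0.0.0/0 rule, so an administrator
# connecting from <cidr> is not locked out between the two calls.
restrict_port() {
    aws ec2 authorize-security-group-ingress --group-id "$1" \
        --protocol tcp --port "$2" --cidr "$3" &&
    aws ec2 revoke-security-group-ingress --group-id "$1" \
        --protocol tcp --port "$2" --cidr 0.0.0.0/0
}

# lock_down <security-group-id> <admin-cidr>
lock_down() {
    sg=$1 cidr=$2
    narrow_cidr "$cidr" || { echo "refusing CIDR: $cidr" >&2; return 1; }
    for port in $(ingress_rules "$sg" | world_open_ports); do
        restrict_port "$sg" "$port" "$cidr" || return 1
    done
}
```

Running `ingress_rules <security-group-id> | world_open_ports` on its own gives a read-only audit; an empty result means no inbound rule is open to 0.0.0.0/0.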
Configuring your DataMasque instance
Once your AWS EC2 instance is launched and ready for connection, you can access your DataMasque instance from a client web browser at https://<instance-ip-or-hostname>.
Follow the Initial Setup guide to complete your installation of DataMasque.
Configuring network access to your target databases
You will need to allow network access between your DataMasque instance and your target databases before executing masking runs against your target databases. Once the network access has been set up, refer to the Database Connections user guide to configure the connection details for your target databases.
Troubleshooting and maintenance
Verifying the DataMasque processes
DataMasque is a fully containerised application and runs in Docker containers. Once the EC2 instance has started, you can SSH to the EC2 host and confirm that the DataMasque Docker containers are running with the following command:
docker ps --format "table {{.ID}}\t{{.Status}}\t{{.Names}}"
You should see five DataMasque containers listed:
CONTAINER ID STATUS NAMES
60114d0c370d Up 3 minutes datamasque_admin-frontend_1
da8bacfbbe48 Up 3 minutes datamasque_admin-server_1
c9555bf98017 Up 3 minutes datamasque_agent-worker_1
d46296fd5b3b Up 3 minutes datamasque_agent-queue_1
1d5516575e1c Up 3 minutes datamasque_admin-db_1
It is also recommended to monitor the health of your DataMasque instance. Refer to the API documentation for authentication and the health check API endpoint.
Data protection
It is recommended to take regular backups of your DataMasque EC2 instance. It is also recommended to periodically save copies of your Run Logs, as well as Ruleset and Connection configurations.
Upgrading DataMasque
It is recommended that you take backups of all rulesets, connections and uploaded files before upgrading your DataMasque instance.
Download the new DataMasque Docker package from the DataMasque Customer Portal.
To upgrade your DataMasque instance, extract the new DataMasque Docker Compose package, and run the included installation script with the --upgrade option:
tar -xvzf datamasque-v<version>.pkg
cd datamasque/<version>/
sudo ./install.sh --upgrade
Restarting DataMasque
To restart the DataMasque Docker containers, run the following command as ec2-user:
sudo docker-compose -f /usr/local/etc/datamasque/docker-compose.yml restart
You can verify that all five DataMasque containers have successfully restarted by running the following command as ec2-user:
sudo docker ps --format "table {{.ID}}\t{{.Status}}\t{{.Names}}"
DataMasque logs
Important DataMasque logs can be extracted from the Docker containers with the following commands as ec2-user:
- To copy the DataMasque web application runner logs to a <target-file-path>:
sudo docker cp datamasque_admin-server_1:/files/logs/uwsgi.log <target-file-path>
- To copy the DataMasque web application logs to a <target-file-path>:
sudo docker cp datamasque_admin-server_1:/files/logs/django.log <target-file-path>
- To copy the DataMasque masking agent logs to a <target-file-path>:
sudo docker cp datamasque_agent-worker_1:/files/logs/celery.log <target-file-path>
Support information
DataMasque provides full product and installation support within 72 hours of making an enquiry. Contact the support team at support@datamasque.com for any enquiries you may have.