PMM2 - Password storing of database monitoring user

Thanks @steve.hoffman .

I have a few additional queries below:

  1. Does remote (agent-less) monitoring of databases (e.g. PostgreSQL) apply to only AWS RDS instances?

  2. Does remote (agent-less) monitoring of databases (e.g. PostgreSQL) apply to PMM client and server installed on Virtual Machines?

  3. It was mentioned that currently, the PMM Server’s PostgreSQL DB stores all the plaintext database credentials used by the PMM client(s) to connect to the monitored databases. Are there any workaround solutions available currently to encrypt these sensitive credential data that are stored in the PMM Server’s PostgreSQL DB for security purposes (to mitigate the leak of credentials via insider threat)?

  4. It was also mentioned that the PMM developer team is currently working on integrating PMM with HashiCorp’s Vault for secure credential management – for this,

a) What is the expected timeline for release?

b) With this new architecture, does it mean that all the credentials used by the PMM Client and/or PMM Server daemon processes can eventually be stored in the enterprise’s HashiCorp Vault, and retrieved by PMM daemon processes during runtime?

c) With the new architecture, does it mean that the following statements will be true?
• These credentials will then no longer be stored inside the PMM Server’s PostgreSQL database.
• None of the databases used by PMM Server will then contain sensitive credentials / data that are stored unencrypted at rest.
• Sensitive credentials will also no longer be stored inside the following yaml file: “usr/local/percona/pmm2/config/pmm-agent.yaml”.
• The deploying company can deploy PMM to integrate with the company’s on-premise enterprise HashiCorp Vault to protect these credentials stored at rest.
• Architecture will be akin to the attached diagram.

Thank you!