AWS SSM - Hoop.dev - the only access gateway with data masking

Before you start

To get the most out of this guide, you will need to:

Either create an account in our managed instance or deploy your own hoop.dev instance
You must be your account administrator to perform the following commands

Features

The table below outlines the features available for this type of connection.

Native - This refers to when a database client connects through a specific protocol, such as an IDE or client libraries through hoop connect <connection-name>.
One Off - This term refers to accessing this connection from hoop web panel.

Feature	Native	One Off	Description
TLS Termination Proxy			The local proxy terminates the connection with TLS, enabling the connection with the remote server to be TLS encrypted.
Audit			The gateway stores and audits the queries being issued by the client.
Data Masking (Google DLP)			A policy can be enabled to mask sensitive fields dynamically when performing queries in the database.
Data Masking (MS Presidio)			A policy can be enabled to mask sensitive fields dynamically when performing queries in the database.
Guardrails			An intelligent layer of protection with smart access controls and monitoring mechanisms.
Credentials Offload			The user authenticates via SSO instead of using database credentials.
Interactive Access			Interactive access is available when using an IDE or connecting via a terminal to perform analysis exploration.

Configuration

Name	Type	Required	Description
AWS_ACCESS_KEY_ID	env-var	no	The AWS access key id value
AWS_SECRET_ACCESS_KEY	env-var	no	The AWS secret access key value
AWS_REGION	env-var	no	The AWS region to issue commands
PIPE_EXEC	env-var	no	The runtime command to be executed when running ad-hoc commands via Web Console. It defaults to /bin/bash
INSTANCE_ID	env-var	no	The EC2 instance id to use when starting an interactive shell session. Add this value if you want to prevent users from specifying which instance to connect to.

Credentials Setup

This connection can use AWS credentials which could be loaded from EC2 instance roles or environment variables provided directly in the connection. Make sure to add the following IAM permissions to the user or role that will be used to connect to EC2 instances via SSM:

ssm:StartSession * ssm:SendCommand * ssm:ListCommandInvocations * ssm:GetCommandInvocation * ssm:DescribeSessions * ssm:TerminateSession

Command Line Usage Examples

Start interactive session with a specific instance:

  hoop connect aws-ssm -e INSTANCE_ID=i-0d1a333276d48ec0d

If you don’t want users to specify the instance id when starting an interactive session, you can set the `INSTANCE_ID` environment variable in the connection credentials.

Execute ad-hoc commands on a specific instance:

If PIPE_EXEC is set to /bin/bash (default), you can run:

  hoop exec aws-ssm <<EOF
  # instance-id=i-0d1a333276d48ec0d
  ls -l
  EOF

If PIPE_EXEC is set to python, you can run:

  hoop exec aws-ssm <<EOF
  # instance-id=i-0d1a333276d48ec0d
  import os
  print('Hello From Python!')
  EOF

Documentation Index

Before you start

Features

Configuration

​Credentials Setup

​Command Line Usage Examples

Credentials Setup

Command Line Usage Examples