Connect AnomalyArmor to any PostgreSQL-compatible database. This guide covers self-hosted PostgreSQL as well as managed services like Amazon RDS, Aurora, and Supabase.
Platform Minimum Version Notes PostgreSQL 12+ Self-hosted or any cloud Amazon RDS 12+ All instance classes Amazon Aurora PostgreSQL 12+ Cluster and serverless Supabase Any Direct connection or pooler Google Cloud SQL 12+ Public or private IP Azure Database 12+ Single server or flexible Heroku Postgres Any Requires SSL
Connection Settings Field Description Example Connection Name Friendly identifier Production PostgreSQLHost Hostname or IP address db.example.comPort Database port 5432Database Database name myapp_productionUsername Database user anomalyarmorPassword User password ••••••••SSL Mode SSL configuration require
SSL Mode Options Mode Description When to Use disableNo SSL Local development only requireSSL required, no verification Recommended for most cloud providersverify-caVerify server certificate High security requirements verify-fullVerify certificate and hostname Maximum security
Never use disable for production databases. Most cloud providers (RDS, Aurora, Supabase) require SSL.
Creating a Read-Only User Create a dedicated user with minimal permissions.
-- Create the user CREATE USER anomalyarmor WITH PASSWORD 'your-secure-password' ; -- Grant connection access GRANT CONNECT ON DATABASE your_database TO anomalyarmor; -- Grant schema access (repeat for each schema) GRANT USAGE ON SCHEMA public TO anomalyarmor; GRANT USAGE ON SCHEMA analytics TO anomalyarmor; -- Grant read access to existing tables GRANT SELECT ON ALL TABLES IN SCHEMA public TO anomalyarmor; GRANT SELECT ON ALL TABLES IN SCHEMA analytics TO anomalyarmor; -- Grant access to future tables (recommended) ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO anomalyarmor; ALTER DEFAULT PRIVILEGES IN SCHEMA analytics GRANT SELECT ON TABLES TO anomalyarmor;
Verifying Permissions Test that the user can access metadata:
-- Should return tables SELECT table_name FROM information_schema . tables WHERE table_schema = 'public' LIMIT 5 ; -- Should return columns SELECT column_name, data_type FROM information_schema . columns WHERE table_schema = 'public' LIMIT 5 ;
Provider-Specific Instructions Amazon RDS
Amazon Aurora
Supabase
Self-Hosted
Google Cloud SQL
Amazon RDS PostgreSQL Connection Details :
Host : Your RDS endpoint (e.g., mydb.abc123.us-east-1.rds.amazonaws.com)Port : 5432 (default)SSL Mode : require Security Group Configuration :
Go to AWS Console → RDS → Your Instance → Security Groups
Edit inbound rules
Add rule:
Type: PostgreSQL
Port: 5432
Source: AnomalyArmor IPs (see Settings → Security)
┌────────────────────────────────────────────────────────────┐ │ Security Group: sg-abc123 │ ├────────────────────────────────────────────────────────────┤ │ Inbound Rules │ │ ────────────── │ │ PostgreSQL │ TCP │ 5432 │ 34.xxx.xxx.xxx/32 │ AnomalyArmor│ │ PostgreSQL │ TCP │ 5432 │ 34.xxx.xxx.xxx/32 │ AnomalyArmor│ └────────────────────────────────────────────────────────────┘
Parameter Group (if using verify-ca or verify-full):
Ensure rds.force_ssl = 1
Download RDS CA certificate bundle
RDS instances in private subnets require NAT Gateway or VPC peering for AnomalyArmor access. Contact us for Enterprise VPC peering options.
Amazon Aurora PostgreSQL Connection Details :
Host : Cluster endpoint (reader or writer)Port : 5432 (default)SSL Mode : require Choosing the Right Endpoint :Endpoint Use Case Cluster (writer) If you need real-time schema changes Reader Recommended - no impact on production writes
Aurora Cluster: mydb-cluster ├── Writer: mydb-cluster.cluster-abc123.us-east-1.rds.amazonaws.com └── Reader: mydb-cluster.cluster-ro-abc123.us-east-1.rds.amazonaws.com ↑ Use this for monitoring
Aurora Serverless v2 :
Use the cluster endpoint
Ensure minimum ACU allows connections during discovery
Consider scheduling discovery during active hours
Supabase PostgreSQL Connection Options :Method Host Port When to Use Direct db.xxx.supabase.co5432Standard setup Pooler (Transaction) xxx.pooler.supabase.com5432High connection limits Pooler (Session) xxx.pooler.supabase.com6543If direct fails
Finding Your Credentials :
Go to Supabase Dashboard → Settings → Database
Copy the connection string or individual fields
Use the database password (not the API key)
SSL Configuration :
SSL Mode: require
Supabase enforces SSL by default
Don’t use the Supabase API key as the password. Use the actual database password from Settings → Database.
Self-Hosted PostgreSQL Connection Details :
Host : Your server’s hostname or IPPort : 5432 (or custom port)SSL Mode : Depends on your setup Firewall Configuration :Allow inbound connections from AnomalyArmor IPs: # iptables example iptables -A INPUT -p tcp --dport 5432 -s 34.xxx.xxx.xxx -j ACCEPT iptables -A INPUT -p tcp --dport 5432 -s 34.xxx.xxx.xxx -j ACCEPT
pg_hba.conf Configuration :Add entries for AnomalyArmor: # TYPE DATABASE USER ADDRESS METHOD hostssl all anomalyarmor 34.xxx.xxx.xxx/32 scram-sha-256 hostssl all anomalyarmor 34.xxx.xxx.xxx/32 scram-sha-256
SSL Setup (if not already configured):# Generate self-signed certificate (for testing) openssl req -new -x509 -days 365 -nodes \ -out server.crt -keyout server.key # Set permissions chmod 600 server.key chown postgres:postgres server.key server.crt # Enable in postgresql.conf ssl = on ssl_cert_file = '/path/to/server.crt' ssl_key_file = '/path/to/server.key'
Google Cloud SQL for PostgreSQL Connection Methods :Method Description Public IP Add AnomalyArmor IPs to authorized networks Cloud SQL Proxy For private IP instances (self-managed)
Public IP Setup :
Go to Cloud Console → SQL → Your Instance → Connections
Under Authorized Networks , click Add Network
Add each AnomalyArmor IP
Connection Details :
Host : Public IP from instance overviewPort : 5432SSL Mode : require Cloud SQL requires SSL by default. If you need verify-ca, download the server certificate from the instance details.
Connection Pooling Considerations If you use a connection pooler (PgBouncer, Pgpool):
PgBouncer
Transaction mode : Works with AnomalyArmorSession mode : Recommended for best compatibilityStatement mode : May have issues with complex queries
┌─────────────────────────────────────────────────────────────┐ │ Recommended: Connect directly to PostgreSQL, not through │ │ PgBouncer, unless you have connection limit constraints. │ └─────────────────────────────────────────────────────────────┘
Connection Limits AnomalyArmor uses 1-2 connections during discovery. If you’re near your connection limit:
Use a read replica for monitoring
Schedule discovery during off-peak hours
Increase max_connections if possible
What We Query AnomalyArmor runs these types of queries:
-- Tables and views SELECT * FROM information_schema . tables WHERE table_schema NOT IN ( 'pg_catalog' , 'information_schema' ); -- Columns SELECT * FROM information_schema . columns WHERE table_schema NOT IN ( 'pg_catalog' , 'information_schema' ); -- Constraints SELECT * FROM information_schema . table_constraints ; -- Freshness (for timestamp columns) SELECT MAX (your_timestamp_column) FROM your_table;
Impact : Minimal. These are lightweight metadata queries.Troubleshooting
Causes :
Firewall blocking the connection
Wrong hostname or port
Database not running
Solutions :
Verify AnomalyArmor IPs are allowlisted
Check security group rules (for RDS/Aurora)
Test connectivity: nc -zv hostname 5432
Verify database is accepting connections
Password authentication failed
Causes :
Wrong password
User doesn’t exist
pg_hba.conf not configured
Solutions :
Verify password (copy-paste to avoid typos)
Confirm user exists: SELECT usename FROM pg_user;
Check pg_hba.conf allows the connection method
Try resetting the password
Causes :
Database requires SSL but connection uses disable
Wrong SSL mode for the server
Solutions :
Set SSL Mode to require
For RDS/Aurora/Supabase: SSL is required
For self-hosted: Enable SSL or allow non-SSL (not recommended)
Permission denied for relation
Causes :
User lacks SELECT permission
Schema permission missing
Solutions :-- Grant schema access GRANT USAGE ON SCHEMA public TO anomalyarmor; -- Grant table access GRANT SELECT ON ALL TABLES IN SCHEMA public TO anomalyarmor;
No tables found in discovery
Causes :
User can’t see tables in information_schema
Schema filter excluding all schemas
Solutions :
Test as the user: SELECT * FROM information_schema.tables LIMIT 5;
Check schema filter settings in AnomalyArmor
Verify tables exist in the expected schemas
Next Steps
Run Discovery Scan your PostgreSQL database
Set Up Alerts Get notified of schema changes
