The Security Baseline Check feature of Database Autonomy Service (DAS) helps you quickly discover potential security configuration risks in your database instances to improve their security and reliability. This feature helps you find and remediate security risks for instances across different regions and engines. The intuitive scan results allow you to enhance your database security by improving configurations.
Background
-
The Verizon 2023 Data Breach Investigations Report indicates that approximately 50% of database breaches are related to weak passwords and credential stuffing attacks.
-
A report from the Cyberspace Administration of China reveals that in 2023, thousands of databases in China were exposed to risks from unauthorized access and weak passwords. Of the more than 8,000 instances inspected, 11.3% had these issues.
A weak password poses a significantly greater risk if the database instance is exposed to the public internet.
Limitations
-
The database instance must be in one of the following regions:
-
Public cloud
China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Heyuan), China (Zhangjiakou), China (Hohhot), China (Chengdu), China (Guangzhou), China (Ulanqab), Indonesia (Jakarta), US (Virginia), US (Silicon Valley), Japan (Tokyo), Germany (Frankfurt), UK (London), Philippines (Manila), Malaysia (Kuala Lumpur), Singapore, and China (Hong Kong).
-
Finance cloud
China (Hangzhou) Finance, China (Shanghai) Finance, China (Beijing) Finance (invitation-only preview), and China (Shenzhen) Finance.
-
-
Only RDS MySQL, PolarDB for MySQL, and PolarDB-X 2.0 instances are supported.
NoteBackup detection is not supported for PolarDB-X 2.0 instances.
Features
Detection scope
-
Database configuration: Checks password policy complexity, whether TDE is enabled, and whether the associated KMS key is available.
-
Network configuration: Checks whitelist-based access control and SSL security configurations.
-
Access control: Checks for weak passwords.
-
Storage: Checks backup settings.
NoteBackups are crucial for disaster recovery from events like accidental data deletion or ransomware attacks.
-
Post-incident security : Checks if audit logs are enabled to provide tracking and forensics capabilities.
Execution mechanism
Immediate check: You can manually trigger on-demand compliance checks at any time.
Check items
|
Check item |
Check rule |
Description |
|
Weak Password |
|
Checks for accounts that use weak passwords. Note
|
|
Whitelist |
|
Checks if IP address whitelists comply with security best practices. Note
A whitelist security risk exists if public access is enabled for the instance and the whitelist is configured with |
|
SSL Certificate |
|
Checks whether SSL encryption is enabled for database connections. |
|
Backup |
|
Checks the creation time of the latest backup set, which depends on the backup policy. Note
|
|
Audit |
|
Checks if audit logs are enabled. |
|
TDE |
|
Checks whether TDE is enabled. |
|
KMS key |
|
Checks if the instance's KMS key is available. Note
If TDE is not enabled, this check item is not applicable. |
Procedure
Log on to the DAS console.
-
In the left-side navigation pane, choose .
-
Initiate Inspection: Click Initiate Inspection. In the dialog box that appears, select the instances you want to inspect, click the arrow icon
to move them to the selected list, and then click OK to start the security inspection.Note-
Before you can run an inspection, you must authorize Security Center on the Instances page.
-
A security inspection can take from several minutes to over half an hour, depending on the number and complexity of your instances. You do not need to wait for the task to complete. You can return to this page to view the results later.
Only RDS MySQL, PolarDB for MySQL, and PolarDB-X instances are supported. You can select up to 30 instances per inspection.
-
-
Review the inspection list: The inspection results are displayed in a list, with one row for each instance.
NoteResults are color-coded for quick identification: red indicates danger, yellow indicates a warning, and green indicates safe.
The list shows the status of each check item: Weak password, Whitelist, SSL certificate, Backup, Audit, TDE, and KMS key. The list also provides basic information such as the task ID, instance ID, database type, region, and inspection time.
-
View details: In the Operation column for a task, click Details to see the full report.
NoteIn the details panel, you can click Inspect Again at the bottom to re-run the inspection for the current instance.
The details panel includes basic information (task ID, instance name, database type, inspection time, and region) and the results for each check item: Weak password, Whitelist, Backup, Audit, SSL certificate, TDE, and KMS key. Each item is tagged with a status such as Safe, Warning, or Not Applicable. Click an item to expand it and view more information.
-
Download results: Click the download icon
in the upper-right corner of the inspection list to download the current results. -
Subscribe to notifications: You can turn on the Subscribe switch in the upper-right corner to receive notifications.
NoteOnce you subscribe, Alibaba Cloud sends security notifications via internal message and SMS for important events.
-
Alibaba Cloud receives or discovers new security threat intelligence.
-
Regulatory authorities such as the Cyberspace Administration of China issue new compliance requirements.
-
-
Remediation suggestions
If the inspection finds risks, use the following suggestions to remediate them:
-
Weak password: Ensure that your database passwords meet complexity standards. This is especially important for databases that are exposed to the public internet.
NoteIf you use RDS MySQL, we recommend that you enable the validate_password plugin. After you change your password, you can use the
SHOW VARIABLES LIKE 'validate_password%'command to check whether the policy is in effect.-
Must be 8 to 32 characters in length.
-
Must contain characters from at least three of the following types: uppercase letters, lowercase letters, digits, and special characters.
-
The supported special characters are
!@#$%^&*()_+-=. -
For instructions on how to change passwords, see the following topics:
-
-
Whitelist: Prioritize fixing whitelist settings for databases exposed to the public internet. Remove unnecessary IP addresses to ensure that only trusted clients can access your database, reducing potential security risks.
-
SSL certificate: For publicly accessible databases, we strongly recommend that you enable SSL encryption to protect data in transit. This helps prevent security risks such as data interception and tampering.
-
Database backup: To ensure business continuity, back up your database regularly. Choose a backup cycle, such as daily or weekly, based on your business requirements to ensure data safety and recoverability.
-
Audit log: We strongly recommend that you enable database audit logs. This not only helps with post-incident accountability and compliance but also provides real-time security risk detection and improves the overall security of your database.
-
TDE : To ensure data security, we strongly recommend that you enable TDE to protect data at rest.
-
KMS key: In the Key Management Service console , select the region of your instance and enable the corresponding key.
If you have any questions, join the DingTalk group with the ID 58255008752 to get technical support.
FAQ
Q: Does the security baseline check affect database performance?
A: No. The check does not affect your instance. The detection process uses a lightweight collection agent, and scans are automatically delayed during peak business hours to minimize any potential impact.