Security baseline check

更新时间:
复制 MD 格式

The Security Baseline Check feature of Database Autonomy Service (DAS) helps you quickly discover potential security configuration risks in your database instances to improve their security and reliability. This feature helps you find and remediate security risks for instances across different regions and engines. The intuitive scan results allow you to enhance your database security by improving configurations.

Background

  • The Verizon 2023 Data Breach Investigations Report indicates that approximately 50% of database breaches are related to weak passwords and credential stuffing attacks.

  • A report from the Cyberspace Administration of China reveals that in 2023, thousands of databases in China were exposed to risks from unauthorized access and weak passwords. Of the more than 8,000 instances inspected, 11.3% had these issues.

Note

A weak password poses a significantly greater risk if the database instance is exposed to the public internet.

Limitations

  • The database instance must be in one of the following regions:

    • Public cloud

      China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Heyuan), China (Zhangjiakou), China (Hohhot), China (Chengdu), China (Guangzhou), China (Ulanqab), Indonesia (Jakarta), US (Virginia), US (Silicon Valley), Japan (Tokyo), Germany (Frankfurt), UK (London), Philippines (Manila), Malaysia (Kuala Lumpur), Singapore, and China (Hong Kong).

    • Finance cloud

      China (Hangzhou) Finance, China (Shanghai) Finance, China (Beijing) Finance (invitation-only preview), and China (Shenzhen) Finance.

  • Only RDS MySQL, PolarDB for MySQL, and PolarDB-X 2.0 instances are supported.

    Note

    Backup detection is not supported for PolarDB-X 2.0 instances.

Features

Detection scope

  • Database configuration: Checks password policy complexity, whether TDE is enabled, and whether the associated KMS key is available.

  • Network configuration: Checks whitelist-based access control and SSL security configurations.

  • Access control: Checks for weak passwords.

  • Storage: Checks backup settings.

    Note

    Backups are crucial for disaster recovery from events like accidental data deletion or ransomware attacks.

  • Post-incident security : Checks if audit logs are enabled to provide tracking and forensics capabilities.

Execution mechanism

Immediate check: You can manually trigger on-demand compliance checks at any time.

Check items

Check item

Check rule

Description

Weak Password

  • Danger: One or more accounts use a weak password.

  • Safety: No weak passwords were found.

Checks for accounts that use weak passwords.

Note
  • Detection model

    • Uses a dictionary of over 10,000,000 common weak passwords and incorporates newly discovered weak passwords from cloud security teams.

    • Supports rapid, batch detection for multiple password strength policies.

  • Protective measures Triggers a security alert when it detects an account with a weak password.

Whitelist

  • Danger: The whitelist is configured to allow all IP addresses (0.0.0.0/0).

  • Warning: A large public IP address range, such as a /8 CIDR block, is configured.

  • Safety: No high-risk whitelist configurations were found.

Checks if IP address whitelists comply with security best practices.

Note

A whitelist security risk exists if public access is enabled for the instance and the whitelist is configured with 0.0.0.0/0 or a large public IP address range, such as a /8 block.

SSL Certificate

  • Warning: SSL is not enabled for the instance.

  • Safety: SSL is enabled for the instance.

Checks whether SSL encryption is enabled for database connections.

Backup

  • Danger: No backup set has been created in the last 7 days.

  • Warning: The latest backup set was created 2 to 7 days ago.

  • Safety: A backup set was created within the last 24 hours.

Checks the creation time of the latest backup set, which depends on the backup policy.

Note
  • This check is not supported for PolarDB-X 2.0.

  • If an automatic backup policy is not configured for the instance, a lack of backups for 7 consecutive days is considered a danger.

Audit

  • Warning: Audit logs are not enabled.

  • Safety: Audit logs are enabled.

Checks if audit logs are enabled.

TDE

  • Warning: TDE is not enabled.

  • Safe: TDE is enabled.

Checks whether TDE is enabled.

KMS key

  • Danger: The KMS key used by the instance is unavailable.

  • Safe: The KMS key used by the instance is available.

Checks if the instance's KMS key is available.

Note

If TDE is not enabled, this check item is not applicable.

Procedure

  1. Log on to the DAS console.

  2. In the left-side navigation pane, choose Security Center > Security Inspection.

    • Initiate Inspection: Click Initiate Inspection. In the dialog box that appears, select the instances you want to inspect, click the arrow icon image to move them to the selected list, and then click OK to start the security inspection.

      Note
      • Before you can run an inspection, you must authorize Security Center on the Instances page.

      • A security inspection can take from several minutes to over half an hour, depending on the number and complexity of your instances. You do not need to wait for the task to complete. You can return to this page to view the results later.

      Only RDS MySQL, PolarDB for MySQL, and PolarDB-X instances are supported. You can select up to 30 instances per inspection.

    • Review the inspection list: The inspection results are displayed in a list, with one row for each instance.

      Note

      Results are color-coded for quick identification: red indicates danger, yellow indicates a warning, and green indicates safe.

      The list shows the status of each check item: Weak password, Whitelist, SSL certificate, Backup, Audit, TDE, and KMS key. The list also provides basic information such as the task ID, instance ID, database type, region, and inspection time.

    • View details: In the Operation column for a task, click Details to see the full report.

      Note

      In the details panel, you can click Inspect Again at the bottom to re-run the inspection for the current instance.

      The details panel includes basic information (task ID, instance name, database type, inspection time, and region) and the results for each check item: Weak password, Whitelist, Backup, Audit, SSL certificate, TDE, and KMS key. Each item is tagged with a status such as Safe, Warning, or Not Applicable. Click an item to expand it and view more information.

    • Download results: Click the download icon image in the upper-right corner of the inspection list to download the current results.

    • Subscribe to notifications: You can turn on the Subscribe switch in the upper-right corner to receive notifications.

      Note

      Once you subscribe, Alibaba Cloud sends security notifications via internal message and SMS for important events.

      • Alibaba Cloud receives or discovers new security threat intelligence.

      • Regulatory authorities such as the Cyberspace Administration of China issue new compliance requirements.

Remediation suggestions

If the inspection finds risks, use the following suggestions to remediate them:

  • Weak password: Ensure that your database passwords meet complexity standards. This is especially important for databases that are exposed to the public internet.

    Note

    If you use RDS MySQL, we recommend that you enable the validate_password plugin. After you change your password, you can use the SHOW VARIABLES LIKE 'validate_password%' command to check whether the policy is in effect.

    • Must be 8 to 32 characters in length.

    • Must contain characters from at least three of the following types: uppercase letters, lowercase letters, digits, and special characters.

    • The supported special characters are !@#$%^&*()_+-=.

    • For instructions on how to change passwords, see the following topics:

  • Whitelist: Prioritize fixing whitelist settings for databases exposed to the public internet. Remove unnecessary IP addresses to ensure that only trusted clients can access your database, reducing potential security risks.

  • SSL certificate: For publicly accessible databases, we strongly recommend that you enable SSL encryption to protect data in transit. This helps prevent security risks such as data interception and tampering.

  • Database backup: To ensure business continuity, back up your database regularly. Choose a backup cycle, such as daily or weekly, based on your business requirements to ensure data safety and recoverability.

  • Audit log: We strongly recommend that you enable database audit logs. This not only helps with post-incident accountability and compliance but also provides real-time security risk detection and improves the overall security of your database.

  • TDE : To ensure data security, we strongly recommend that you enable TDE to protect data at rest.

  • KMS key: In the Key Management Service console , select the region of your instance and enable the corresponding key.

Note

If you have any questions, join the DingTalk group with the ID 58255008752 to get technical support.

FAQ

Q: Does the security baseline check affect database performance?

A: No. The check does not affect your instance. The detection process uses a lightweight collection agent, and scans are automatically delayed during peak business hours to minimize any potential impact.