The database compliance management package checks RDS, Redis, MongoDB, and PolarDB instances for encryption and access control compliance to prevent data breaches. The following table lists the default rules in this package.
|
Rule name |
Rule description |
|
A subscription MongoDB cluster is considered compliant if its expiration date is more than a specified number of days from the check date. The default value is 30 days. Clusters with auto-renewal enabled are considered compliant. |
|
|
A subscription HBase cluster is considered compliant if its expiration date is more than a specified number of days from the check date. The default value is 30 days. |
|
|
An RDS instance is considered compliant if it uses the enhanced whitelist mode. |
|
|
A PolarDB instance is considered compliant if it is a Cluster Edition or Multi-master Cluster Edition instance. Use Single Node Edition databases with caution because their fault recovery is slow. |
|
|
A Redis instance is considered compliant if release protection is enabled. |
|
|
A Redis instance is considered compliant if high-risk commands are disabled. |
|
|
An HBase cluster is considered compliant if its type is Cluster Edition. |
|
|
An HBase cluster is considered compliant if its network type is virtual private cloud (VPC). If a VPC parameter is specified, the cluster must be associated with a VPC that is specified in the parameter to be considered compliant. |
|
|
An HBase cluster is considered compliant if it is configured for high availability (HA). |
|
|
An HBase cluster is considered compliant if deletion protection is enabled. |
|
|
A MongoDB instance is considered compliant if release protection is enabled. |
|
|
A MongoDB instance is considered compliant if its lock status is Normal. |
|
|
A MongoDB instance is considered compliant if the audit log is enabled. |
|
|
Renew subscription resources in advance to prevent service interruptions due to payment issues. A subscription instance is considered compliant if its expiration date is more than a specified number of days from the check date. The default value is 30 days. This rule does not apply to pay-as-you-go instances. |
|
|
Renew subscription resources in advance to prevent service interruptions due to payment issues. A subscription instance is considered compliant if its expiration date is more than a specified number of days from the check date. The default value is 30 days. Instances with auto-renewal enabled are considered compliant. This rule does not apply to pay-as-you-go instances. |
|
|
A subscription Redis instance is considered compliant if its expiration date is more than a specified number of days from the check date. The default value is 30 days. Instances with auto-renewal enabled are considered compliant. This rule does not apply to pay-as-you-go instances. |
|
|
An RDS instance is considered compliant if SQL Audit is enabled. |
|
|
An RDS instance is considered compliant if it does not have a public IP address. Do not enable Direct Internet Access for RDS instances in a production environment because this makes them vulnerable to cyberattacks. |
|
|
An RDS instance is considered compliant if it is a High-availability Edition instance. Use Basic Edition instances with caution because they offer lower stability. |
|
|
An RDS instance is considered compliant if its network type is virtual private cloud (VPC). If a VPC parameter is specified, the instance must be in a VPC that is specified in the parameter to be considered compliant. Separate multiple parameter values with a comma (,). |
|
|
An RDS instance is considered compliant if it is a multi-zone instance. |
|
|
An RDS instance is considered compliant if an SSL Certificate is enabled in its data security settings. |
|
|
An RDS instance is considered compliant if transparent data encryption (TDE) is enabled in its data security settings. |
|
|
A Redis instance is considered compliant if its network type is virtual private cloud (VPC). If a VPC parameter is specified, the instance must be associated with a VPC that is specified in the parameter to be considered compliant. |
|
|
Do not set the Redis instance IP whitelist to all CIDR blocks |
A Redis instance is considered compliant if its IP whitelist is not set to 0.0.0.0/0. |
|
A Redis instance is considered compliant if its architecture type is Cluster Edition. |
|
|
Prohibit setting the MongoDB instance IP whitelist to all CIDR blocks |
A MongoDB instance is considered compliant if its IP whitelist is not set to 0.0.0.0/0. |
|
A MongoDB instance is considered compliant if its network type is virtual private cloud (VPC). If a VPC parameter is specified, the instance must be associated with a VPC that is specified in the parameter to be considered compliant. |
|
|
Prohibit setting the PolarDB instance IP whitelist to all CIDR blocks |
A PolarDB instance is considered compliant if its IP whitelist is not set to 0.0.0.0/0. |
|
A PolarDB instance is considered compliant if its network type is virtual private cloud (VPC). If a VPC parameter is specified, the instance must be associated with a VPC that is specified in the parameter to be considered compliant. |
|
|
Ensure RDS instance SQL audit log retention period meets requirements |
An RDS for MySQL instance is considered compliant if SQL Audit is enabled and the log retention period is greater than or equal to the specified value. The default value is 180 days. |
|
An RDS instance is considered compliant if the historical event log is enabled. |
|
|
An RDS instance is considered compliant if a whitelist is enabled and the whitelist does not contain 0.0.0.0/0. |