Best practices for database compliance management

更新时间:
复制 MD 格式

The database compliance management package checks RDS, Redis, MongoDB, and PolarDB instances for encryption and access control compliance to prevent data breaches. The following table lists the default rules in this package.

Rule name

Rule description

Check for subscription MongoDB cluster expiration

A subscription MongoDB cluster is considered compliant if its expiration date is more than a specified number of days from the check date. The default value is 30 days. Clusters with auto-renewal enabled are considered compliant.

Check for subscription HBase cluster expiration

A subscription HBase cluster is considered compliant if its expiration date is more than a specified number of days from the check date. The default value is 30 days.

Use enhanced whitelist mode for RDS instances

An RDS instance is considered compliant if it uses the enhanced whitelist mode.

Use Cluster Edition PolarDB instances

A PolarDB instance is considered compliant if it is a Cluster Edition or Multi-master Cluster Edition instance. Use Single Node Edition databases with caution because their fault recovery is slow.

Enable release protection for Redis instances

A Redis instance is considered compliant if release protection is enabled.

Disable high-risk commands for Redis instances

A Redis instance is considered compliant if high-risk commands are disabled.

Use Cluster Edition for HBase clusters

An HBase cluster is considered compliant if its type is Cluster Edition.

Use HBase clusters in a VPC

An HBase cluster is considered compliant if its network type is virtual private cloud (VPC). If a VPC parameter is specified, the cluster must be associated with a VPC that is specified in the parameter to be considered compliant.

Configure HBase clusters for high availability

An HBase cluster is considered compliant if it is configured for high availability (HA).

Enable deletion protection for HBase clusters

An HBase cluster is considered compliant if deletion protection is enabled.

Enable release protection for MongoDB instances

A MongoDB instance is considered compliant if release protection is enabled.

MongoDB instance is unlocked

A MongoDB instance is considered compliant if its lock status is Normal.

Enable audit logs for MongoDB clusters

A MongoDB instance is considered compliant if the audit log is enabled.

Check for subscription RDS instance expiration

Renew subscription resources in advance to prevent service interruptions due to payment issues. A subscription instance is considered compliant if its expiration date is more than a specified number of days from the check date. The default value is 30 days. This rule does not apply to pay-as-you-go instances.

Check for subscription PolarDB cluster expiration

Renew subscription resources in advance to prevent service interruptions due to payment issues. A subscription instance is considered compliant if its expiration date is more than a specified number of days from the check date. The default value is 30 days. Instances with auto-renewal enabled are considered compliant. This rule does not apply to pay-as-you-go instances.

Check for subscription Redis instance expiration

A subscription Redis instance is considered compliant if its expiration date is more than a specified number of days from the check date. The default value is 30 days. Instances with auto-renewal enabled are considered compliant. This rule does not apply to pay-as-you-go instances.

Enable SQL Audit for RDS instances

An RDS instance is considered compliant if SQL Audit is enabled.

Prohibit public IP addresses for RDS instances

An RDS instance is considered compliant if it does not have a public IP address. Do not enable Direct Internet Access for RDS instances in a production environment because this makes them vulnerable to cyberattacks.

Use high-availability RDS instances

An RDS instance is considered compliant if it is a High-availability Edition instance. Use Basic Edition instances with caution because they offer lower stability.

Use RDS instances in a VPC

An RDS instance is considered compliant if its network type is virtual private cloud (VPC). If a VPC parameter is specified, the instance must be in a VPC that is specified in the parameter to be considered compliant. Separate multiple parameter values with a comma (,).

Use multi-zone RDS instances

An RDS instance is considered compliant if it is a multi-zone instance.

Use SSL certificates for RDS instances

An RDS instance is considered compliant if an SSL Certificate is enabled in its data security settings.

Enable TDE for RDS instances

An RDS instance is considered compliant if transparent data encryption (TDE) is enabled in its data security settings.

Use Redis instances in a VPC

A Redis instance is considered compliant if its network type is virtual private cloud (VPC). If a VPC parameter is specified, the instance must be associated with a VPC that is specified in the parameter to be considered compliant.

Do not set the Redis instance IP whitelist to all CIDR blocks

A Redis instance is considered compliant if its IP whitelist is not set to 0.0.0.0/0.

Use Cluster Edition Redis instances

A Redis instance is considered compliant if its architecture type is Cluster Edition.

Prohibit setting the MongoDB instance IP whitelist to all CIDR blocks

A MongoDB instance is considered compliant if its IP whitelist is not set to 0.0.0.0/0.

Use MongoDB instances in a VPC

A MongoDB instance is considered compliant if its network type is virtual private cloud (VPC). If a VPC parameter is specified, the instance must be associated with a VPC that is specified in the parameter to be considered compliant.

Prohibit setting the PolarDB instance IP whitelist to all CIDR blocks

A PolarDB instance is considered compliant if its IP whitelist is not set to 0.0.0.0/0.

Use PolarDB instances in a VPC

A PolarDB instance is considered compliant if its network type is virtual private cloud (VPC). If a VPC parameter is specified, the instance must be associated with a VPC that is specified in the parameter to be considered compliant.

Ensure RDS instance SQL audit log retention period meets requirements

An RDS for MySQL instance is considered compliant if SQL Audit is enabled and the log retention period is greater than or equal to the specified value. The default value is 180 days.

Enable historical events for RDS instances

An RDS instance is considered compliant if the historical event log is enabled.

Correctly enable the whitelist for RDS instances

An RDS instance is considered compliant if a whitelist is enabled and the whitelist does not contain 0.0.0.0/0.