Evaluates whether a dynamic ApsaraDB RDS secret exists for each ApsaraDB RDS instance. If a secret exists, the resource is compliant.
Scenarios
Use this rule to enforce dynamic ApsaraDB RDS secrets with periodic auto-rotation, reducing the risk of credential leaks.
Risk level
Default risk level: medium.
You can change the risk level based on your business requirements when you apply this rule.
Compliance evaluation logic
- If a dynamic ApsaraDB RDS secret exists for an ApsaraDB RDS instance, the evaluation result is Compliant.
- If no dynamic ApsaraDB RDS secret exists for an ApsaraDB RDS instance, the evaluation result is Incompliant. For information about how to fix this, see Incompliance remediation.
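The evaluation above, worked through as an added example (not code from the rule page or from Alibaba Cloud): each RDS instance is marked Compliant only if a KMS secret of the dynamic RDS type references it. The secret field names (`SecretType`, `ExtendedConfig`, `DBInstanceId`) and the sample instances and secrets are assumptions constructed for the example.

```python
import json

# Constructed sample: RDS instances present in the account.
RDS_INSTANCES = ["rm-sample-0001", "rm-sample-0002"]

# Constructed sample of secret metadata as a KMS listing might return it.
# Field names are an assumption about the API shape, not from the rule page.
KMS_SECRETS = [
    {"SecretName": "rds-app-user", "SecretType": "RDS",
     "ExtendedConfig": json.dumps({"SecretSubType": "SingleUser",
                                   "DBInstanceId": "rm-sample-0001"})},
    {"SecretName": "generic-api-key", "SecretType": "Generic",
     "ExtendedConfig": ""},
    {"SecretName": "broken-rds", "SecretType": "RDS",
     "ExtendedConfig": "{not json"},
]


def instances_with_dynamic_rds_secret(secrets):
    """Return the set of instance IDs covered by a dynamic RDS secret."""
    covered = set()
    for secret in secrets:
        if secret.get("SecretType") != "RDS":
            continue  # a generic secret does not rotate a DB account
        try:
            cfg = json.loads(secret.get("ExtendedConfig") or "{}")
        except json.JSONDecodeError:
            continue  # a malformed config cannot prove coverage
        instance_id = cfg.get("DBInstanceId")
        if instance_id:
            covered.add(instance_id)
    return covered


def evaluate(instances, secrets):
    """Map each instance to Compliant / Incompliant per the rule logic."""
    covered = instances_with_dynamic_rds_secret(secrets)
    return {i: ("Compliant" if i in covered else "Incompliant")
            for i in instances}


if __name__ == "__main__":
    for instance, result in evaluate(RDS_INSTANCES, KMS_SECRETS).items():
        print(f"{instance}: {result}")
```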
Rule details
| Item | Description |
| --- | --- |
| Rule name | rds-account-managed-by-kms |
| Rule identifier | rds-account-managed-by-kms |
| Tag | RDS |
| Automatic remediation | Not supported |
| Trigger type | Periodic execution |
| Evaluation frequency | Interval of 24 hours |
| Supported resource type | ApsaraDB RDS instance |
| Input parameter | None |
Incompliance remediation
Create a dynamic ApsaraDB RDS secret for the ApsaraDB RDS instance. For more information, see Manage dynamic ApsaraDB RDS secrets.