Manage whitelists


Data Security Center (DSC) provides a system whitelist feature that allows you to add trusted IP addresses and data assets (including asset types, instances, databases, tables, accounts, and operation types) to a whitelist. DSC does not generate audit alerts for risky activities from whitelisted data assets or IP addresses, which helps reduce unnecessary alerts. This topic describes how to add, edit, and delete system whitelist rules.

Prerequisites

Authorize the data assets for which you want to configure whitelist rules.

Background information

DSC detects risky activities on authorized data assets and generates audit alerts. This feature is enabled by default and uses built-in audit alert rules for detection.

Built-in audit rule types include abnormal operation rules, data breach rules, vulnerability attack rules, SQL injection rules, and risky operation rules. You can also add and enable custom audit rules. For more information, see Configure and enable audit alert rules.

If you confirm that database activities from certain IP addresses or accounts are expected, you can add a whitelist rule. When DSC detects an activity that matches a whitelist rule, it does not generate an alert for the database or OSS operation.

When you handle an audit alert, you can choose to add the source to a whitelist. The whitelisted account or IP address is then added to the system whitelist. The corresponding whitelist rule name is in the format <Alert Time> <Audit Alert Rule Name>, for example, 2024-05-21 20:58:09 OSS rule test. For more information, see View and handle audit alerts.

Limits

Each whitelist rule has the following limits:

  • You can select only one asset type.

  • You must specify at least one account, IP address, or IP range.

  • You can specify a maximum of 10 IP addresses or IP ranges, and a maximum of 10 accounts.

  • If a rule includes multiple instances and multiple accounts, the system applies a logical OR between items of the same type and a logical AND between items of different types. For example, a rule with instance A, instance B, account A, and account B matches activities from (instance A OR instance B) AND (account A OR account B).
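To make the matching semantics concrete, here is an added Python model (not DSC's own code) of how a rule is validated and matched under the limits above: OR between items of one type, AND across types, and a rule with neither an account nor an IP whitelisting nothing. The field names and the shape of the event dictionary are assumptions made for this illustration.

```python
# Added example (not DSC's own code): local model of how a DSC system whitelist
# rule is validated and matched, following the limits listed above.
import ipaddress
from dataclasses import dataclass, field

MAX_IPS = 10
MAX_ACCOUNTS = 10

@dataclass
class WhitelistRule:
    name: str
    asset_type: str  # exactly one asset type per rule
    instances: set = field(default_factory=set)
    accounts: set = field(default_factory=set)
    ips: list = field(default_factory=list)  # "10.0.0.5" or "10.0.1.0/24"
    operations: set = field(default_factory=set)  # empty = all operation types

def validate(rule):
    """Return the limit violations; an empty list means the rule is usable."""
    problems = []
    if not rule.accounts and not rule.ips:
        problems.append("must specify at least one account, IP address, or IP range")
    if len(rule.ips) > MAX_IPS:
        problems.append(f"more than {MAX_IPS} IP addresses or ranges")
    if len(rule.accounts) > MAX_ACCOUNTS:
        problems.append(f"more than {MAX_ACCOUNTS} accounts")
    for ip in rule.ips:
        try:
            ipaddress.ip_network(ip, strict=False)
        except ValueError:
            problems.append(f"invalid IP address or range: {ip}")
    return problems

def matches(rule, event):
    """OR between items of one type, AND across types; an empty field is unconstrained."""
    if validate(rule):
        return False  # an invalid rule whitelists nothing, so alerts keep firing
    if event["asset_type"] != rule.asset_type:
        return False
    if rule.instances and event["instance"] not in rule.instances:
        return False
    if rule.accounts and event["account"] not in rule.accounts:
        return False
    if rule.ips:
        src = ipaddress.ip_address(event["source_ip"])
        if not any(src in ipaddress.ip_network(r, strict=False) for r in rule.ips):
            return False
    if rule.operations and event["operation"] not in rule.operations:
        return False
    return True
```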

Effective time

After you add, edit, or delete a system whitelist rule, the new configuration takes effect within one minute.

Add a whitelist rule

To prevent DSC from generating alerts for trusted data assets, IP addresses, or IP ranges, add them to the system whitelist.

  1. Log on to the Data Security Center console.

  2. In the navigation pane on the left, select System Settings > Whitelist.

  3. On the Whitelist page, click Add Entry.

  4. In the Add Entry dialog box, configure the parameters and click OK.

    A message at the top of the dialog box indicates that whitelisted items will no longer trigger alerts, but their logs can still be viewed in Log Analysis. The form also includes the SQL template field. You can select a database and click + Create Template to create a new template.

    Parameters:

    Rule name
      Enter a custom name for the whitelist rule. Use an easily identifiable name. The name can be up to 100 characters long.

    IP
      Enter the IP addresses or IP ranges to add to the whitelist. You can enter a maximum of 10 IP addresses or IP ranges. You can separate multiple entries with a comma or a line break.

    Data asset
      Select an asset type, and then select the corresponding assets, such as an RDS instance, a database, a table, and an account. You can select multiple asset instances and accounts. Click the Account drop-down list and click Add custom account at the end of the list to enter one or more custom accounts.

    Operation type
      By default, all operation types are selected. You can select one or more operation types for the data asset based on your business requirements.

  5. After adding the rule, you can find it in the list by searching for its asset type or rule name.

    The list displays fields such as the rule name, SQL template, account, IP, and data asset. For each rule, you can click Details, Edit, or Delete.

Edit or delete a whitelist rule

To re-enable audit alert detection for a specified IP address or account, you can edit or delete the corresponding whitelist rule.

Note

You cannot change the asset type when you edit an existing whitelist rule.

  1. Log on to the Data Security Center console.

  2. In the navigation pane on the left, select System Settings > Whitelist.

  3. Find the target whitelist rule and click Edit or Delete in the Actions column.

API reference

You can use the Alibaba Cloud SDK to call the following API operations and query information about data assets that are authorized to DSC. For supported languages, installation, and integration instructions, see Data Security Center SDK and Alibaba Cloud SDK.

  • To query the list of authorized assets, see DescribeParentInstance.

  • To query the list of data assets such as instances, databases, and buckets that are authorized for scanning, see DescribeDataLimits.

  • To query the list of instances, databases, or buckets of a specified product that are authorized for scanning, see DescribeDataLimitSet.

FAQ

  • Can I add custom accounts when I configure a whitelist? How many can I add?

    Yes. You can add a maximum of 10 accounts to one whitelist rule.

  • Why can't I select databases or data tables from my authorized data assets when I configure a whitelist rule in the console?

    The data identification scan for the authorized data assets has not completed. Wait for the scan task to finish. For more information, see Scan for sensitive data by using a data identification task.

  • Why are audit alerts still generated for a whitelisted data asset instance?

    The whitelist rule is invalid if it does not specify at least one account, IP address, or IP range.