Sensitive Data Discovery and Protection (SDDP) must be authorized to access your data in MaxCompute, Relational Database Service (RDS), Object Storage Service (OSS), or user-created databases hosted on Elastic Compute Service (ECS) instances before it can detect sensitive data in the services.

Authorize SDDP to access one or more OSS buckets

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Security Configuration > Authorization Configuration.
  3. On the Asset Authorization and Status page that appears, click Configure Asset Authorization.
  4. In the Configure Asset Authorization dialog box, click the OSS bucket Access Authorization tab and authorize SDDP to access your OSS buckets in one of the following ways:
    • Click One-click batch authorization to authorize SDDP to access all OSS buckets in the OSS bucket list.
    • Select one or more OSS buckets and click Batch authorization at the bottom of the bucket list to authorize SDDP to access the selected OSS buckets. If SDDP is already authorized to access the selected OSS buckets, clicking this button cancels the authorization.
    • Find the target OSS bucket and turn on or off the switch in the Enable authorization column to authorize SDDP to access the OSS bucket or cancel the authorization.
    In the Configure Asset Authorization dialog box, you can also perform the following operations on OSS buckets:
    • Enable or disable the audit feature for multiple OSS buckets at a time
      Select one or more OSS buckets and click Batch audit at the bottom of the bucket list to enable or disable the audit feature for these OSS buckets at a time.
    • Set the log retention period for multiple OSS buckets at a time
      Select one or more OSS buckets and click Batch setting log storage time at the bottom of the bucket list to set the log retention period for these OSS buckets at a time. You can set the log retention period to 30, 90, 180, or 365 days.
  5. Click Complete Authorization.
    After the authorization is completed, the OSS buckets appear in the list of authorized assets in the SDDP console. SDDP scans data in the OSS buckets for sensitive data.

    In the list of authorized OSS buckets, you can rescan an OSS bucket, edit an OSS bucket, or cancel the authorization for an OSS bucket. After you click Rescan in the Actions column for an OSS bucket, SDDP scans the OSS bucket again for sensitive data. After you click Edit in the Actions column for an OSS bucket, the Edit Connection Authorization dialog box appears. In this dialog box, you can modify the authorization configuration of the OSS bucket. After you cancel the authorization for an OSS bucket, SDDP no longer scans data in the OSS bucket.

    Note SDDP only scans data in authorized OSS buckets and analyzes risks of sensitive data detected in these OSS buckets.

Authorize SDDP to access an RDS database

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Security Configuration > Authorization Configuration.
  3. On the Asset Authorization and Status page that appears, click Configure Asset Authorization.
  4. In the Configure Asset Authorization dialog box, click the RDS Database Access Authorization tab and set authorization parameters, as described in the following table.
    • Please select your region: The region of the RDS database that you want to authorize SDDP to access.
    • Database type: The type of the RDS database that you want to authorize SDDP to access. Valid values: MySQL and SQL Server.
    • Select the database instance and the corresponding database that needs to be authorized: The names of the RDS instance and RDS database that you want to authorize SDDP to access.
    • Please enter your username / Please enter your password: The username and password of a valid user of the RDS database.
    • Data Audit: Optional. Specifies whether to enable the audit feature for the RDS database. You can turn on Data Audit to collect audit logs for the RDS database. After you enable the audit feature, you must set the retention period of audit logs, which can be 30, 90, 180, or 365 days. For more information about the billing of the audit feature, see Pay-as-you-go.

    SDDP allows you to collect audit logs that cover the generation, update, and use of your data assets. The log information includes the audit rule that is hit for an asset, the type of the asset, the type of the operation that hits the rule, and the operator account.

    Note After you enable the audit feature for the RDS database, SQL Explorer is automatically enabled, which incurs corresponding fees. For more information, see SQL Explorer. You are charged an hourly fee of USD 0.0018 per GB for using SQL Explorer of the non-trial edition. The fee is listed in the bill of your RDS service. For more information about how to view the fee, see View spending details.
  5. Click Complete Authorization.
    Note If the authorization fails, check whether the parameters about the RDS database are correctly set.
    After the authorization is completed, the RDS database appears in the list of authorized assets in the SDDP console. SDDP scans data in the RDS database for sensitive data.
    In the list of authorized RDS databases, you can edit an RDS database or cancel the authorization for an RDS database. When editing an RDS database, you can modify only the username and password for accessing the RDS database. After you cancel the authorization for an RDS database, SDDP no longer scans data in the RDS database.

Authorize SDDP to access a MaxCompute project

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Security Configuration > Authorization Configuration.
  3. On the Asset Authorization and Status page that appears, click Configure Asset Authorization.
  4. In the Configure Asset Authorization dialog box, click the MaxCompute Project Access Authorization tab and set authorization parameters, as described in the following table.
    • Please select your region: The region of the MaxCompute project that you want to authorize SDDP to access.
    • Project Name: The name of the MaxCompute project that you want to authorize SDDP to access.
      Note You must enter the exact name of the MaxCompute project.
  5. Run the following commands on the MaxCompute client to add the SDDP account yundun_sddp to the MaxCompute project. SDDP uses this account to access the MaxCompute project.
    add user aliyun$yundun_sddp;
    
    grant admin to aliyun$yundun_sddp;
  6. Click Complete Authorization.
    Note If the authorization fails, check whether the parameters about the MaxCompute project are correctly set and whether the SDDP account is successfully added to the MaxCompute project.
    After the authorization is completed, the MaxCompute project appears in the list of authorized assets in the SDDP console. SDDP scans data in the MaxCompute project for sensitive data.
    In the list of authorized MaxCompute projects, you can cancel the authorization for a MaxCompute project. After you cancel the authorization for a MaxCompute project, SDDP no longer scans data in the MaxCompute project.
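The commands in step 5 grant the SDDP account the admin role on the project, so it is worth confirming that the grant landed before you click Complete Authorization, and removing the account once you cancel the authorization. The following is an added example, not part of the original page: it assumes you run it on the MaxCompute client as the project owner, and the account name is the one the page specifies.

```sql
-- Added verification (not from the original page): confirm the SDDP account
-- exists in the project and holds the admin role granted in step 5.
-- Assumption: run on the MaxCompute client by the project owner.
list users;                              -- aliyun$yundun_sddp should be listed
show grants for aliyun$yundun_sddp;      -- should show the admin role

-- Added cleanup for after you cancel the authorization in the SDDP console:
-- the page does not say the account is removed for you, so revoke the role
-- and drop the account explicitly to close that access path.
revoke admin from aliyun$yundun_sddp;
remove user aliyun$yundun_sddp;
```

If the first two commands show the account missing or without the admin role, that matches the "SDDP account fails to be added" cause in the troubleshooting list below.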

Authorize SDDP to access a user-created database hosted on an ECS instance

A database hosted on an ECS instance must meet the following requirements before it can be scanned by SDDP:
  • The ECS instance resides in a Virtual Private Cloud (VPC).
  • The database is a MySQL or SQL Server database.
  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Security Configuration > Authorization Configuration.
  3. On the Asset Authorization and Status page that appears, click Configure Asset Authorization.
  4. In the Configure Asset Authorization dialog box, click the ECS self-built database tab and set authorization parameters, as described in the following table.
    • Database type: The type of the database that you want to authorize SDDP to access. Valid values: MySQL and SQL Server.
    • Region: The region of the database that you want to authorize SDDP to access.
    • ECS instance ID/Port: The ID and port number of the ECS instance where the database is hosted.
    • Database name: The name of the database that you want to authorize SDDP to access.
      Note If you also want to authorize SDDP to access other user-created databases hosted on the ECS instance, click + Add Database on the right to add the databases.
    • User name / Password: The username and password of a valid user of the database.
  5. Click Complete Authorization.
    After the authorization is completed, the database hosted on the ECS instance appears in the list of authorized assets in the SDDP console. SDDP scans data in the database for sensitive data.
    In the list of authorized user-created databases, you can cancel the authorization for a database. After you cancel the authorization for a database, SDDP no longer scans data in the database.
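Both the RDS and the ECS-hosted database procedures above only ask for "a valid user of the database". A dedicated scan account limited to read access, rather than an application or administrator account, is the least-privilege way to satisfy that. This is an added example for a MySQL database, not part of the original page: the account name, the host range (the SDDP server's source address range), the password placeholder and the database name are all constructed, and SELECT being sufficient for the scan is an assumption to confirm by completing the authorization in the console.

```sql
-- Added example (not from the original page): a dedicated read-only MySQL
-- account for SDDP to use when you complete the RDS or ECS authorization.
-- Assumptions: 'sddp_scan', '10.0.0.%' (the SDDP source range), the password
-- placeholder and 'hr_db' are constructed; SELECT is assumed to be enough.
CREATE USER 'sddp_scan'@'10.0.0.%' IDENTIFIED BY '<generated-strong-password>';
GRANT SELECT ON hr_db.* TO 'sddp_scan'@'10.0.0.%';

-- Check what the account can actually do before entering it in the console.
SHOW GRANTS FOR 'sddp_scan'@'10.0.0.%';

-- Cleanup once you cancel the authorization in the SDDP console, so the
-- credentials given to the scanner stop working.
DROP USER 'sddp_scan'@'10.0.0.%';
```

If the authorization fails with this account, re-check the host range against the whitelist and access-control causes in the troubleshooting list below before widening its grants.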

Troubleshoot an authorization failure

An authorization failure may occur when you authorize SDDP to access data in OSS, RDS, MaxCompute, or a user-created database hosted on an ECS instance. In this case, you can troubleshoot the authorization failure based on the following possible causes:
  • Possible causes of an authorization failure for RDS
    • The username or password for accessing the RDS database is incorrect.
    • The IP address of the SDDP server is deleted from the whitelist in the RDS console.
    • The target instance that SDDP needs to access is located in the classic network, but the public endpoint of the instance is inaccessible due to access control.
  • Possible causes of an authorization failure for MaxCompute
    • The name of the MaxCompute project is incorrect.
    • The SDDP account fails to be added to the MaxCompute project.