ApsaraDB RDS: Best practices for data security

Last Updated: Oct 25, 2023

ApsaraDB RDS provides basic protection for critical data. This topic describes how to create and configure ApsaraDB RDS instances to improve data security.

Instance disaster recovery

  • RDS Enterprise Edition (formerly known as Finance Edition)

    To further meet the requirements for high reliability and data security in various business scenarios, ApsaraDB RDS provides RDS Enterprise Edition. In RDS Enterprise Edition, your database system consists of a primary RDS instance and two secondary RDS instances. Data is replicated between these instances to ensure strong data consistency and financial-grade reliability.

    You can select RDS Enterprise Edition when you create an RDS instance. For more information, see Create an ApsaraDB RDS for MySQL instance.

  • Multi-zone deployment

    Each region consists of multiple zones. The network latency between the zones in the same region is less than 3 ms. A fault in one zone does not affect the services in the other zones. If you select the multi-zone deployment method, the physical hosts on which your database system is deployed can reside in different zones. This way, if one zone fails, your workloads can be switched over to another zone within a short period of time. The entire switchover process is transparent and does not require changes to your application code.

    You can select the multi-zone deployment method when you create an RDS instance. For more information, see Create an ApsaraDB RDS for MySQL instance.

    If you select the single-zone deployment method, you can migrate your RDS instance to multiple zones. You can do this only when the region where your RDS instance resides can provide multiple available zones. For more information, see Migrate an ApsaraDB RDS for MySQL instance across zones in the same region.

  • Cross-region disaster recovery RDS instances

    ApsaraDB RDS uses Data Transmission Service (DTS) to synchronize data in real time between a primary RDS instance and its disaster recovery RDS instance, which resides in a different region from the primary RDS instance. Both the primary RDS instance and the disaster recovery RDS instance are deployed based on a primary/secondary high-availability architecture. If the primary RDS instance and the secondary RDS instance are inaccessible due to unexpected natural disasters, you can switch your workloads over to the disaster recovery RDS instance and then update the endpoint information on your application to minimize downtime.

    For more information, see Create a disaster recovery ApsaraDB RDS for MySQL instance.

  • Cross-region backups

    ApsaraDB RDS supports cross-region backups. After you enable cross-region backups, the backup files of your RDS instance are automatically replicated to an Object Storage Service (OSS) bucket in a different region. The cross-region data backup files can be used for monitoring and disaster recovery. Cross-region backup files are independent of RDS instances. After your RDS instance is released, its cross-region backup files are still retained based on the cross-region backup retention period that you specify.

    For more information, see Use the cross-region backup feature.

Access control

  • RAM user authorization

    Resource Access Management (RAM) allows you to create and manage RAM users and control the permissions of RAM users on the resources within your Alibaba Cloud account. If multiple users in your enterprise need to use the same resources at the same time, we recommend that you follow the principle of least privilege (PoLP) when you assign permissions to the users. This prevents the users from sharing the same key and reduces information security risks for your enterprise.

    For more information, see Use RAM for resource authorization.

  • Prohibition of creating RDS instances for which disk encryption is not enabled

    You can configure a RAM policy for a RAM user to prevent the RAM user from creating RDS instances for which disk encryption is not enabled.

    For more information, see Use RAM policies to manage the permissions of RAM users on ApsaraDB RDS instances.

  • Database account authorization

    ApsaraDB RDS allows you to grant permissions to database accounts based on your business requirements in the production environment.

    You can create an account and grant the permissions on specific databases to the account in the ApsaraDB RDS console. For more information, see Create accounts and databases.

    If you want to use an account to manage a specific table in a database, you can execute an SQL statement to grant the permissions on the table to the account. For more information, see Authorize accounts to manage tables, views, and fields.
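
The table-, view- and column-level grants described under Database account authorization, as an added example that is not part of the original page. It uses plain MySQL syntax run from a privileged account; the database, table, view and account names are constructed for illustration and the passwords are placeholders.

```sql
-- Constructed schema for the example (names are hypothetical).
CREATE DATABASE IF NOT EXISTS appdb;
CREATE TABLE IF NOT EXISTS appdb.orders (
  order_id    BIGINT PRIMARY KEY,
  customer_id BIGINT NOT NULL,
  card_last4  CHAR(4),
  status      VARCHAR(16) NOT NULL,
  created_at  DATETIME NOT NULL
);
CREATE OR REPLACE VIEW appdb.v_order_summary AS
  SELECT status, COUNT(*) AS orders FROM appdb.orders GROUP BY status;

-- Accounts can also be created in the console; passwords here are placeholders.
CREATE USER IF NOT EXISTS 'order_svc'@'%' IDENTIFIED BY '<PLACEHOLDER_PASSWORD_1>';
CREATE USER IF NOT EXISTS 'report_ro'@'%' IDENTIFIED BY '<PLACEHOLDER_PASSWORD_2>';

-- Table level: the service account reads and writes one table, nothing else.
GRANT SELECT, INSERT, UPDATE ON appdb.orders TO 'order_svc'@'%';

-- Column (field) level: the reporting account reads only non-sensitive columns,
-- so customer_id and card_last4 stay out of reach.
GRANT SELECT (order_id, status, created_at) ON appdb.orders TO 'report_ro'@'%';

-- View level: expose the aggregate without granting the base table.
GRANT SELECT ON appdb.v_order_summary TO 'report_ro'@'%';

-- Check what one account ended up with.
SHOW GRANTS FOR 'report_ro'@'%';

-- Audit 1: accounts holding privileges on the whole database; each row is a
-- candidate for narrowing to table or column scope.
SELECT grantee, privilege_type
  FROM information_schema.schema_privileges
 WHERE table_schema = 'appdb';

-- Audit 2: every table- and column-scoped privilege in the database.
SELECT grantee, table_name, NULL AS column_name, privilege_type
  FROM information_schema.table_privileges
 WHERE table_schema = 'appdb'
UNION ALL
SELECT grantee, table_name, column_name, privilege_type
  FROM information_schema.column_privileges
 WHERE table_schema = 'appdb'
ORDER BY grantee, table_name;
```

With these grants, `report_ro` running `SELECT * FROM appdb.orders` is rejected because the wildcard includes columns it was not granted, while a query that names only the three granted columns succeeds.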

Network isolation

  • VPC

    ApsaraDB RDS supports multiple network types. We recommend that you use the VPC network type.

    A virtual private cloud (VPC) is an isolated network that provides higher security and higher performance than the classic network. Before you can create an RDS instance in a VPC, you must create a VPC. For more information, see Default VPC and default vSwitch.

    If your RDS instance resides in the classic network, you can migrate your RDS instance to a VPC. For more information, see Change the network type of an ApsaraDB RDS for MySQL instance. If your RDS instance resides in a VPC, no additional configurations are required.

  • IP address whitelist

    After you create an RDS instance, you must configure IP address whitelists for the RDS instance to allow access from external devices.

    For more information, see Use a database client or the CLI to connect to an ApsaraDB RDS for MySQL instance.

Log audit

  • SQL Explorer

    ApsaraDB RDS provides the SQL Explorer feature. You can use this feature to perform security audits and performance diagnostics on your RDS instance.

    For more information, see Use the SQL Explorer feature on an ApsaraDB RDS for MySQL instance.

  • Log management

    ApsaraDB RDS provides the log management feature. You can use this feature to view the error logs, slow query log details, slow query log summary, and primary/secondary switchover logs of your RDS instance. These logs help you troubleshoot issues.

    For more information, see View error logs and slow logs.

  • Event history

    ApsaraDB RDS provides the event history feature. You can use this feature to view the O&M events that are performed by users and Alibaba Cloud on your RDS instance. These events include instance creation and parameter reconfiguration.

    For more information, see View the event history of an ApsaraDB RDS instance.

Data encryption

  • SSL encryption

    When you connect to your RDS instance over the Internet, you can enable SSL encryption and install SSL CA certificates on your application. SSL encrypts the network connections at the transport layer between your RDS instance and your application. This enhances the security and integrity of data in transit but increases the response time.

    For more information, see Configure the SSL encryption feature.

  • TDE

    You can use Transparent Data Encryption (TDE) to perform real-time I/O encryption and decryption on data files. Data is encrypted before it is written to the disk and is decrypted when it is read from the disk to the memory. After you enable TDE for your RDS instance, the size of data files in your RDS instance does not increase. You can use TDE without the need to modify the configurations of your application.

    For more information, see Configure TDE.