rds-cpu-min-count-limit

Check the minimum number of CPUs for an RDS instance.

Trigger type: configuration change

Resource: ACS::RDS::DBInstance

Parameter: cpuCount (minimum number of CPUs in an RDS instance)

Solution: when the number of CPUs of an RDS instance under your account is smaller than the threshold that you set, the rule is not compliant.

Method 1: change the RDS instance specification so that the number of CPUs of the RDS instance after the change is greater than or equal to the threshold you set. Config detects your changes within 10 minutes and automatically starts the audit.


Method 2: modify the threshold of rule parameters, and click re-audit. Then, refresh the page for verification.

Modify instance specifications by calling the ModifyDBInstanceSpec API.

rds-desired-instance-type

Check whether the RDS instance has the specified instance type.

Trigger type: configuration change

Resource: ACS::RDS::DBInstance

Parameter: instanceTypes (list of RDS instance types separated by commas). For example: rds.mysql.s2.large and mysql.n1.micro.1.

Troubleshooting: if the instance type of an RDS instance under your account is not listed in the rule parameter threshold, the rule is not compliant. If the rule parameter threshold list contains the instance type of the RDS instance, the rule is compliant.

Method 1: Change the RDS instance type to one of the instance types listed in the rule parameter threshold. Config detects your changes within 10 minutes and automatically starts the audit.

Method 2: Edit the rule parameter threshold and add the instance type of the RDS instance to the rule parameter threshold. Edit the content and click re-audit. Then, refresh the page for verification.

Change the instance type in the RDS console: log on to the RDS console and choose More > Change Configuration to change the instance type.


Modify instance specifications by calling the ModifyDBInstanceSpec API.

rds-high-availability-category

Check whether the RDS instance has high availability.

Trigger type: configuration change

Resource: ACS::RDS::DBInstance

Request parameters: none

Troubleshooting: if the RDS instances under your account do not have high availability, the rule is not compliant.

Method 1: ApsaraDB RDS instances other than SQL Server cannot be upgraded to a different edition, so you must purchase a new instance. When purchasing an RDS instance, select High-availability Edition as the RDS instance series. Config detects your changes within 10 minutes and automatically starts the audit.

Processing of non-compliant old RDS instances: you can manually release a pay-as-you-go instance or unsubscribe from a subscription instance. You can log on to the Unsubscribe page to cancel the subscription.

After an instance is released, the instance data is immediately cleared. We recommend that you back up your data before you release an instance.

For more information about how to release an instance, see:

  1. ApsaraDB RDS for MySQL: Release an RDS for MySQL instance
  2. RDS for SQL Server: Release an RDS for SQL Server instance
  3. RDS for PostgreSQL: Release an RDS for PostgreSQL instance
  4. RDS for PPAS: Release an RDS for PPAS instance
  5. RDS for MariaDB TX: Release an RDS for MariaDB instance

You can upgrade an ApsaraDB RDS for SQL Server instance from Basic Edition to High-availability Edition. During the upgrade, you can also upgrade the SQL Server version. Config detects your changes within 10 minutes and automatically starts the audit.

For more information, see Upgrade from Basic Edition to High-availability Edition.


Console operation: log on to the console purchase page, click Basic configuration > Series selection.

SQL Server upgrade: log on to the RDS console. On the basic information page, click Upgrade version.


The following table lists the upgrade rules.


API operation: When you call the CreateDBInstance API to create an RDS instance, set the value of Category to HighAvailability (High-availability Edition).

rds-instance-enabled-security-ip-list

Check whether the whitelist function is enabled for the RDS instances under your account. If it is enabled, the rule is compliant.

Trigger type: configuration change

Resource: ACS::RDS::DBInstance

Request parameters: none

Troubleshooting: if the whitelist of the RDS instances under your account is 0.0.0.0/0, this rule is not compliant. Modify the whitelist of the RDS instance so that its value is not 0.0.0.0/0. Config detects your changes within 10 minutes and automatically starts the audit.

Console operation: go to the RDS console, open the RDS instance details page > Data Security, modify the whitelist value, and remove the 0.0.0.0/0 setting.


API operation: call ModifySecurityIps to modify the values of SecurityIps in the whitelist.

rds-instance-storage-min-size-limit

Check the minimum storage space limit of the RDS instance.

Trigger type: configuration change

Resource: ACS::RDS::DBInstance

Parameter: storageSize (minimum storage space of an RDS instance)

Troubleshooting: if the storage space of an RDS instance under your account is smaller than the threshold you set, this rule is not compliant.

Method 1: change the RDS instance specification so that the storage capacity of the RDS instance after the change is greater than or equal to the threshold value you set. Config detects your changes within 10 minutes and automatically starts the audit.


Method 2: modify the threshold of rule parameters, and click re-audit. Then, refresh the page for verification.

Modify instance specifications by calling the ModifyDBInstanceSpec API.

rds-instances-in-vpc

Check whether your RDS instance belongs to a Virtual Private Cloud (VPC). You can also specify the IDs of the VPCs that your instances must be associated with. The rule is compliant when the instance belongs to one of the specified VPCs.

Trigger type: configuration change

Resource: ACS::RDS::DBInstance

Request parameters:

vpcIds

The ID of the VPC that contains these instances. Separate multiple VPC IDs with commas (,), for example, vpc-25vk5xwn8, vpc-6wesmaymqkgiuru5xmkvx, vpc-8vbc16loavvujlzli1yc8.

Troubleshooting: if the VpcId bound to the RDS instance under your account is not listed in the rule parameter threshold, the rule is not compliant.

Method 1: create a new RDS instance and bind the instance to one of the VpcId listed in the rule parameter threshold. Config detects your changes within 10 minutes and automatically starts the audit.

When purchasing RDS, select VPC in network and security group-VPC.

Method 2: Edit the rule parameter threshold and add the VpcId bound to the RDS instance to the rule parameter threshold. Edit the content and click re-audit. Then, refresh the page for verification.

rds-memory-min-size-limit

This metric checks the minimum memory capacity of an RDS instance.

Trigger type: configuration change

Resource: ACS::RDS::DBInstance

Parameter: memorySize (minimum memory capacity of an RDS instance)

Solution: when the memory capacity of your RDS instance is smaller than the threshold you set, the rule is not compliant.

Method 1: change the RDS instance specification so that the memory capacity of the RDS instance after the change is greater than or equal to the threshold you set. Config detects your changes within 10 minutes and automatically starts the audit.


Method 2: modify the threshold of rule parameters, and click re-audit. Then, refresh the page for verification.

To change the instance type, call ModifyDBInstanceSpec and change the value of DBInstanceClass.
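The five parameterised rules above (cpuCount, memorySize, storageSize, instanceTypes, vpcIds) can be rehearsed locally before a re-audit. This is an added example, not Config's own code; the instance record keys and the sample instances are constructed, and thresholds are assumed to be in the same unit as the instance values.

```python
# Constructed record layout: the keys cpu, memory, storage, instance_type and
# vpc_id are assumptions for this example, not Config's resource schema.
MIN_RULES = {
    "rds-cpu-min-count-limit": ("cpuCount", "cpu"),
    "rds-memory-min-size-limit": ("memorySize", "memory"),
    "rds-instance-storage-min-size-limit": ("storageSize", "storage"),
}
LIST_RULES = {
    "rds-desired-instance-type": ("instanceTypes", "instance_type"),
    "rds-instances-in-vpc": ("vpcIds", "vpc_id"),
}

def parse_list(value):
    """Split a comma-separated rule parameter, tolerating spaces after commas."""
    return {item.strip() for item in value.split(",") if item.strip()}

def evaluate(instance, params):
    """Map each rule whose parameter is set to True (compliant) or False."""
    results = {}
    for rule, (param, field) in MIN_RULES.items():
        if param in params:
            # Compliant when the value is greater than or equal to the threshold.
            results[rule] = instance[field] >= params[param]
    for rule, (param, field) in LIST_RULES.items():
        if param in params:
            # An instance with no value (e.g. no VPC bound) can never be listed.
            results[rule] = instance.get(field) in parse_list(params[param])
    return results

# Constructed sample data; the parameter strings reuse the page's own examples.
PARAMS = {
    "cpuCount": 4,
    "instanceTypes": "rds.mysql.s2.large, mysql.n1.micro.1",
    "vpcIds": "vpc-25vk5xwn8, vpc-6wesmaymqkgiuru5xmkvx",
}
INSTANCES = [
    {"id": "rm-example-0001", "cpu": 2, "memory": 4096, "storage": 50,
     "instance_type": "rds.mysql.s2.large", "vpc_id": "vpc-25vk5xwn8"},
    {"id": "rm-example-0002", "cpu": 8, "memory": 16384, "storage": 100,
     "instance_type": "mysql.n1.micro.1", "vpc_id": None},
]

if __name__ == "__main__":
    for inst in INSTANCES:
        print(inst["id"], evaluate(inst, PARAMS))
```

Rules whose parameter is absent from the parameter set are skipped, so the same function can rehearse a single rule or all five.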

rds-multi-az-support

Check whether your RDS instance supports multiple zones.

Resource: ACS::RDS::DBInstance

Trigger type: configuration change

Request parameters: none

Troubleshooting: if the RDS instances under your account do not support multiple zones, this rule is not compliant.

Method 1: You can migrate MySQL, SQL Server, and PPAS instances across zones. After the RDS instance zone is migrated, Config detects your changes within 10 minutes and automatically starts the audit.

For more information about the risks of zone migration and the procedure, see:

  1. ApsaraDB RDS for MySQL: Migrate an RDS for MySQL instance across zones in the same region
  2. RDS for SQL Server: Migrate an RDS for SQL Server instance across zones in the same region
  3. RDS for PPAS: Migrate an RDS for PPAS instance across zones in the same region

Method 2: If the RDS instance does not support zone migration, you need to purchase a new RDS instance. When purchasing an RDS instance, select a multi-zone option as the RDS zone. Config detects your changes within 10 minutes and automatically starts the audit.

Processing of non-compliant old RDS instances: you can manually release a pay-as-you-go instance or unsubscribe from a subscription instance. You can log on to the Unsubscribe page to cancel the subscription.

After an instance is released, the instance data is immediately cleared. We recommend that you back up your data before you release an instance.

For more information about how to release an instance, see:

  1. ApsaraDB RDS for MySQL: Release an RDS for MySQL instance
  2. RDS for SQL Server: Release an RDS for SQL Server instance
  3. RDS for PostgreSQL: Release an RDS for PostgreSQL instance
  4. RDS for PPAS: Release an RDS for PPAS instance
  5. RDS for MariaDB TX: Release an RDS for MariaDB instance

Console operation: on the console purchase page, under Basic configuration > Zone, select a multi-zone option.


API operation:

When you call the CreateDBInstance API to create an RDS instance, enter the value of ZoneId in the multi-zone format.

You can call this operation to migrate an instance from one zone to another.

rds-public-access-check

Checks whether the RDS instance allows public network access.

Trigger type: configuration change

Resource: ACS::RDS::DBInstance

Request parameters: none

Troubleshooting: if the whitelist of the RDS instances under your account is 0.0.0.0/0, this rule is not compliant. Modify the whitelist of the RDS instance so that its value is not 0.0.0.0/0. Config detects your changes within 10 minutes and automatically starts the audit.

Console operation: go to the RDS console, open the RDS instance details page > Data Security, modify the whitelist value, and remove the 0.0.0.0/0 setting.


API operation: call ModifySecurityIps to modify the values of SecurityIps in the whitelist.
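The whitelist condition used by rds-instance-enabled-security-ip-list and rds-public-access-check can be checked offline against exported SecurityIps values before calling ModifySecurityIps. This is an added example, not Config's own logic; the record layout and instance IDs are constructed, and it generalises the page's 0.0.0.0/0 case to any zero-length prefix.

```python
import ipaddress

def open_entries(security_ips):
    """Return the whitelist entries that admit every address (prefix length 0)."""
    flagged = []
    for raw in security_ips.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # not an IP or CIDR entry; outside the scope of this check
        if net.prefixlen == 0:
            flagged.append(entry)
    return flagged

def audit(instances):
    """Map each non-compliant instance ID to its open entries and a proposed
    SecurityIps value with those entries removed."""
    findings = {}
    for inst in instances:
        bad = open_entries(inst["SecurityIps"])
        if not bad:
            continue
        keep = [e.strip() for e in inst["SecurityIps"].split(",")
                if e.strip() and e.strip() not in bad]
        # An empty proposal means the operator must supply explicit sources.
        findings[inst["DBInstanceId"]] = {"open": bad, "proposed": ",".join(keep)}
    return findings

# Constructed sample records (IDs and addresses are illustrative only).
SAMPLE = [
    {"DBInstanceId": "rm-example-0001", "SecurityIps": "0.0.0.0/0"},
    {"DBInstanceId": "rm-example-0002", "SecurityIps": "10.0.0.0/8, 192.168.1.10"},
    {"DBInstanceId": "rm-example-0003", "SecurityIps": "172.16.5.0/24,0.0.0.0/0 "},
]

if __name__ == "__main__":
    for instance_id, finding in audit(SAMPLE).items():
        print(instance_id, finding)
```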