Simple Log Service: Operation compliance of RDS instances

Last Updated: Aug 25, 2023

This topic describes the alert rules for the operation compliance of RDS instances. You can configure and enable alert rules in the Simple Log Service console to monitor the operation compliance of RDS instances. If an alert is triggered, you can identify the error cause and fix the error at the earliest opportunity.

Alert rules

RDS Instance SQL Insight Disabled Alert

ID

sls_app_audit_cis_at_rds_sql_audit

Name

RDS Instance SQL Insight Disabled Alert

Version

1

Type

Cloud Platform, Alicloud, CIS Standard, and RDS Operation Compliance

Usage

Monitors whether the SQL Explorer feature is disabled for an RDS instance. The SQL Explorer feature must be enabled for RDS instances. Otherwise, an alert is triggered.

Check Frequency

Fixed interval: 1 minute.

Time Range

The data of the last 2 minutes is checked.

Parameter Settings

Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8.

External Configurations

You can specify a whitelist of accounts that can disable the SQL Explorer feature for RDS instances. If the SQL Explorer feature is disabled by an account on the whitelist, no alert is triggered.

Solution

Do not disable the SQL Explorer feature for an RDS instance by using an account that is not included in the whitelist.

Prerequisites

The Operations Log switch of ActionTrail is turned on. To turn on the switch, go to the Log Audit Service console, and then choose Log Audit Service > Access to Cloud Products > Global Configurations.

RDS Instance Access Whitelist Abnormal Setting Alert

ID

sls_app_audit_cis_at_rds_access_whitelist

Name

RDS Instance Access Whitelist Abnormal Setting Alert

Version

1

Type

Cloud Platform, Alicloud, CIS Standard, and RDS Operation Compliance

Usage

Monitors whether the IP address whitelist that controls access to an RDS instance has an invalid setting. The IP address on the whitelist of an RDS instance cannot be set to 0.0.0.0. Otherwise, an alert is triggered.

Check Frequency

Fixed interval: 1 minute.

Time Range

The data of the last 2 minutes is checked.

Parameter Settings

Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8.

External Configurations

You can specify a whitelist of accounts. If an RDS instance belongs to an account on the whitelist and the whitelist of IP addresses to access the instance is set to 0.0.0.0, no alert is triggered.

Solution

Allow only RDS instances that belong to an account on the whitelist to set the whitelist IP address to 0.0.0.0.

Prerequisites

The Operations Log switch is turned on. To turn on the switch, go to the Log Audit Service console, and then choose Log Audit Service > Access to Cloud Products > Global Configurations.
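
The check described by this rule, written out as an added example (not the built-in rule's query and not Alibaba Cloud code). It goes slightly beyond the page by also flagging the CIDR form 0.0.0.0/0; the record shape, field names, account IDs and instance IDs are constructed for illustration, and the event name is assumed to match the RDS ModifySecurityIps operation.

```python
import ipaddress

# Assumption: account IDs exempted through External Configurations (constructed).
ACCOUNT_WHITELIST = {"1000000000000001"}

def is_open_entry(entry):
    """True if one IP whitelist entry admits every IPv4 address."""
    entry = entry.strip()
    if entry == "0.0.0.0":
        return True                      # the value the rule names
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False                     # empty or malformed entry
    return net.version == 4 and net.prefixlen == 0   # e.g. 0.0.0.0/0

def check_whitelist_events(events, account_whitelist=ACCOUNT_WHITELIST):
    """Return a finding for each non-exempt change that opens the whitelist."""
    findings = []
    for ev in events:
        if ev.get("event_name") != "ModifySecurityIps":
            continue
        if ev.get("account_id") in account_whitelist:
            continue                     # exempt account: no alert
        hits = [e.strip() for e in ev.get("security_ips", "").split(",")
                if is_open_entry(e)]
        if hits:
            findings.append({"instance_id": ev["instance_id"],
                             "account_id": ev["account_id"],
                             "open_entries": hits})
    return findings

# Constructed sample records (simplified, hypothetical field names).
SAMPLE_EVENTS = [
    {"event_name": "ModifySecurityIps", "account_id": "1000000000000002",
     "instance_id": "rm-example-a", "security_ips": "10.0.0.0/8,0.0.0.0/0"},
    {"event_name": "ModifySecurityIps", "account_id": "1000000000000001",
     "instance_id": "rm-example-b", "security_ips": "0.0.0.0"},
    {"event_name": "ModifySecurityIps", "account_id": "1000000000000003",
     "instance_id": "rm-example-c", "security_ips": "192.168.0.10,127.0.0.1"},
    {"event_name": "ModifySecurityIps", "account_id": "1000000000000003",
     "instance_id": "rm-example-d", "security_ips": "0.0.0.0"},
]

if __name__ == "__main__":
    for finding in check_whitelist_events(SAMPLE_EVENTS):
        print(finding)
```
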

Newly Created RDS Instance's SSL Not Enabled Alert

ID

sls_app_audit_cis_at_rds_ssl_off

Name

Newly Created RDS Instance's SSL Not Enabled Alert

Version

1

Type

Cloud Platform, Alicloud, CIS Standard, and RDS Operation Compliance

Usage

Monitors whether the SSL feature is disabled for newly created RDS instances. We recommend that you enable the SSL feature within 1 hour after you create an RDS instance. Otherwise, an alert is triggered.

Check Frequency

Fixed interval: 1 minute.

Time Range

The data of the last hour is checked.

Parameter Settings

Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8.

External Configurations

You can specify a whitelist of accounts. If an RDS instance belongs to an account on the whitelist and the SSL feature is not enabled for the instance, no alert is triggered.

Solution

If an RDS instance does not belong to an account in the whitelist, we recommend that you enable the SSL feature within 1 hour after you create the instance.

Prerequisites

The Operations Log switch of ActionTrail is turned on. To turn on the switch, go to the Log Audit Service console, and then choose Log Audit Service > Access to Cloud Products > Global Configurations.

Newly Created RDS Instance's TDE Not Enabled Alert

ID

sls_app_audit_cis_at_rds_tde_off

Name

Newly Created RDS Instance's TDE Not Enabled Alert

Version

1

Type

Cloud Platform, Alicloud, CIS Standard, and RDS Operation Compliance

Usage

Monitors whether TDE is disabled for a newly created RDS instance. We recommend that you enable TDE within 1 hour after you create an RDS instance. Otherwise, an alert is triggered.

Check Frequency

Fixed interval: 1 minute.

Time Range

The data of the last hour is checked.

Parameter Settings

Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: Medium-6.

External Configurations

You can specify a whitelist of accounts. If an RDS instance belongs to an account on the whitelist and TDE is not enabled for the instance, no alert is triggered.

Solution

If an RDS instance does not belong to an account on the whitelist, we recommend that you enable TDE within 1 hour after you create the RDS instance.

Prerequisites

The Operations Log switch of ActionTrail is turned on. To turn on the switch, go to the Log Audit Service console, and then choose Log Audit Service > Access to Cloud Products > Global Configurations.
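
The two "newly created instance" rules above (SSL and TDE) both detect the absence of an enabling event within 1 hour of creation. The following added example (one interpretation of that logic, not the built-in rules' query or Alibaba Cloud code) shows the correlation with the account whitelist applied. The record shape, the "enabled" field, and all IDs and timestamps are constructed; the event names are assumed to match the RDS CreateDBInstance, ModifyDBInstanceSSL and ModifyDBInstanceTDE operations.

```python
from datetime import datetime, timedelta

GRACE = timedelta(hours=1)                 # window stated by both rules
ACCOUNT_WHITELIST = {"1000000000000001"}   # constructed exempt account

def overdue_instances(events, now, enable_event, whitelist=ACCOUNT_WHITELIST):
    """IDs of instances whose 1-hour window passed without `enable_event`."""
    created, enabled_at = {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        iid = ev["instance_id"]
        if ev["event_name"] == "CreateDBInstance":
            created[iid] = ev
        elif ev["event_name"] == enable_event and ev.get("enabled"):
            enabled_at.setdefault(iid, ev["time"])   # keep the first enable
    overdue = []
    for iid, ev in created.items():
        deadline = ev["time"] + GRACE
        if ev["account_id"] in whitelist or now < deadline:
            continue          # exempt account, or still inside the window
        first_enable = enabled_at.get(iid)
        if first_enable is None or first_enable > deadline:
            overdue.append(iid)
    return sorted(overdue)

def ev(hhmm, name, account, iid, enabled=None):
    """Build one constructed record (hypothetical, simplified fields)."""
    when = datetime.strptime("2023-08-25 " + hhmm, "%Y-%m-%d %H:%M")
    return {"time": when, "event_name": name, "account_id": account,
            "instance_id": iid, "enabled": enabled}

# Constructed sample events, not real ActionTrail records.
SAMPLE_EVENTS = [
    ev("09:00", "CreateDBInstance", "1000000000000001", "rm-example-4"),
    ev("10:00", "CreateDBInstance", "1000000000000002", "rm-example-1"),
    ev("10:15", "CreateDBInstance", "1000000000000002", "rm-example-2"),
    ev("10:30", "ModifyDBInstanceSSL", "1000000000000002", "rm-example-1", True),
    ev("11:30", "CreateDBInstance", "1000000000000002", "rm-example-3"),
    ev("11:45", "ModifyDBInstanceTDE", "1000000000000002", "rm-example-2", True),
]
NOW = datetime(2023, 8, 25, 12, 0)         # constructed evaluation time

if __name__ == "__main__":
    print("SSL overdue:", overdue_instances(SAMPLE_EVENTS, NOW, "ModifyDBInstanceSSL"))
    print("TDE overdue:", overdue_instances(SAMPLE_EVENTS, NOW, "ModifyDBInstanceTDE"))
```

An instance that enables the feature after the 1-hour deadline is still reported here, because the window was missed; rm-example-3 is not reported because its window is still open at the evaluation time.
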

RDS Instance SSL Disabled Alert

ID

sls_app_audit_cis_at_rds_ssl_config

Name

RDS Instance SSL Disabled Alert

Version

1

Type

Cloud Platform, Alicloud, CIS Standard, and RDS Operation Compliance

Usage

Monitors whether the SSL feature is disabled for RDS instances. We recommend that you do not disable the SSL feature for RDS instances. Otherwise, an alert is triggered.

Check Frequency

Fixed interval: 1 minute.

Time Range

The data of the last 2 minutes is checked.

Parameter Settings

Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8.

External Configurations

You can specify a whitelist of accounts. If an RDS instance belongs to an account on the whitelist and the SSL feature is disabled for the instance, no alert is triggered.

Solution

Do not disable the SSL feature for an RDS instance that is not included in the whitelist.

Prerequisites

The Operations Log switch of ActionTrail is turned on. To turn on the switch, go to the Log Audit Service console, and then choose Log Audit Service > Access to Cloud Products > Global Configurations.

RDS Instance Configuration Change Alert

ID

sls_app_audit_cis_at_rds_conf_change

Name

RDS Instance Configuration Change Alert

Version

1

Type

Cloud Platform, Alicloud, CIS Standard, and RDS Operation Compliance

Usage

Monitors whether the configurations of RDS instances are changed. If the configurations of an RDS instance are changed, an alert is triggered.

Check Frequency

Fixed interval: 1 minute.

Time Range

The data of the last 2 minutes is checked.

Parameter Settings

Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: Low-4.

External Configurations

You can specify a whitelist of accounts. If an RDS instance belongs to an account on the whitelist and the configurations of the instance are changed, no alert is triggered.

Solution

Check whether an exception occurs on the RDS instance that triggered the alert.

Prerequisites

The Operations Log switch of ActionTrail is turned on. To turn on the switch, go to the Log Audit Service console, and then choose Log Audit Service > Access to Cloud Products > Global Configurations.