Data Management (DMS) allows you to generate risk audit reports for database instances. Risk audit reports collect and assess various risks that are involved in the operations and maintenance (O&M) of instances. Risk audit reports also provide optimization suggestions for you to improve the security and stability of your instances.

Overview

A risk audit report is generated based on a database instance in DMS. The report diagnoses and analyzes the risks that are involved in the O&M of the instance or a specific database in the instance. The report is only for your reference and does not affect the database instance.

The following table describes the risk audit items that are contained in risk audit reports.

Risk audit item: SQL Review

Description: For this item, DMS checks whether the SQL statements that are executed in the DMS console to manage the current database instance conform to the R&D specifications. By default, DMS checks the SQL statements that are executed in the previous week. The statements include those that are executed on the SQLConsole tab and those that are executed after tickets are submitted, such as Normal Data Modify and Lockless change tickets.

For example, DMS may find the following misoperation: A whole table was accidentally updated because the WHERE clause was missing in an UPDATE statement.

Note: This audit item depends on optimization suggestions for SQL review. For information about SQL specifications, see SQL review optimization.

Supported database engines:
  • MySQL databases

    Self-managed MySQL databases, ApsaraDB RDS for MySQL databases, PolarDB for MySQL databases, PolarDB-X databases, and AnalyticDB for MySQL databases

Risk audit item: Metadata

Description: For this item, DMS assesses the risks of all the schemas in the current database instance.

For example, DMS may identify the following risk: An auto-increment primary key of the INT data type runs out of valid values.

Note: This audit item depends on optimization suggestions for SQL review. For information about SQL specifications, see SQL review optimization.

Supported database engines:
  • MySQL databases

    Self-managed MySQL databases, ApsaraDB RDS for MySQL databases, PolarDB for MySQL databases, PolarDB-X databases, and AnalyticDB for MySQL databases

Risk audit item: Sensitive Data

Description: For this item, DMS checks whether the current database instance contains sensitive fields.

For example, if the instance contains sensitive fields, such as mobile numbers, ID card numbers, or passwords, DMS checks whether these fields are prone to sensitive data breaches.

Supported database engines:
  • MySQL databases

    Self-managed MySQL databases, ApsaraDB RDS for MySQL databases, PolarDB for MySQL databases, PolarDB-X databases, and AnalyticDB for MySQL databases

  • SQL Server databases

    Self-managed SQL Server databases and ApsaraDB RDS for SQL Server databases

  • PostgreSQL databases

    Self-managed PostgreSQL databases and PolarDB for PostgreSQL databases

  • MaxCompute
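
The Metadata risk described above (an auto-increment primary key of the INT data type running out of valid values) can also be checked by hand on a MySQL database. The following query is an added example, not DMS's own audit logic; it assumes the standard MySQL information_schema views, and the 0.5 threshold is an assumed value.

```sql
-- Added example, not DMS's own audit logic.
-- Lists auto-increment integer columns whose next value has consumed at least
-- half of the column type's range. The 0.5 threshold is an assumed value.
SELECT a.*,
       ROUND(100 * a.next_value / a.max_value, 2) AS pct_used
FROM (
    SELECT c.TABLE_SCHEMA,
           c.TABLE_NAME,
           c.COLUMN_NAME,
           c.COLUMN_TYPE,
           t.AUTO_INCREMENT AS next_value,
           -- Upper bound of each MySQL integer type, signed or unsigned.
           CASE c.DATA_TYPE
               WHEN 'tinyint'   THEN IF(c.COLUMN_TYPE LIKE '%unsigned%', 255, 127)
               WHEN 'smallint'  THEN IF(c.COLUMN_TYPE LIKE '%unsigned%', 65535, 32767)
               WHEN 'mediumint' THEN IF(c.COLUMN_TYPE LIKE '%unsigned%', 16777215, 8388607)
               WHEN 'int'       THEN IF(c.COLUMN_TYPE LIKE '%unsigned%', 4294967295, 2147483647)
               WHEN 'bigint'    THEN IF(c.COLUMN_TYPE LIKE '%unsigned%',
                                        18446744073709551615, 9223372036854775807)
           END AS max_value
    FROM information_schema.COLUMNS AS c
    JOIN information_schema.TABLES AS t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA
     AND t.TABLE_NAME = c.TABLE_NAME
    WHERE c.EXTRA LIKE '%auto_increment%'
      AND t.AUTO_INCREMENT IS NOT NULL
      -- Skip the MySQL system schemas.
      AND c.TABLE_SCHEMA NOT IN ('mysql', 'information_schema',
                                 'performance_schema', 'sys')
) AS a
WHERE a.max_value IS NOT NULL
  AND a.next_value / a.max_value >= 0.5
ORDER BY pct_used DESC;
```

On MySQL 8.0, the AUTO_INCREMENT value in information_schema.TABLES comes from cached statistics, so run ANALYZE TABLE on the tables of interest or set information_schema_stats_expiry to 0 for the session before you rely on the result.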

Limits

  • Only DMS administrators, security administrators, database administrators (DBAs), instance owners, and database owners can generate risk audit reports.
  • You can keep only a limited number of risk audit reports for an instance. The number depends on the control mode of the instance.
    • For an instance that is managed in Flexible Management mode, you can keep up to three reports. You cannot view the details of the reports.
    • For an instance that is managed in Stable Change mode, you can keep up to 20 reports.
    • For an instance that is managed in Security Collaboration mode, you can keep up to 50 reports.

Procedure

  1. Log on to the DMS console.
  2. In the left-side instance list of the DMS console, right-click the instance for which you want to generate a risk audit report and choose Audit > Risk Audit.
    Note: You can use one of the following methods to go to the Risk Audit tab of a database:
    • In the left-side instance list of the DMS console, click the instance where the database resides, right-click the database, and then choose Audit > Risk Audit.
    • On the SQLConsole tab of the database, move the pointer over the Operation audit icon and select Risk Audit.
  3. On the Risk Audit tab, select a database for which you want to generate a risk audit report from the Database drop-down list.
    Note: If you do not select a specific database, a risk audit report is generated based on all the databases in the current instance.
  4. Click Real-time Diagnostics.
    Note: By default, DMS does not automatically diagnose an instance. If the instance has not been diagnosed before, you can click Diagnose.
  5. In the Real-time Diagnostics dialog box, select the risk audit items as needed and click Diagnose.

    Wait until the Status column of the report that is being generated displays Completed.

  6. Click Details in the Operation column of the newly generated report.
  7. On the Report Details tab, you can find a risk audit item and click Details in the Operation column to view the details.
    Risk audit item: SQL Review
    Description: The SQL Review details tab displays the risks of the latest SQL statements that are executed in the current database and optimization suggestions. You can configure rules to avoid some medium- and high-risk SQL statements. For more information, see SQL review optimization.
    Note: For the SQL Review item and the Metadata item, high-level risks, medium-level risks, and low-level risks correspond to the following behavioral actions in order: Must Improve, Potential Issue, and Suggest Improve. For more information, see SQL review optimization.

    Risk audit item: Metadata
    Description: The Metadata details tab displays the risks of the schemas in the current database and optimization suggestions. You can optimize the schemas based on the suggestions. You can also find a schema and click Ignore in the Operation column to ignore the risk.

    Risk audit item: Sensitive Data
    Description: The Sensitive Data details tab displays the risks of sensitive data breaches in the current database and optimization suggestions. You can find a field and click Set as Sensitive Data or Set as Confidential Data in the Operation column to adjust the security level of the field. You can also click Ignore to ignore the risk.