Data Management (DMS) provides the data security protection feature to secure program access to databases. This feature allows you to manage data security, enable access control, de-identify data, and audit operations for the databases of your enterprise in a more comprehensive manner. The feature generates proxy endpoints for a database instance. Programs can then use the proxy endpoints to access databases in the instance securely over the MySQL or HTTPS protocol. To enable the feature for a database instance, you must be a DMS administrator, a database administrator (DBA), or the owner of the instance. This topic describes how to enable the data security protection feature for a database instance.

Prerequisites

  • The database instance uses MySQL or MariaDB as the database engine. For example, the instance contains ApsaraDB RDS for MySQL, PolarDB for MySQL, PolarDB-X, or AnalyticDB for MySQL databases. The instance can also contain self-managed MySQL or MariaDB databases, or MySQL or MariaDB databases in a third-party cloud.
    Note: To view the database engine that a database instance uses, move the pointer over the instance name in the left-side navigation pane of the DMS console.
  • The database instance resides in the China (Hangzhou) or China (Beijing) region.
    Note: To view the region where a database instance resides, move the pointer over the instance name in the left-side navigation pane of the DMS console.

    If you want to enable the data security protection feature for a database instance that resides in other regions, submit a ticket or contact Alibaba Cloud customer service.

  • You are a DMS administrator, a DBA, or the owner of the database instance.

Background information

DMS is designed to ensure secure access to databases in the DMS console. The data security protection feature delivers the same security protection capabilities for program-based access to databases as DMS delivers for console-based access. This feature reuses multiple DMS features, such as security rules, data permissions, and sensitive fields. You can use this feature to manage data security, enable access control, de-identify data, and audit operations for the databases of your enterprise in a more comprehensive manner. The data security protection feature generates proxy endpoints for a database instance. Programs can then use the proxy endpoints to access databases in the instance securely over the MySQL or HTTPS protocol.

Enable the data security protection feature

  1. Log on to the DMS console.
  2. On the Instance List tab, find the database instance for which you want to enable the data security protection feature. Move the pointer over More in the Actions column and select Data security protection.
  3. On the Data security protection tab, click Enable data security protection.
  4. In the Enable data security protection dialog box, enter the database account and password.
    The data security protection feature is enabled for the database instance.

Related operations

After the data security protection feature is enabled, you can perform the following operations on the database instance as a DMS administrator, a DBA, the owner of the instance, or the owner of data security protection for the instance:
  • Enable access from the Internet. To allow local programs or programs that do not reside in the same virtual private cloud (VPC) as the instance to access the instance, click Open to obtain the public proxy endpoints.
  • Edit the database account that is used to log on to the instance. You can click the Edit icon next to Database Account to edit the database account.

What to do next

A user must be authorized to use the data security protection feature to access a database instance. For more information, see Authorize a user to access a database instance by using proxy endpoints.

Related API operations

Operation      Description
CreateProxy    Enables the data security protection feature for a database instance.
DeleteProxy    Disables the data security protection feature for a database instance.