Cloud Config: BestPracticesForDataBase

Last Updated: Sep 20, 2023

The BestPracticesForDataBase compliance package checks the network access, encryption, auditing, high-availability, and subscription-lifecycle settings of ApsaraDB RDS, ApsaraDB for Redis, ApsaraDB for MongoDB, ApsaraDB for HBase, and PolarDB instances to reduce the risk of data breaches and unplanned outages. This topic describes the rules that the BestPracticesForDataBase compliance package contains.

Rule name

Description

mongodb-cluster-expired-check

Checks whether the number of days between the check date and the expiration date of each subscription ApsaraDB for MongoDB cluster is greater than a specified threshold. If so, the evaluation result is Compliant. Default value: 30 days. If auto-renewal is enabled for a cluster, the evaluation result is also Compliant.

hbase-cluster-expired-check

Checks whether the number of days between the check date and the expiration date of each subscription ApsaraDB for HBase cluster is greater than a specified threshold. If so, the evaluation result is Compliant. Default value: 30 days.

rds-instance-enabled-safety-security-ip

Checks whether each ApsaraDB RDS instance uses enhanced whitelists. If so, the evaluation result is Compliant.

polardb-cluster-category-normal

Checks whether the edition of each PolarDB instance is Cluster Edition or Multi-master Cluster Edition. If so, the evaluation result is Compliant. Use single-node (standalone) editions with caution: they fail over slowly, so a node failure causes a longer outage than in a cluster edition.

redis-instance-release-protection

Checks whether the release protection feature is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant.

redis-instance-disable-risk-commands

Checks whether high-risk commands are disabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant.

hbase-cluster-type-check

Checks whether the edition of each ApsaraDB for HBase cluster is Cluster Edition. If so, the evaluation result is Compliant.

hbase-cluster-in-vpc

Checks whether the network type of each ApsaraDB for HBase cluster is set to VPC when the vpcIds parameter is not configured. If so, the evaluation result is Compliant.

Checks whether the VPC where each ApsaraDB for HBase cluster resides is the same as a specified VPC when the vpcIds parameter is configured. If so, the evaluation result is also Compliant.

hbase-cluster-ha-check

Checks whether high-availability configurations are enabled for each ApsaraDB for HBase cluster. If so, the evaluation result is Compliant.

hbase-cluster-deletion-protection

Checks whether the deletion protection feature is enabled for each ApsaraDB for HBase cluster. If so, the evaluation result is Compliant.

mongodb-instance-release-protection

Checks whether the release protection feature is enabled for each ApsaraDB for MongoDB instance. If so, the evaluation result is Compliant.

mongodb-instance-lock-mode

Checks whether each ApsaraDB for MongoDB instance is in the unlocked state. If so, the evaluation result is Compliant. A locked instance rejects writes or all access, depending on the lock reason.

mongodb-instance-log-audit

Checks whether the audit log feature is enabled for each ApsaraDB for MongoDB instance. If so, the evaluation result is Compliant.

rds-instance-expired-check

If you use subscription resources, you must renew them before they expire so that your instances are not stopped because of an expired subscription. This rule checks whether the number of days between the check date and the expiration date of each subscription ApsaraDB RDS instance is greater than a specified threshold. If so, the evaluation result is Compliant. Default value: 30 days. For pay-as-you-go instances, the evaluation result is Not Applicable.

polardb-cluster-expired-check

If you use subscription resources, you must renew them before they expire so that your instances are not stopped because of an expired subscription. This rule checks whether the number of days between the check date and the expiration date of each subscription PolarDB instance is greater than a specified threshold. If so, the evaluation result is Compliant. Default value: 30 days. If auto-renewal is enabled for an instance, the evaluation result is also Compliant. For pay-as-you-go instances, the evaluation result is Not Applicable.

redis-instance-expired-check

Checks whether the number of days between the check date and the expiration date of each subscription ApsaraDB for Redis instance is greater than a specified threshold. If so, the evaluation result is Compliant. Default value: 30 days. If auto-renewal is enabled for an instance, the evaluation result is also Compliant. For pay-as-you-go instances, the evaluation result is Not Applicable.

rds-instance-enabled-auditing

Checks whether the SQL Explorer and Audit feature is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant.

rds-public-access-check

Checks whether no public endpoint is configured for each ApsaraDB RDS instance. If so, the evaluation result is Compliant. We recommend that you do not expose ApsaraDB RDS instances in production environments directly to the Internet; a public endpoint makes the instance reachable for credential brute-forcing and exploitation of database vulnerabilities from anywhere.

rds-high-availability-category

Checks whether the edition of each ApsaraDB RDS instance is High-availability Edition. If so, the evaluation result is Compliant. We recommend that you use High-availability Edition for production workloads. Basic Edition instances run on a single node without a standby, so a node failure causes downtime and the stability of your system cannot be ensured. Proceed with caution.

rds-instances-in-vpc

Checks whether the network type of each ApsaraDB RDS instance is set to VPC when the vpcIds parameter is not configured. If so, the evaluation result is Compliant.

Checks whether the VPC where each ApsaraDB RDS instance resides is one of the specified VPCs when the vpcIds parameter is configured. If so, the evaluation result is also Compliant. Separate multiple parameter values with commas (,).

rds-multi-az-support

Checks whether each ApsaraDB RDS instance uses the multi-zone architecture. If so, the evaluation result is Compliant.

rds-instance-enabled-ssl

Checks whether the SSL certificate feature is enabled in the data security settings of each ApsaraDB RDS instance. If so, the evaluation result is Compliant.

rds-instance-enabled-tde

Checks whether the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance. If so, the evaluation result is Compliant.

redis-instance-in-vpc

Checks whether the network type of each ApsaraDB for Redis instance is set to VPC when the vpcIds parameter is not configured. If so, the evaluation result is Compliant.

Checks whether the VPC where each ApsaraDB for Redis instance resides is the same as a specified VPC when the vpcIds parameter is configured. If so, the evaluation result is also Compliant.

redis-public-access-check

Checks whether 0.0.0.0/0 is added to the IP whitelist of each ApsaraDB for Redis instance. If not, the evaluation result is Compliant.

redis-architecturetype-cluster-check

Checks whether the edition of each ApsaraDB for Redis instance is Cluster Edition. If so, the evaluation result is Compliant.

mongodb-public-access-check

Checks whether 0.0.0.0/0 is added to the IP whitelist of each ApsaraDB for MongoDB instance. If not, the evaluation result is Compliant.

mongodb-instance-in-vpc

Checks whether the network type of each ApsaraDB for MongoDB instance is set to VPC when the vpcIds parameter is not configured. If so, the evaluation result is Compliant.

Checks whether the VPC where each ApsaraDB for MongoDB instance resides is the same as a specified VPC when the vpcIds parameter is configured. If so, the evaluation result is also Compliant.

polardb-public-access-check

Checks whether 0.0.0.0/0 is added to the IP whitelist of each PolarDB instance. If not, the evaluation result is Compliant.

polardb-dbcluster-in-vpc

Checks whether the network type of each PolarDB instance is set to VPC when the vpcIds parameter is not configured. If so, the evaluation result is Compliant.

Checks whether the VPC where each PolarDB instance resides is the same as a specified VPC when the vpcIds parameter is configured. If so, the evaluation result is also Compliant.

rds-instance-sql-collector-retention

Checks whether the SQL Explorer and Audit feature is enabled for each ApsaraDB RDS for MySQL instance and whether the retention period of SQL audit logs is greater than or equal to a specified number of days. If so, the evaluation result is Compliant. Default value: 180 days.

rds-event-log-enabled

Checks whether the event history feature is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant.

rds-instance-enabled-security-ip-list

Checks whether an IP address whitelist is configured for each ApsaraDB RDS instance and 0.0.0.0/0 is not added to the IP address whitelist. If so, the evaluation result is Compliant.
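The expiration, public-access and VPC rules in this package share a small amount of evaluation logic: a day-count threshold with an auto-renewal exception and a Not Applicable result for pay-as-you-go instances, a whitelist test for 0.0.0.0/0, and a vpcIds parameter that switches the VPC rule between "in any VPC" and "in one of these VPCs". The following Python script is an added example that re-implements those three rule families locally over constructed instance records; it is not Cloud Config's own code. The record field names (pay_type, expire_time, auto_renew, whitelist, network_type, vpc_id), the Prepaid/Postpaid values, the instance IDs and the result strings are assumptions made for the example. The whitelist check is deliberately stricter than the page's rule: it also flags a set of entries whose union covers all of IPv4 (for example 0.0.0.0/1 plus 128.0.0.0/1), which a literal 0.0.0.0/0 string match would miss.

```python
"""Local re-implementation of three BestPracticesForDataBase rule families
(expiration, public access / IP whitelist, VPC placement) over constructed
instance records.  Added example; not Cloud Config's code."""
from datetime import date
import ipaddress

COMPLIANT = "Compliant"
NON_COMPLIANT = "NonCompliant"
NOT_APPLICABLE = "NotApplicable"


def check_expiration(instance, check_date, min_days=30):
    """*-expired-check: a subscription instance must have more than min_days
    left before it expires unless auto-renewal is enabled.  Pay-as-you-go
    instances are out of scope and evaluate to NotApplicable."""
    if instance["pay_type"] != "Prepaid":          # assumed field and value names
        return NOT_APPLICABLE
    if instance.get("auto_renew", False):
        return COMPLIANT
    remaining = (instance["expire_time"] - check_date).days
    return COMPLIANT if remaining > min_days else NON_COMPLIANT


def check_whitelist(whitelist):
    """*-public-access-check and rds-instance-enabled-security-ip-list: the
    whitelist must exist and must not expose the instance to the Internet.
    Stricter than the page's literal 0.0.0.0/0 test: any set of IPv4 entries
    whose union is the whole address space is also flagged."""
    if not whitelist:
        return NON_COMPLIANT
    nets = []
    for entry in whitelist:
        try:
            # bare addresses such as 192.168.10.5 become /32 networks
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            return NON_COMPLIANT        # unparsable entry: cannot be proven safe
    v4 = [n for n in nets if n.version == 4]
    # collapse_addresses merges 0.0.0.0/1 + 128.0.0.0/1 into 0.0.0.0/0
    if any(n.prefixlen == 0 for n in ipaddress.collapse_addresses(v4)):
        return NON_COMPLIANT
    return COMPLIANT


def check_in_vpc(instance, vpc_ids=None):
    """*-in-vpc: the network type must be VPC.  When vpc_ids (the page's
    comma-separated vpcIds parameter) is set, the instance's VPC must also be
    one of the listed IDs."""
    if instance["network_type"] != "VPC":
        return NON_COMPLIANT
    if vpc_ids:
        allowed = {v.strip() for v in vpc_ids.split(",") if v.strip()}
        return COMPLIANT if instance.get("vpc_id") in allowed else NON_COMPLIANT
    return COMPLIANT


def evaluate(instances, check_date, vpc_ids=None, min_days=30):
    """Return {instance_id: {rule: result}} for the three checks."""
    report = {}
    for inst in instances:
        report[inst["id"]] = {
            "expired-check": check_expiration(inst, check_date, min_days),
            "public-access-check": check_whitelist(inst.get("whitelist", [])),
            "in-vpc": check_in_vpc(inst, vpc_ids),
        }
    return report


# Constructed sample records; field names and IDs are assumptions, not API output.
CHECK_DATE = date(2023, 9, 20)
SAMPLE_INSTANCES = [
    {"id": "rm-aaa", "pay_type": "Prepaid", "expire_time": date(2023, 10, 5),
     "auto_renew": False, "whitelist": ["10.0.0.0/8", "192.168.10.5"],
     "network_type": "VPC", "vpc_id": "vpc-a"},
    {"id": "rm-bbb", "pay_type": "Postpaid", "whitelist": ["0.0.0.0/0"],
     "network_type": "Classic"},
    {"id": "rm-ccc", "pay_type": "Prepaid", "expire_time": date(2023, 9, 25),
     "auto_renew": True, "whitelist": ["0.0.0.0/1", "128.0.0.0/1"],
     "network_type": "VPC", "vpc_id": "vpc-b"},
]

if __name__ == "__main__":
    for inst_id, results in evaluate(SAMPLE_INSTANCES, CHECK_DATE, "vpc-a").items():
        print(inst_id, results)
```

To run this against real inventory, map the fields of your instance export onto the record format and pass the same check date and vpcIds string that the compliance package would use; the three functions can then be compared rule by rule against the results Cloud Config reports.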