Checks whether a dynamic ApsaraDB RDS secret is created for each ApsaraDB RDS instance. If so, the evaluation result is Compliant.
This rule applies when you need to create dynamic ApsaraDB RDS secrets and enable periodical auto-rotation for the secrets. This reduces the risk of secret leaks.
Default risk level: medium.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If a dynamic ApsaraDB RDS secret is created for each ApsaraDB RDS instance, the evaluation result is Compliant.
- If no dynamic ApsaraDB RDS secret is created for each ApsaraDB RDS instance, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
|Automatic remediation||Not supported|
|Trigger type||Periodic execution|
|Evaluation frequency||Interval of 24 hours|
|Supported resource type||ApsaraDB RDS instance|
Create a dynamic ApsaraDB RDS secret for an ApsaraDB RDS instance. For more information, see Manage dynamic ApsaraDB RDS secrets.