Database Autonomy Service (DAS) provides a proactive security protection system that covers the entire database lifecycle. It automatically detects and manages potential security risks. This topic describes three key features: security baseline checks to prevent insecure configurations, SSL certificate management to secure data in transit, and cross-engine whitelist templates to centrally manage database network access. Together, these features help you manage database security more efficiently and reliably.
Security baseline check
Feature description
The security baseline check feature in DAS provides a fully automated security assessment service for your databases. It periodically scans database instances based on industry standards and security best practices to quickly identify security risks such as weak passwords, permission abuse, and missing audit logs. It also provides professional remediation suggestions. The feature supports centralized checks for multiple database types and performs 24/7 automated inspections without manual intervention. This helps you continuously optimize security configurations and improve your data security.
Usage notes
Database Region:
Public cloud
China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Heyuan), China (Zhangjiakou), China (Hohhot), China (Chengdu), China (Guangzhou), China (Ulanqab), Indonesia (Jakarta), US (Virginia), US (Silicon Valley), Japan (Tokyo), Germany (Frankfurt), UK (London), Philippines (Manila), Malaysia (Kuala Lumpur), Singapore, and China (Hong Kong).
Finance Cloud
China (Hangzhou) Finance Cloud, China (Shanghai) Finance Cloud, China (Beijing) Finance Cloud (invitational preview), and China (Shenzhen) Finance Cloud.
User guide
Log on to the DAS console.
In the navigation pane on the left, choose .
If this is your first time accessing the service, the purchase page for the Security Management service appears. Click Purchase Now. The Enable Security Management Service dialog box opens.
In the Select Instance section, select the instances to add.
In the Security Scenario configuration section:
Select Security Management, then select an appropriate quota in the Security Management Quota section.
Select Sensitive Identification & Column Encryption if required.
Click Submit to confirm the configuration and enable the service.
On the Global Security Management page, click the Security Baseline Check tab.
Initiate Inspection: Click Initiate Inspection. In the dialog box that appears, select the instances to inspect, click the icon to move them to the right pane, and then click OK to start the security inspection.
Note: Instances must have Security Center enabled before they can be inspected. To enable it, click Cloud Instances in the Initiate Inspection dialog box to open the Instances page. Then, in the Security Services column for the target instance, click Activate to complete the authorization.
A security inspection is a time-consuming operation. The time required varies from a few minutes to tens of minutes, depending on the number and complexity of your instances. You do not need to wait for the task to complete. You can return to this page later to view the inspection results.

Inspection List: The inspection results are displayed in a list on the page. Each row represents an instance.
Note: The system uses color-coded tags to indicate the results: red for high-risk, yellow for warning, and green for secure.

View details: In the Actions column for the target inspection task, click Details.
Note: In the dialog box that appears, you can click Inspect Again at the bottom to inspect the current instance again.

Download: Click the download icon in the upper-right corner of the inspection list to download the inspection results for the current list.
Inspection Subscription: You can enable the inspection subscription service using the switch in the upper-right corner.
Note: After you enable the subscription service, Alibaba Cloud sends you security notifications through channels such as internal messages and text messages when the following events occur:
Alibaba Cloud receives or discovers new security threat intelligence.
Regulatory authorities such as the Cyberspace Administration of China issue new compliance requirements.

Check items and remediation suggestions
Check item | Detection rule | Description | Core remediation suggestion |
Weak Password | | Checks whether any accounts use weak passwords. | Change the password to a high-complexity password. The password must meet the following requirements: |
Whitelist | | Checks whether any IP address whitelists violate security standards. Note: A whitelist security risk is defined as an instance that allows public network access and has a whitelist configured with | Remove unnecessary public IP addresses to ensure that only trusted IP addresses can access the instance. |
SSL Certificate | | Checks whether Secure Sockets Layer (SSL) encryption is enabled for database connections. | We strongly recommend that you enable SSL for databases that are accessed over the public network to ensure data security in transit. |
Backup | | The creation time of the latest backup set, which is affected by the backup policy. | To handle unexpected events and ensure business continuity, back up your databases in advance. Set a backup cycle, such as daily or weekly, based on your business needs to ensure data security and recoverability. |
Audit | | Checks whether the audit log feature is enabled. | Enable audit logs for post-event traceability and real-time threat detection. |
TDE | | Checks whether the transparent data encryption (TDE) feature is enabled. | To ensure data security, we strongly recommend that you enable TDE to secure data at rest. |
KMS Key | | Checks whether the KMS key used by the instance is active. Note: If TDE is not enabled, the KMS field displays 'Not applicable'. | Go to the Key Management Service console, select the region of the instance, and enable the corresponding key. |
SSL certificate management
Feature description
An SSL Certificate is a critical security mechanism that encrypts data transmitted between a client and a database, which prevents eavesdropping and tampering. The SSL certificate management feature in DAS helps you centrally monitor the certificate status of all your database instances, promptly detect potential risks, and prevent application connection interruptions caused by expired certificates. The system provides automatic expiration warnings, one-click updates, and a centralized download portal to make certificate management more convenient and secure.
Usage Notes
The target database instance is connected to DAS.
The database instance is:
ApsaraDB RDS for MySQL
PolarDB for MySQL
When a Resource Access Management (RAM) user uses the SSL certificate management feature, the RAM user must be granted the AliyunHDMReadOnlyAccess or AliyunHDMFullAccess permission. For more information, see How can a RAM user use DAS?.
SSL for proxies is not included in the statistics.
User guide
Log on to the DAS console.
In the navigation pane on the left, choose .
On the Global Security Management page, click the SSL Certificate tab.
Note: Enabled Instances is the number of fully or partially enabled instances divided by the total number of connected instances.
In the primary table, you can click an Instance ID to navigate to the Basic Information page of the instance in the corresponding console. You can also click Details to navigate to the SSL Management page of the instance, where you can modify SSL settings.

Primary table
SSL Certificate Status
The overall SSL status of the instance. Options include Enabled, Partially Enabled, and Not Enabled.
Note: Only endpoints that support the SSL feature are included in the statistics.
For ApsaraDB RDS for MySQL instances, SSL is enabled for the whole instance rather than per endpoint, so no endpoint-level view is needed. The SSL information in the child table is the same as the SSL information for the instance. Therefore, ApsaraDB RDS for MySQL instances only have the Enabled and Not Enabled statuses.
For PolarDB for MySQL instances, SSL is supported for three endpoint types: primary endpoint, cluster endpoint, and custom endpoint.
SSL Certificate Expiration
The earliest expiration time among all SSL certificates for the instance's endpoints.
Click the icon to the left of the target instance to view the detailed SSL information for that instance.
Child table
Endpoint ID
This field is empty for ApsaraDB RDS for MySQL instances. For PolarDB for MySQL instances, this corresponds to the EndpointId field on the Basic Information page in the instance console.
Endpoint Type
This field is empty for ApsaraDB RDS for MySQL instances. For PolarDB for MySQL instances, options include primary endpoint, cluster endpoint, and custom endpoint.
SSL-protected Endpoint
The SSL-encrypted connection endpoint for the instance.
SSL Certificate Status
The SSL status for the instance endpoint. Options include Enabled and Not Enabled.
Note: When the certificate status is Not Enabled, the SSL-protected Endpoint, SSL Certificate Type, and SSL Certificate Expiration fields are empty.
SSL Certificate Type
The type of SSL certificate for the instance endpoint. Options include Issued by Database and User-defined, which correspond to Use Cloud Certificate and Use Custom Certificate, respectively.
Note: PolarDB for MySQL does not support custom certificates.
SSL Certificate Expiration
The expiration time of the SSL certificate for the instance endpoint.
Note: All SSL certificate expiration times are displayed in the user's browser time zone.
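The roll-up rules described above (instance status derived from its SSL-capable endpoints, the earliest expiration as the instance-level value, and the Enabled Instances ratio), written out as an added example that is not part of the DAS product or this page. The Endpoint type, the engine labels "rds_mysql" and "polardb_mysql", and the 30-day warning window are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Endpoint:
    """One SSL-capable endpoint of an instance (constructed sample type, not a DAS API object)."""
    endpoint_type: str                  # "primary", "cluster" or "custom" for PolarDB; "" for RDS
    ssl_enabled: bool
    cert_expires: Optional[str] = None  # ISO date "YYYY-MM-DD"; None when SSL is Not Enabled

def instance_ssl_status(engine: str, endpoints: List[Endpoint]) -> str:
    """Roll endpoint-level status up to the instance-level value shown in the primary table.
    Only SSL-capable endpoints may be passed in; 'engine' is an assumed label."""
    enabled = sum(1 for e in endpoints if e.ssl_enabled)
    if enabled == 0:
        return "Not Enabled"
    if enabled == len(endpoints):
        return "Enabled"
    if engine == "rds_mysql":
        # RDS for MySQL enables SSL instance-wide, so its endpoints can never disagree
        raise ValueError("RDS for MySQL SSL status is instance-wide, not per endpoint")
    return "Partially Enabled"

def instance_cert_expiration(endpoints: List[Endpoint]) -> Optional[str]:
    """Earliest expiration among protected endpoints (ISO dates order correctly as strings)."""
    dates = [e.cert_expires for e in endpoints if e.ssl_enabled and e.cert_expires]
    return min(dates) if dates else None

def expiring_within(endpoints: List[Endpoint], today: str, warn_days: int = 30) -> bool:
    """Expiration warning; an already expired certificate also returns True.
    The 30-day window is an assumption, DAS does not publish its own threshold."""
    exp = instance_cert_expiration(endpoints)
    if exp is None:
        return False
    return date.fromisoformat(exp) - date.fromisoformat(today) <= timedelta(days=warn_days)

def enabled_instance_ratio(instances: List[Tuple[str, List[Endpoint]]]) -> float:
    """'Enabled Instances' metric: fully or partially enabled instances over all connected ones."""
    if not instances:
        return 0.0
    hits = sum(1 for engine, eps in instances
               if instance_ssl_status(engine, eps) in ("Enabled", "Partially Enabled"))
    return hits / len(instances)
```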
Cross-engine whitelist template
Feature description
The cross-engine whitelist template feature in DAS lets you uniformly manage and batch-configure network access permissions across different types of database engines for centralized operations and maintenance (O&M). If you have multiple database instances that require the same IP address whitelist, you can edit a single template to automatically synchronize the changes to all associated instances. This significantly improves O&M efficiency, reduces the risk of configuration errors from manual operations, and unifies access control management across database engines.
Usage Notes
The database engine is one of the following types:
ApsaraDB RDS for MySQL, ApsaraDB RDS for PostgreSQL, PolarDB for MySQL, PolarDB for PostgreSQL, and Tair (Redis OSS-compatible).
Database region:
China (Hangzhou), China (Shanghai), China (Nantong), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), UK (London), US (Virginia), US (Silicon Valley), Singapore, Philippines (Manila), Thailand (Bangkok), Germany (Frankfurt), UAE (Dubai), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and South Korea (Seoul).
A whitelist template can contain up to 1,000 whitelist rules. A rule can be a specific IP address or a CIDR block. Exceeding this limit will cause the modification of the IP address whitelist or the association of the whitelist template to fail.
A whitelist template can be associated with up to 500 instances.
A user can create up to 100 whitelist templates in a single region.
An instance can be associated only with IP address whitelist templates in the same region. A single instance can be associated with multiple IP address whitelist templates.
Operations on a whitelist template take effect immediately. Operations on the IP address whitelist groups of associated instances take effect in about one minute.
If a whitelist template is associated with multiple instances, modifying the template affects all associated instances. Evaluate the impact before you proceed.
Deleting a whitelist template dissociates all associated instances from the IP address whitelist group. We recommend that you first dissociate the instances before you delete the template.
Cross-engine whitelist templates attached in DAS are not displayed in the consoles of the corresponding RDS and Tair instances.
User guide
Log on to the DAS console.
In the navigation pane on the left, choose .
On the Global Security Management page, click the Whitelist Template tab.
To create a whitelist template, click Create IP Whitelist Template. In the panel that appears on the right, enter a Whitelist Template Name and the IP Addresses in Whitelist, select a Region, and then click OK.
Note: Setting the whitelist IP address range to 0.0.0.0/0 opens access to all networks. Use this setting with caution.
If you set the whitelist IP address to only 127.0.0.1, all external access is prohibited. If other IP addresses or address ranges are also configured, 127.0.0.1 does not take effect.
The whitelist in a newly created group takes effect in about one minute.
To modify a whitelist template, find the template in the list and click Modify in the Actions column. In the panel that appears, modify the template name and the IP addresses or CIDR blocks. Click OK.
Important: After a whitelist template is modified, the changes are applied to all instances associated with the template.
To associate or dissociate instances: Find the target template in the list and click Associate Instance in the Actions column. In the panel that appears on the right, perform the required operations and click OK.
Select the product type to associate.

After you select a product, select the engine type to associate.

In the All Instances pane on the left, you can search for instances and associate them in batches. After you select instances, they appear in the list.
Note: To dissociate an instance, simply clear its check box. After you clear the check box, the instance appears in the list.

To delete a whitelist template, find the target template in the list and click Delete in the Actions column. In the dialog box that appears, click OK.
Important: Deleting a whitelist template dissociates all instances associated with it and removes the rules from this template in all associated instances. This operation does not affect the instance's own whitelist or other attached whitelist templates.
If an instance is attached to multiple templates that contain duplicate whitelist data, deleting one of the templates does not remove the duplicate whitelist data.
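The template rules stated in the usage notes and in the create and delete steps above (the 1,000-rule limit, the 0.0.0.0/0 warning, 127.0.0.1 blocking all external access only when it is the sole rule, and duplicate rules surviving the deletion of one template), applied to constructed sample templates as an added example that is not DAS code. The function names and the IP addresses used are constructed for this example.

```python
import ipaddress
from typing import Dict, Iterable, List

# Limits stated in the DAS usage notes; plain constants for this example, not API values
MAX_RULES_PER_TEMPLATE = 1000
MAX_INSTANCES_PER_TEMPLATE = 500

ANY_NETWORK = ipaddress.ip_network("0.0.0.0/0")
LOOPBACK_ONLY = ipaddress.ip_network("127.0.0.1/32")

def validate_template(rules: List[str]) -> Dict[str, object]:
    """Check a template's rules and derive the ones that actually take effect.
    errors would make association fail; warnings are accepted but risky."""
    errors, warnings, parsed = [], [], []
    for r in rules:
        try:
            parsed.append(ipaddress.ip_network(r, strict=False))  # single IP or CIDR block
        except ValueError:
            errors.append(f"invalid IP address or CIDR block: {r!r}")
    if len(rules) > MAX_RULES_PER_TEMPLATE:
        errors.append(f"{len(rules)} rules exceeds the limit of {MAX_RULES_PER_TEMPLATE}")
    if ANY_NETWORK in parsed:
        warnings.append("0.0.0.0/0 opens access to all networks")
    # 127.0.0.1 on its own prohibits all external access; next to other rules it has no effect
    blocks_all = bool(parsed) and all(n == LOOPBACK_ONLY for n in parsed)
    effective = parsed if blocks_all else [n for n in parsed if n != LOOPBACK_ONLY]
    return {"errors": errors, "warnings": warnings,
            "blocks_all_external": blocks_all,
            "effective": [str(n) for n in effective]}

def allows(rules: List[str], client_ip: str) -> bool:
    """Would a client at client_ip be admitted by this template alone?"""
    v = validate_template(rules)
    if v["errors"] or v["blocks_all_external"]:
        return False
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in v["effective"])

def instance_whitelist(own_rules: Iterable[str], templates: Dict[str, List[str]],
                       deleted: Iterable[str] = ()) -> List[str]:
    """Union of the instance's own whitelist and every attached template not yet deleted.
    A rule duplicated across templates survives the deletion of one of them."""
    merged = set(own_rules)
    for name, rules in templates.items():
        if name not in set(deleted):
            merged.update(rules)
    return sorted(merged)
```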