
Data Security Center: Security compliance description for one-click connection accounts

Last Updated: Jan 23, 2025

Specific Alibaba Cloud services provide API operations that allow you to create accounts and grant those accounts permissions on assets. Data Security Center (DSC) provides the asset discovery feature to help you identify assets in a convenient and efficient manner. DSC calls the operations of these cloud services to establish one-way, read-only access from DSC to the cloud services by using Security Token Service (STS) tokens. This way, DSC can identify sensitive data in assets such as databases, tables, and buckets to help you protect your data.

One-click connection description

  • Supported asset types: ApsaraDB RDS, PolarDB, PolarDB for Xscale (PolarDB-X), PolarDB-X 2.0, ApsaraDB for Redis, Object Storage Service (OSS), Tablestore, and MaxCompute.

  • Account description: If you click Connect for an asset on the Authorization Management tab, DSC adds a read-only account to the asset and uses the read-only account to connect to the asset to run data identification tasks.

Security compliance description

The following figure shows the complete lifecycle of asset authorization. To implement one-click connections, you must create a service-linked role and grant the required permissions to the service-linked role. Alibaba Cloud creates an account based on the granted permissions to identify assets. After DSC expires, Alibaba Cloud deletes the account; DSC does not pull or retain your data.

You can use DSC to scan and identify assets. This helps you obtain the real-time security status of the assets.

[Figure: complete lifecycle of asset authorization]

Create a service-linked role for DSC and grant the required permissions to the service-linked role

Before you use DSC, you must authorize DSC to access Alibaba Cloud resources. After you purchase DSC, you must grant the required permissions to the service-linked role named AliyunServiceRoleForSDDP that is created for DSC. For more information, see Authorize DSC to access Alibaba Cloud resources.

Identify assets

After you purchase DSC and complete authorization, the AliyunServiceRolePolicyForSDDP policy is attached to the service-linked role AliyunServiceRoleForSDDP. This way, DSC can call operations. DSC calls operations on a daily basis to detect cloud assets within the account.

You can also manually trigger a data identification task: in the DSC console, click Asset Center. On the Authorization Management tab, click Asset Authorization Management. In the Asset Authorization Management panel, click Asset synchronization. You can specify an asset type for the data identification task.

Create an account and grant the required permissions

If you click Connect for an asset on the Authorization Management tab, DSC calls the operations of the required cloud service to create a read-only account and grant the read-only permissions on the asset to the read-only account.

Configure an IP address whitelist

When you connect DSC to an asset, DSC adds a whitelist group named ali_sddp_group to the asset so that DSC can obtain the database information about the asset. The whitelist records the IP addresses used by DSC. These IP addresses vary based on the region.
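A practitioner who reviews an asset's whitelist usually wants to confirm that the ali_sddp_group entries are limited to the DSC addresses published for that region and that no over-broad range (such as 0.0.0.0/0) was added alongside them. The following audit function is an added example and is not DSC code; the per-region address ranges in EXPECTED_DSC_RANGES are constructed placeholders, not real DSC addresses, and should be replaced with the values Alibaba Cloud publishes for your region.

```python
import ipaddress

# Constructed placeholder values: DSC addresses differ per region and are
# published by Alibaba Cloud. These ranges are NOT real DSC addresses.
EXPECTED_DSC_RANGES = {
    "cn-hangzhou": ["198.51.100.0/24", "203.0.113.0/25"],
    "cn-shanghai": ["192.0.2.0/24"],
}


def audit_dsc_whitelist(whitelist_groups, region, group_name="ali_sddp_group"):
    """Check that the DSC whitelist group on an asset only contains the
    expected DSC addresses for the given region.

    whitelist_groups: dict mapping whitelist group name -> list of IP or CIDR
    strings, as read from the instance's whitelist configuration.
    Returns a dict with keys 'missing_group', 'unexpected' and 'ok'.
    """
    result = {"missing_group": False, "unexpected": [], "ok": False}

    # The group is created by DSC at connection time; its absence means the
    # one-click connection did not complete or someone removed it.
    if group_name not in whitelist_groups:
        result["missing_group"] = True
        return result

    allowed = [ipaddress.ip_network(c) for c in EXPECTED_DSC_RANGES.get(region, [])]

    for entry in whitelist_groups[group_name]:
        # strict=False tolerates host bits set in a CIDR (e.g. 10.0.0.5/24)
        net = ipaddress.ip_network(entry, strict=False)
        # An entry is acceptable only if it lies entirely inside one expected
        # range; 0.0.0.0/0 or an address from another region is flagged.
        inside = any(
            net.version == a.version and net.subnet_of(a) for a in allowed
        )
        if not inside:
            result["unexpected"].append(entry)

    result["ok"] = not result["unexpected"]
    return result


if __name__ == "__main__":
    # Constructed sample whitelist as it might be read from an RDS instance.
    sample = {
        "default": ["0.0.0.0/0"],
        "ali_sddp_group": ["198.51.100.7", "0.0.0.0/0"],
    }
    print(audit_dsc_whitelist(sample, "cn-hangzhou"))
```

The check is deliberately scoped to the DSC group: other groups on the instance (such as a permissive "default" group) are a separate review item, but a wide-open range inside ali_sddp_group is flagged because it is not something the one-click connection needs.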

Perform reverse access authorization

The identification engine of DSC is located in a virtual private cloud (VPC), the management server of DSC is located in the classic network, and the instance to which the required asset belongs is located in the sales region. When you perform asset identification and authorization, DSC uses the reverse access feature. This way, the management server and the identification engine of DSC can establish one-way access to the instance in the sales region.

Perform a connectivity check

After you authorize DSC to access an asset, the connection status of the asset is Testing Connectivity. Every 30 seconds, the management server of DSC checks the network connectivity to the asset to determine whether the read-only account can be used to log on to the asset. For an OSS asset, the check also verifies whether the asset exists, that is, whether the destination bucket exists. If the logon succeeds, the connection status changes to Connected. If the logon fails, the connectivity check fails. If the connectivity check fails 10 consecutive times, the connection status changes to Connection Failed.
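The status transitions above form a small state machine, and modelling it makes the operational numbers concrete: an asset whose read-only account cannot log on stays in Testing Connectivity for at most 10 checks, so a Connection Failed status appears roughly 300 seconds after authorization. The following model is an added example, not DSC's implementation; the only facts it takes from this page are the 30-second interval, the 10-failure threshold, the OSS bucket-existence condition and the three status names. The probe callables are assumed hooks that stand in for DSC's real logon attempt.

```python
from typing import Callable, List, Optional

CHECK_INTERVAL_SECONDS = 30   # from the page: one check every 30 seconds
FAILURE_THRESHOLD = 10        # from the page: 10 consecutive failures

TESTING = "Testing Connectivity"
CONNECTED = "Connected"
FAILED = "Connection Failed"


class ConnectivityMonitor:
    """Model of the connection status of one asset.

    probe:         assumed hook; returns True when the read-only account can
                   log on to the asset.
    bucket_exists: assumed hook used only for OSS assets; returns True when
                   the destination bucket exists.
    """

    def __init__(self, probe: Callable[[], bool],
                 bucket_exists: Optional[Callable[[], bool]] = None):
        self.probe = probe
        self.bucket_exists = bucket_exists
        self.status = TESTING
        self.consecutive_failures = 0
        self.elapsed_seconds = 0
        self.history: List[str] = []

    def _attempt(self) -> bool:
        # For OSS, a missing bucket fails the check before any logon attempt.
        if self.bucket_exists is not None and not self.bucket_exists():
            return False
        return bool(self.probe())

    def tick(self) -> str:
        """Run one scheduled check. Terminal statuses are not re-evaluated."""
        if self.status != TESTING:
            return self.status
        self.elapsed_seconds += CHECK_INTERVAL_SECONDS
        if self._attempt():
            self.status = CONNECTED
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= FAILURE_THRESHOLD:
                self.status = FAILED
        self.history.append(self.status)
        return self.status

    def run(self, max_ticks: int = FAILURE_THRESHOLD) -> str:
        """Keep checking until a terminal status is reached or max_ticks pass."""
        for _ in range(max_ticks):
            self.tick()
            if self.status != TESTING:
                break
        return self.status


def seconds_until_failure() -> int:
    """Worst-case time before a dead connection is reported as failed."""
    return CHECK_INTERVAL_SECONDS * FAILURE_THRESHOLD


def scripted_probe(outcomes: List[bool]) -> Callable[[], bool]:
    """Constructed test hook: replay a fixed sequence of logon results,
    then keep failing once the sequence is exhausted."""
    it = iter(outcomes)
    return lambda: next(it, False)


if __name__ == "__main__":
    # Constructed scenario: the whitelist takes effect after three checks.
    m = ConnectivityMonitor(scripted_probe([False, False, False, True]))
    print(m.run(), m.elapsed_seconds, m.history)
    # Constructed scenario: OSS asset whose bucket was deleted.
    o = ConnectivityMonitor(lambda: True, bucket_exists=lambda: False)
    print(o.run(), o.consecutive_failures)
```

Because the counter is only reached while the asset is still in Testing Connectivity, a single successful logon ends the test phase; when troubleshooting, the useful signal is therefore how many ticks passed before Connected, which usually reflects whitelist or reverse-access propagation delay rather than an account problem.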

Delete an account

DSC deletes read-only accounts that are generated when you perform one-click connections 15 days after DSC expires.
