Data Security Center (DSC) provides a system whitelist feature. You can add trusted IP addresses and data assets, such as asset types, instances, databases, tables, accounts, and operation types, to a whitelist. DSC does not generate audit alerts for risky behaviors that originate from whitelisted data assets or IP addresses. This helps reduce invalid alerts. This topic describes how to add, edit, and delete system whitelists.
Prerequisites
You have granted authorization for the data assets that support whitelist configuration:
Data assets in RDS, PolarDB, PolarDB-X, OceanBase, Table Store, AnalyticDB for MySQL, and AnalyticDB for PostgreSQL. For more information, see Authorize generic databases.
Data assets in OSS. For more information, see Authorize unstructured data (OSS and SLS).
Data assets in MaxCompute. For more information, see Authorize MaxCompute.
Background information
DSC provides audit alert detection for risky activities on authorized data assets. This feature is enabled by default and uses built-in audit alert rules.
The built-in audit rule types include abnormal operation rules, data breach rules, vulnerability attack rules, SQL injection rules, and risky operation rules. You can also add and enable custom audit rules. For more information, see Configure and enable audit alert rules.
If you confirm that database activities from specific IPs or accounts are normal, you can add a whitelist rule. If a subsequent check hits a whitelist rule, DSC does not generate alerts for the corresponding database or OSS operations or events.
When you handle an audit alert, if you choose to add the source to the whitelist, the whitelisted account or IP address is added to the system whitelist. The whitelist rule name is in the format Alert time + Audit alert rule name, for example, 2024-05-21 20:58:09 OSS rule test. For more information, see View and handle audit alerts.
Limits
In a single whitelist rule:
You can select only one asset type.
You must set at least one account, IP address, or IP range.
The total number of IP addresses or IP ranges cannot exceed 10. The number of accounts cannot exceed 10.
If a rule includes multiple items in different categories, such as multiple instances and multiple accounts, a logical AND is applied between the categories. A logical OR is applied between items within the same category. For example, if you configure a rule with Instance A, Instance B, Account A, and Account B, the logic is (Instance A OR Instance B) AND (Account A OR Account B).
When changes take effect
After you add, edit, or delete a system whitelist, the change takes effect for all audit alerts within one minute.
Add a whitelist rule
You can add specific data assets, IP addresses, or IP ranges to the system whitelist to exempt them from monitoring and audit detection.
Log on to the Data Security Center console.
In the left-side navigation pane, select .
On the Whitelist page, click Add Whitelist.
In the Add Whitelist dialog box, configure the parameters and click OK.

| Parameter | Description |
| --- | --- |
| Rule Name | Enter a custom name for the whitelist rule. Use a name that is easy to identify. The name can be up to 100 characters in length. |
| IP | Enter the IP addresses or IP ranges to add to the whitelist. You can enter up to 10 IP addresses or IP ranges. Use line breaks or commas to separate multiple entries. |
| Data Asset | Select an asset type, and then select the corresponding assets as prompted on the page, such as the instance, database, table name, and account for an RDS asset. You can select multiple asset instances and accounts. Click the Account drop-down list and click Add Custom Account at the end of the account list to enter multiple custom accounts. |
| Operation Type | The default value is all operation types. You can select one or more operation types for the data asset as needed. |
After you add the whitelist rule, you can search for and view the rule in the list of whitelist rules. You can filter the rules by asset type, rule name, or other conditions.

Edit or delete a whitelist rule
To re-enable detection and audit alerts for data assets associated with a specific IP or account, you can edit or delete the corresponding whitelist rule.
When you edit an existing whitelist rule, you cannot modify the asset type.
Log on to the Data Security Center console.
In the left-side navigation pane, select .
Find the target whitelist rule and click Edit or Delete in the Actions column to modify or delete the rule.
References
You can use Alibaba Cloud SDKs to call the following API operations to query information about authorized data assets. For information about the languages and dependency installation methods supported by Data Security Center, see Data Security Center SDK. For instructions on how to integrate Alibaba Cloud SDKs, see Alibaba Cloud SDK.
To query the list of authorized assets, see DescribeParentInstance.
To query the list of authorized instances, databases, and buckets, see DescribeDataLimits.
To query the list of authorized instances, databases, or buckets for a specific product, see DescribeDataLimitSet.