This topic describes the alert rules for the operation compliance of RDS instances. You can configure and enable alert rules in the Simple Log Service console to monitor the operation compliance of RDS instances. If an alert is triggered, you can identify the error cause and fix the error at the earliest opportunity.
Alert rules
The following alert rules are supported. For information about how to set alert parameters, configure whitelists, and perform other relevant operations, see Configure alerts.
RDS Instance SQL Insight Disabled Alert
ID | sls_app_audit_cis_at_rds_sql_audit |
Name | RDS Instance SQL Insight Disabled Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, and RDS Operation Compliance |
Usage | Monitors whether the SQL Explorer feature is disabled for an RDS instance. The SQL Explorer feature must be enabled for RDS instances. Otherwise, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8. |
External Configurations | You can specify a whitelist of accounts that can disable the SQL Explorer feature for RDS instances. If the SQL Explorer feature is disabled by an account on the whitelist, no alert is triggered. |
Solution | Do not disable the SQL Explorer feature for an RDS instance by using an account that is not included in the whitelist. |
Prerequisites | The Operations Log switch of ActionTrail is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
RDS Instance Access Whitelist Abnormal Setting Alert
ID | sls_app_audit_cis_at_rds_access_whitelist |
Name | RDS Instance Access Whitelist Abnormal Setting Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, and RDS Operation Compliance |
Usage | Monitors whether the IP address whitelist of an RDS instance is set to an invalid value. The IP address whitelist of an RDS instance must not be set to 0.0.0.0. Otherwise, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8. |
External Configurations | You can specify a whitelist of accounts. If an RDS instance belongs to an account on the whitelist and the whitelist of IP addresses to access the instance is set to 0.0.0.0, no alert is triggered. |
Solution | Allow only RDS instances that belong to an account on the whitelist to set the IP address whitelist to 0.0.0.0. |
Prerequisites | The Operations Log switch is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
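The check described by this rule, including the account whitelist exemption and the 2-minute time range, can be sketched as follows. This is an added example, not Simple Log Service code: the record fields (`ts`, `account_id`, `event_name`, `instance`, `security_ips`), the account and instance names, and the sample events are constructed, and treating `0.0.0.0/0` the same as `0.0.0.0` goes beyond what the rule description states.

```python
import ipaddress

RULE_ID = "sls_app_audit_cis_at_rds_access_whitelist"  # rule ID from this page
SEVERITY = 8          # default severity of the rule: High-8
WINDOW_SECONDS = 120  # "The data of the last 2 minutes is checked."

def open_entries(security_ips):
    """Return the IP whitelist entries that admit every IPv4 address."""
    flagged = []
    for entry in (e.strip() for e in security_ips.split(",")):
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # not an IP address or CIDR block; skip it
        # A bare 0.0.0.0 or any IPv4 block with prefix length 0 is wide open.
        if net.version == 4 and (entry == "0.0.0.0" or net.prefixlen == 0):
            flagged.append(entry)
    return flagged

def evaluate(events, account_whitelist, now):
    """Return one alert per in-window change that opens the IP whitelist."""
    alerts = []
    for ev in events:
        if ev["event_name"] != "ModifySecurityIps":  # RDS API operation name
            continue
        if not (now - WINDOW_SECONDS <= ev["ts"] <= now):
            continue
        if ev["account_id"] in account_whitelist:  # External Configurations
            continue
        hits = open_entries(ev["security_ips"])
        if hits:
            alerts.append({"rule": RULE_ID, "severity": SEVERITY,
                           "account_id": ev["account_id"],
                           "instance": ev["instance"], "entries": hits})
    return alerts

# Constructed sample records (hypothetical field names, not the ActionTrail schema).
NOW = 1_700_000_000
SAMPLE_EVENTS = [
    {"ts": NOW - 30, "account_id": "acct-a", "event_name": "ModifySecurityIps",
     "instance": "rm-example1", "security_ips": "10.0.0.0/8, 0.0.0.0/0"},
    {"ts": NOW - 45, "account_id": "acct-b", "event_name": "ModifySecurityIps",
     "instance": "rm-example2", "security_ips": "0.0.0.0"},
    {"ts": NOW - 60, "account_id": "acct-a", "event_name": "ModifySecurityIps",
     "instance": "rm-example3", "security_ips": "192.168.1.10,172.16.0.0/12"},
    {"ts": NOW - 600, "account_id": "acct-a", "event_name": "ModifySecurityIps",
     "instance": "rm-example4", "security_ips": "0.0.0.0"},
]
```

With `acct-b` on the account whitelist, `evaluate(SAMPLE_EVENTS, {"acct-b"}, NOW)` reports only `rm-example1`; the change on `rm-example4` falls outside the 2-minute range.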
Newly Created RDS Instance's SSL Not Enabled Alert
ID | sls_app_audit_cis_at_rds_ssl_off |
Name | Newly Created RDS Instance's SSL Not Enabled Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, and RDS Operation Compliance |
Usage | Monitors whether the SSL feature is disabled for newly created RDS instances. We recommend that you enable the SSL feature within 1 hour after you create an RDS instance. Otherwise, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last hour is checked. |
Parameter Settings | Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8. |
External Configurations | You can specify a whitelist of accounts. If an RDS instance belongs to an account on the whitelist and the SSL feature is not enabled for the instance, no alert is triggered. |
Solution | If an RDS instance does not belong to an account in the whitelist, we recommend that you enable the SSL feature within 1 hour after you create the instance. |
Prerequisites | The Operations Log switch of ActionTrail is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
Newly Created RDS Instance's TDE Not Enabled Alert
ID | sls_app_audit_cis_at_rds_tde_off |
Name | Newly Created RDS Instance's TDE Not Enabled Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, and RDS Operation Compliance |
Usage | Monitors whether TDE is disabled for a newly created RDS instance. We recommend that you enable TDE within 1 hour after you create an RDS instance. Otherwise, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last hour is checked. |
Parameter Settings | Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: Medium-6. |
External Configurations | You can specify a whitelist of accounts. If an RDS instance belongs to an account on the whitelist and TDE is not enabled for the instance, no alert is triggered. |
Solution | If an RDS instance does not belong to an account on the whitelist, we recommend that you enable TDE within 1 hour after you create the RDS instance. |
Prerequisites | The Operations Log switch of ActionTrail is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
RDS Instance SSL Disabled Alert
ID | sls_app_audit_cis_at_rds_ssl_config |
Name | RDS Instance SSL Disabled Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, and RDS Operation Compliance |
Usage | Monitors whether the SSL feature is disabled for RDS instances. We recommend that you do not disable the SSL feature for RDS instances. Otherwise, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8. |
External Configurations | You can specify a whitelist of accounts. If an RDS instance belongs to an account on the whitelist and the SSL feature is disabled for the instance, no alert is triggered. |
Solution | Do not disable the SSL feature for an RDS instance that is not included in the whitelist. |
Prerequisites | The Operations Log switch of ActionTrail is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
RDS Instance Configuration Change Alert
ID | sls_app_audit_cis_at_rds_conf_change |
Name | RDS Instance Configuration Change Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, and RDS Operation Compliance |
Usage | Monitors whether the configurations of RDS instances are changed. If the configurations of an RDS instance are changed, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: Low-4. |
External Configurations | You can specify a whitelist of accounts. If an RDS instance belongs to an account on the whitelist and the configurations of the instance are changed, no alert is triggered. |
Solution | Check whether an exception occurs on the RDS instance that triggered the alert. |
Prerequisites | The Operations Log switch of ActionTrail is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |