This section describes how to use DMS authorization to secure database access.
Issues
Issue one
In large companies, some employees still share a single Alibaba Cloud account for convenience, but this creates security issues:
When many employees hold advanced privileges, the chance of a system failure is high. For example, multiple employees may be authorized to release resources or restart database instances.
Operations cannot be attributed to individual employees, which makes it impossible to audit them.
Issue two
If your Alibaba Cloud account is compromised by attackers or misused by former employees, the security of your data is greatly compromised.
Issue three
As companies break responsibilities down into small, manageable roles, system privileges should be reduced to the minimum each role requires to avoid potential security risks.
Fixes
Fix one: Perform authorization to avoid sharing Alibaba Cloud accounts
You can use user authorization to grant individual employees access to RDS and NoSQL instances. Employees can log on with RAM user accounts or with other Alibaba Cloud corporate or personal accounts.
Fix two: Use audit log to audit the operations performed by employees
You can use the audit log to review which accounts have logged on to database instances and which operations they have performed, as shown in the following figure:
Fix three: Use access address authorization to control database access by IP address
You can use access address authorization to control database access by IP address. Even if your Alibaba Cloud account is compromised, the attacker cannot access your database in DMS unless their IP address is on the whitelist.
Fix four: Use function restrictions to prevent employees from accessing specific features
You can use function restrictions to prevent employees from using specific features, such as exporting data. This lowers the risk of data exposure.
Secure database access procedure
To log on to a database in DMS, a user must pass four layers of security authentication, in the following order:
Alibaba Cloud account (Required)
Access address authorization
User authorization/Function restrictions
Database account (Required)