
How to secure database access through DMS

Last Updated:Sep 30, 2020

This section describes how to use DMS authorization features to secure database access.

Issues

Issue one

In large companies, some employees still share a single Alibaba Cloud account for convenience, which leads to the following security issues:

  • When multiple employees hold advanced privileges, such as the right to release resources or restart database instances, the risk of an accidental system failure is high.

  • Operations cannot be attributed to the individual employee who performed them, which makes these operations impossible to audit.

Issue two

If your Alibaba Cloud account is compromised by attackers or former employees, the security of your data is greatly compromised as well.

Issue three

As companies divide responsibilities into small, manageable roles, system privileges should be reduced to the minimum each role needs, to avoid potential security risks.

Fixes

Fix one: Perform authorization to avoid sharing Alibaba Cloud accounts

You can use user authorization to grant individual employees access to RDS and NoSQL instances. Employees can log on with RAM user accounts or with other Alibaba Cloud corporate or personal accounts, so no account needs to be shared.

Fix two: Use the audit log to audit the operations performed by employees

You can use the audit log to review which accounts have logged on to database instances and which operations they performed, as shown in the following figure:

Audit log

Fix three: Use access address authorization to control database access by IP address

You can use access address authorization to control database access by IP address. Even if your Alibaba Cloud accounts are compromised, attackers cannot access your database in DMS because their IP addresses are not on the whitelist.

Fix four: Use function restrictions to prevent employees from accessing specific features

You can use function restrictions to prevent employees from using specific features, such as exporting data. This lowers the risk of data exposure.

Secure database access procedure

To log on to a database in DMS, a user must pass all four of the following layers of security authentication:

  • Alibaba Cloud account (Required)

  • Access address authorization

  • User authorization/Function restrictions

  • Database account (Required)
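The four layers above, Fix two (audit log) and Fix three (IP whitelist) can be modelled as one logon gate that checks the layers in order, denies by default, and records every decision. The following is an added example written for this page, not DMS code: the policy shape, the class and function names and the sample account, instance and IP values are all assumptions. It goes slightly beyond the text by accepting CIDR ranges as well as single addresses in the whitelist and by failing closed on malformed input.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccessPolicy:
    """Assumed policy shape, one field per DMS layer (not a real DMS configuration)."""
    ip_whitelist: List[str]                    # layer 2: access address authorization
    instance_grants: Dict[str, Set[str]]       # layer 3: user -> instances the user may use
    restricted_functions: Dict[str, Set[str]]  # layer 3: user -> functions blocked for the user
    db_accounts: Dict[str, Set[str]]           # layer 4: instance -> database accounts it accepts


@dataclass
class LogonRequest:
    cloud_account: Optional[str]  # layer 1: Alibaba Cloud or RAM user account (required)
    source_ip: str
    instance_id: str
    function: str                 # e.g. "query" or "export"
    db_account: Optional[str]     # layer 4: database account (required)


@dataclass
class AuditLog:
    """Every decision, allowed or denied, is attributed to the requesting account (Fix two)."""
    entries: List[Dict[str, str]] = field(default_factory=list)

    def record(self, req: LogonRequest, decision: str, reason: str) -> None:
        self.entries.append({
            "account": req.cloud_account or "<none>",
            "source_ip": req.source_ip,
            "instance": req.instance_id,
            "function": req.function,
            "decision": decision,
            "reason": reason,
        })


def ip_allowed(ip: str, whitelist: List[str]) -> bool:
    """Layer 2: the source address must fall inside a whitelisted address or CIDR range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source address fails closed
    for entry in whitelist:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # a malformed whitelist entry never grants access
    return False


def check_logon(req: LogonRequest, policy: AccessPolicy, audit: AuditLog) -> Tuple[bool, str]:
    """Evaluate the four layers in order; the first failing layer denies the logon."""
    def deny(reason: str) -> Tuple[bool, str]:
        audit.record(req, "deny", reason)
        return False, reason

    if not req.cloud_account:                                        # layer 1 (required)
        return deny("cloud account missing")
    if not ip_allowed(req.source_ip, policy.ip_whitelist):           # layer 2
        return deny("source IP not whitelisted")
    if req.instance_id not in policy.instance_grants.get(req.cloud_account, set()):  # layer 3
        return deny("user not authorized for instance")
    if req.function in policy.restricted_functions.get(req.cloud_account, set()):    # layer 3
        return deny("function restricted for user")
    if not req.db_account or req.db_account not in policy.db_accounts.get(req.instance_id, set()):
        return deny("database account missing or invalid")           # layer 4 (required)
    audit.record(req, "allow", "all layers passed")
    return True, "all layers passed"


# Constructed sample policy: two RAM users on one instance, Bob may not export.
SAMPLE_POLICY = AccessPolicy(
    ip_whitelist=["10.0.0.0/8", "203.0.113.10"],
    instance_grants={"ram-user-alice": {"rm-example-01"}, "ram-user-bob": {"rm-example-01"}},
    restricted_functions={"ram-user-bob": {"export"}},
    db_accounts={"rm-example-01": {"app_reader"}},
)


if __name__ == "__main__":
    log = AuditLog()
    for req in (
        LogonRequest("ram-user-alice", "10.1.2.3", "rm-example-01", "query", "app_reader"),
        LogonRequest("ram-user-bob", "10.1.2.3", "rm-example-01", "export", "app_reader"),
        LogonRequest("ram-user-alice", "198.51.100.7", "rm-example-01", "query", "app_reader"),
    ):
        print(check_logon(req, SAMPLE_POLICY, log))
    for entry in log.entries:
        print(entry)
```

The order of the checks matters for the audit log: the IP check runs before the user authorization check, so a denied request from an unknown address is recorded without revealing which instances the account holds. A request that passes all four layers is logged just like a denied one, which is what makes per-employee auditing possible once accounts are no longer shared.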