You can use authorization to do the following:
Grant RDS read-only permissions to developers without sharing Alibaba Cloud resource accounts
Authorize one RAM user to manage a specified RDS instance
Review the data that has been accessed by each user
1. Grant RDS read-only permissions to developers without sharing Alibaba Cloud resource accounts
Use Alibaba Cloud corporate accounts to manage staff accounts.
You can add staff accounts to your Alibaba Cloud corporate account. A staff account can be an Alibaba Cloud individual account or a RAM user account.
Note: Your Alibaba Cloud corporate account can be used as a primary account. However, you can also add this account to other Alibaba Cloud accounts.
DMS supports the following two types of account: Alibaba Cloud account and RAM user account.
Click here to register an Alibaba Cloud account, or click here to create a RAM user account.
Grant database access to developers.
Create a read-only database account.
Log on to the RDS console, go to the management page of your database instance, and click Accounts to create a database account with read-only privileges. Developers then log on to the DMS console with the new Alibaba Cloud account and specify the instance endpoint, the read-only database username, and its password.
2. Authorize one RAM user to manage a specified RDS instance
Method one
Grant RDS access to a RAM user.
The RAM user logs on to the DMS console and specifies the RDS instance endpoint, database username, and password.
Method two
Attach a custom RAM policy to the RAM user that allows the dms:LoginDatabase action on the specified RDS instance only:
{
    "Statement": [
        {
            "Action": "dms:LoginDatabase",
            "Effect": "Allow",
            "Resource": "acs:rds:*:*:dbinstance/$dbinstanceid"
        }
    ],
    "Version": "1"
}
Note: $dbinstanceid represents the RDS instance ID.
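The following is an added example, not code from the DMS documentation or from Alibaba Cloud. It builds the policy above for a given instance ID and then reviews any policy document for the property that matters here: that an Allow statement is scoped to a single RDS instance rather than to a wildcard. The instance ID rm-example123 and the helper names are constructed for the example.

```python
import json
import re

# Matches a resource string naming exactly one RDS instance, e.g.
# "acs:rds:*:*:dbinstance/rm-example123"; region and account may be wildcards,
# the instance segment may not.
SINGLE_INSTANCE_RESOURCE = re.compile(r"^acs:rds:[^:]*:[^:]*:dbinstance/([^/*]+)$")

WRITE_WILDCARD_ACTIONS = ("*",)


def build_dms_login_policy(instance_id: str) -> dict:
    """Hypothetical helper: return the dms:LoginDatabase policy scoped to one instance.

    The ID is rejected if it is empty or contains characters that would
    change the resource string's shape (wildcards, separators, whitespace),
    so the generated policy can never cover more than the intended instance.
    """
    if not instance_id or re.search(r"[*:/\s]", instance_id):
        raise ValueError(f"invalid RDS instance id: {instance_id!r}")
    return {
        "Statement": [
            {
                "Action": "dms:LoginDatabase",
                "Effect": "Allow",
                "Resource": f"acs:rds:*:*:dbinstance/{instance_id}",
            }
        ],
        "Version": "1",
    }


def policy_scope_problems(policy: dict) -> list:
    """Review a RAM policy document; an empty list means every Allow is instance-scoped."""
    problems = []
    if policy.get("Version") != "1":
        problems.append("Version must be '1'")
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not reviewed here
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action in WRITE_WILDCARD_ACTIONS or action.endswith(":*"):
                problems.append(f"statement {i}: action {action!r} is a wildcard")
        for resource in resources:
            if not SINGLE_INSTANCE_RESOURCE.match(resource):
                problems.append(
                    f"statement {i}: resource {resource!r} is not a single RDS instance"
                )
    return problems


if __name__ == "__main__":
    policy = build_dms_login_policy("rm-example123")  # constructed instance ID
    print(json.dumps(policy, indent=2))
    print("findings:", policy_scope_problems(policy))
```

Run the review against any policy JSON you are about to attach; a non-empty findings list means the policy grants more than "manage this one RDS instance" and should be tightened before it is assigned to the RAM user.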
3. Review the data that has been accessed by each user
DMS provides a security audit feature that allows primary accounts to review all database operations performed by authorized users and to check the corresponding operation logs.
Audit analysis: provides information about frequently accessed instances, active users, and frequently executed database operations.
Audit log: provides operation logs related to specified users.
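As an added example that is not part of the DMS documentation, the script below reproduces the two views described above over a small constructed audit log: an "audit analysis" summary (frequently accessed instances, active users, frequent operations) and a per-user "audit log". It also adds the check a primary account would want after following section 1: a developer who was given a read-only database account should never appear with write operations. The record layout, user names and instance IDs are constructed and are not DMS's real export format.

```python
from collections import Counter

# Constructed audit records: (user, instance, operation, statement).
SAMPLE_AUDIT_LOG = [
    ("dev_a", "rm-constructed-01", "SELECT", "SELECT id, status FROM orders LIMIT 100"),
    ("dev_a", "rm-constructed-01", "SELECT", "SELECT COUNT(*) FROM orders"),
    ("dev_b", "rm-constructed-01", "SELECT", "SELECT * FROM customers WHERE id = 42"),
    ("dev_b", "rm-constructed-02", "UPDATE", "UPDATE customers SET tier = 'gold' WHERE id = 42"),
    ("admin", "rm-constructed-02", "ALTER", "ALTER TABLE orders ADD COLUMN note TEXT"),
    ("dev_a", "rm-constructed-02", "SELECT", "SELECT * FROM orders WHERE id = 7"),
    ("dev_c", "rm-constructed-01", "DELETE", "DELETE FROM orders WHERE id = 7"),
    ("admin", "rm-constructed-01", "SELECT", "SELECT VERSION()"),
]

# Operations that a read-only database account must not be able to issue.
WRITE_OPERATIONS = {"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "TRUNCATE"}


def audit_analysis(records, top=3):
    """Summarise the log the way the audit analysis view does: top instances, users, operations."""
    return {
        "instances": Counter(r[1] for r in records).most_common(top),
        "users": Counter(r[0] for r in records).most_common(top),
        "operations": Counter(r[2] for r in records).most_common(top),
    }


def audit_log_for_user(records, user):
    """Return the operation log of one specified user, as the audit log view does."""
    return [r for r in records if r[0] == user]


def writes_by_read_only_users(records, read_only_users):
    """Flag write operations attributed to accounts that were granted read-only access.

    A hit means either the database account was not actually read-only or the
    user logged in with credentials other than the ones they were given.
    """
    return [r for r in records if r[0] in read_only_users and r[2] in WRITE_OPERATIONS]


if __name__ == "__main__":
    summary = audit_analysis(SAMPLE_AUDIT_LOG)
    for key, rows in summary.items():
        print(key, rows)
    for rec in audit_log_for_user(SAMPLE_AUDIT_LOG, "dev_a"):
        print("dev_a:", rec[1], rec[2], rec[3])
    # dev_a and dev_c were given read-only accounts in this constructed scenario.
    for rec in writes_by_read_only_users(SAMPLE_AUDIT_LOG, {"dev_a", "dev_c"}):
        print("FINDING: read-only user issued a write:", rec)
```

The write check is the piece worth keeping: the DMS audit views show what happened, and comparing that against the access each user was supposed to have is how a primary account turns the log into an actionable review.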