# rds-security-general

Part of **RDS**

<!-- intent-backlink:auto -->

> 💡 **Path Selection**: This skill is one implementation path for [Configure database security settings and access control](../../intent/rds-configure-security/SKILL.md). If you're unsure which path to take, check the routing skill first.

# ApsaraDB RDS Security Console Guide

## Operations Overview

| Operation | Console Navigation Path | Prerequisites | Description |
|----------|------------------------|---------------|-------------|
| Manage Identity-Based Access | Console > RDS > Security > Identity-based Policies | User must have an Alibaba Cloud account; User must be assigned a role with administrative privileges | Create and manage identity-based policies to control resource access based on user roles |
| Network Access Configuration | Console > ApsaraDB RDS > Instances > Network Management | An RDS instance already created; VPC and subnet configured if using VPC network | Configure network type (private/public) and security group settings for RDS instances |
| Security Group Configuration | Console > RDS > Instances > Select Instance > Security Management | An RDS instance must be created and running; User must have sufficient permissions to modify security settings | Define inbound rules for security groups to control database access |
| Switch Whitelist Mode | Console > RDS > Instances > Switch Whitelist Mode | An ApsaraDB RDS for MariaDB TX instance must exist; The instance must be in a VPC or classic network; You must have sufficient permissions to modify instance settings | Upgrade from standard to enhanced whitelist mode for improved network isolation |
| Connect ECS to RDS | Console > RDS > Instances > Instance Details | ECS and RDS instances must be in the same region; Permissions to modify network settings of both instances | Establish internal network connections between ECS and RDS instances across different network configurations |
| Configure Access Control | Console > ApsaraDB RDS > Instances > Data Security | An ApsaraDB RDS instance already created; Admin access to the RDS console | Set up IP address whitelists and database account permissions for access control |
| Bulk Configure Whitelist | Console > ApsaraDB RDS > Instances > Whitelist Template | The RDS for MariaDB instance must have a public endpoint | Use templates to apply the same IP access rules to multiple RDS instances simultaneously |
| Whitelist Configuration | Console > RDS > Instances > [Instance ID] > Whitelist and SecGroup | An ApsaraDB RDS instance must be created and running; User must have sufficient permissions to modify instance security settings | Configure IP address whitelists and manage whitelist templates for access control |
| SSL Encryption | Console > RDS > Instances > Select Instance > Security Settings > SSL Encryption | An ApsaraDB RDS instance is created and running; The instance has network access enabled | Enable SSL encryption with standard or custom certificates for secure connections |
| Configure Network Settings | Console > ApsaraDB RDS > Instances > Configure Network Settings | ApsaraDB RDS for MySQL instance created; Security group configured for the target database; VPC peering connection or CEN instance set up (for inter-VPC access) | Set up network configurations for native replication between RDS instances and external databases |
| Change Security Group | Console > RDS Custom > Instance | A new security group must be created in the same VPC as the target RDS Custom instance | Modify the security group associated with an RDS instance |
| Switch Instance Whitelist Mode | Console > Database Services > ApsaraDB RDS > Instances > Select Instance > Security Settings > Switch to Enhanced Whitelist Mode | The RDS instance must be running in either VPC or classic network; The instance should not be in a maintenance window; User must have sufficient RAM permissions to modify instance security settings | Change an RDS PPAS instance to enhanced whitelist mode for improved security |
| Configure IP Whitelist | Console > Database Services > ApsaraDB RDS > Instances > Configure Whitelist | An ApsaraDB RDS for PPAS instance must be created; The instance must be in a running state; Access to the Alibaba Cloud console with appropriate permissions | Set up IP address whitelists to control access to RDS instances |
| Enable HTTPS Access | RDS Console > AI App Development Supabase > Instance ID > Basic Information | An RDS Supabase instance in the Running state; An SSL certificate file and matching private key file bound to the instance's public IP address | Configure SSL encryption to enable secure HTTPS access on port 443 |
| Configure Security Group | Console > RDS > Instances > Select Instance > Security Group | An ApsaraDB RDS for PostgreSQL instance is created; An ECS security group exists with the same network type (VPC or classic network) as the RDS instance | Associate ECS security groups with RDS PostgreSQL instances for network access control |
| Use Whitelist Template | Console > RDS > Whitelist Template | Public endpoints enabled on the RDS instances | Configure and use whitelist templates for centralized IP management across multiple instances |
| Configure Client CA Certificate | Instances > Data Security > SSL | SSL encryption enabled using a cloud certificate or custom certificate; OpenSSL installed | Set up client CA certificate for mutual TLS authentication |
| Custom SSL Certificate | Console > Database > ApsaraDB RDS > Instances > Security > SSL Settings | The instance runs PostgreSQL 10 or later and uses cloud disks; Instances that use the serverless billing method are not supported; OpenSSL is installed | Configure custom certificates for SSL encryption |
| Enforce SSL Connections | Console > RDS > Instances > [Instance] > Security > Client Access Control | SSL encryption is enabled on your RDS for PostgreSQL instance; Client CA certificate is configured for verifying client certificates | Require all client connections to use SSL encryption |
| Enhanced Whitelist Mode | Console > RDS > Instances > [Instance ID] > Whitelist and SecGroup | An ApsaraDB RDS for PostgreSQL instance running PostgreSQL 10 on RDS High-availability Edition with Premium Local SSDs; An ApsaraDB RDS for PostgreSQL instance running PostgreSQL 9.4 on RDS High-availability Edition with Premium Local SSDs | Upgrade to enhanced whitelist mode for better security with network-type-specific whitelists |
| Enable SQL Audit | Console > RDS > Instances > Data Security > SQL Audit | RDS instance must be running RDS High-availability Edition; Instance must be in a supported region (e.g., China (Hangzhou), Singapore, Malaysia (Kuala Lumpur)); Access to the RDS console with appropriate permissions | Enable and configure SQL Audit to track and log database operations for security and compliance |
| Enable Disk Encryption | Console > RDS > Instances > Create Instance | An RDS instance being created — cloud disk encryption cannot be enabled after an instance is created; An instance created in standard mode; A key created based on the MariaDB version of the instance | Configure disk encryption for RDS instances during creation |
| SSL Connection | Console > RDS > Instances > Connect to Instance | SSL encryption enabled on your RDS instance; CA certificate downloaded (either cloud or custom) | Connect to RDS instances over SSL for secure communication |
| Always-Confidential Client Access | Console > RDS > Instances > Select Instance > Security & Configuration > Always Confidential Database | An ApsaraDB RDS for MySQL instance with Always Confidential Database feature enabled; Client application with support for TLS 1.2 or higher; Valid SSL certificate configured on the client side | Use CLI and DMS to query data in always-confidential databases |
| Configure SQL Firewall | ApsaraDB for RDS console > PostgreSQL instances > Modify parameters | RDS instance runs PostgreSQL 10, 11, or 12; Access to the ApsaraDB for RDS console | Set up and manage the SQL firewall to control allowed SQL statements |
| Enable Audit Logging | Console > RDS > Instances > Modify Parameters | An ApsaraDB RDS for PostgreSQL instance running PostgreSQL 10 or later with minor engine version 20210531 or later; For PostgreSQL 17, minor engine version 20241030 or later; The pgaudit extension added to the shared_preload_libraries parameter | Use the pgAudit extension to generate detailed audit logs for database activities |
| Encrypt Sensitive Data | RDS Console > Instances > Select Instance > Database Management > SQL Console | An RDS instance running PostgreSQL 16; Instance minor engine version 20250228 or later | Encrypt sensitive columns using the rds_encdb extension or perform batch TDE encryption |
| Restrict RAM Permissions | Console > RAM > Policies > Create Policy | Access to the RAM console; Knowledge of the target RAM user's username; Understanding of the desired permission restrictions | Limit RAM user permissions using RAM policies for enhanced security |
| Confidential Database | RDS Instances > [Instance ID] > Parameters | An RDS for MySQL instance running MySQL 5.7 or MySQL 8.0 with minor engine version 20240731 or later; Java 1.8 or later installed | Enable and configure confidential database features for enhanced security |
| Column Encryption | RDS Instances > [Instance ID] > Security > Column Encryption Rules | The major version of your ApsaraDB RDS for MySQL instance is MySQL 5.7 or 8.0, and its minor engine version is 20240731 or later; The always-confidential feature is enabled; You must use a privileged account to configure a data protection rule | Configure column-level encryption rules for sensitive data |
| Transparent Data Encryption | Console > Database > RDS > [Instance] > Security > TDE | ApsaraDB RDS instance with MySQL 8.0, 5.7, or 5.6 engine version 20191015 or later; High-availability Edition or Cluster Edition; Key Management Service (KMS) activated; Authorization to allow ApsaraDB RDS to access KMS | Enable TDE for encrypting data at rest |
| Disk Encryption | Console > RDS > Instances > [Instance ID] > Security > Data Encryption | The instance must use ESSD or Standard SSD storage type; The primary instance must not have attached read-only instances; ApsaraDB RDS must be authorized to access Key Management Service (KMS); For paid keys: KMS payments must be up to date | Enable disk-level encryption for RDS instances |
| Sensitive Data Protection | Console > RDS > Instance Details > Security > Sensitive Data Protection | DMS service must be enabled; Database account and password for the target instance | Manage and protect sensitive data in RDS instances |
| Security Best Practices | Console > RDS > Instances > Configure Security Settings | An existing ApsaraDB RDS instance; Access to the Alibaba Cloud console; Permissions to configure instance settings and RAM policies | Implement comprehensive security settings and best practices |
| Enable Column Encryption | Data Security Center Console > Asset Center > Database Asset Management | Instance runs ApsaraDB RDS for PostgreSQL 16 with minor engine version 20250228 or later; Instance is in a supported region | Enable column-level encryption for sensitive data |
| JDBC Column Encryption Driver | Console > RDS > Instances > Select Instance > Data Encryption > Column Encryption | Column encryption enabled on the RDS instance; Connection details: endpoint, port, database name, username, password; Ciphertext permission (JDBC decryption) granted to the account; JDK 1.8 or later | Use JDBC driver to decrypt encrypted columns |

## Step-by-Step Instructions

### Manage Identity-Based Access

**Navigation**: Console > RDS > Security > Identity-based Policies

**Prerequisites**:
- User must have an Alibaba Cloud account
- User must be assigned a role with administrative privileges

1. Navigate to the Identity-based Policies page
   - Element: **Identity-based Policies** (link) — left navigation panel
   - Notes: 

2. Click the Create Policy button to create a new policy
   - Element: **Create Policy** (button) — top-right corner
   - Notes: The policy creation wizard will open after clicking this button.

3. Select the type of policy to create
   - Element: **Policy Type** (dropdown) — main content area
   - Notes: Options include Custom Policy and Predefined Policy.

4. Define the permissions for the policy
   - Element: **Permissions** (text_input) — main content area
   - Notes: Use the policy editor to specify allowed actions and resources.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Policy Name | text | Yes | — | A unique name for the identity-based policy. |
| Description | text | No | — | Optional description to explain the purpose of the policy. |
| Policy Type | dropdown | Yes | Custom Policy, Predefined Policy | Choose whether to create a custom policy or use a predefined one. |

### Network Access Configuration

**Navigation**: Console > ApsaraDB RDS > Instances > Network Management

**Prerequisites**:
- An RDS instance already created
- VPC and subnet configured if using VPC network

1. Click on the target RDS instance in the instance list
   - Element: **Instance ID** (link) — main content area
   - Notes: 

2. Navigate to the Network Management tab
   - Element: **Network Management** (tab) — top navigation panel
   - Notes: 

3. Modify the network type from private to public or vice versa
   - Element: **Change Network Type** (button) — main content area
   - Notes: Only available if the instance is currently in a private network

4. Select a security group for the instance
   - Element: **Security Group** (dropdown) — form field section
   - Notes: Can be a new or existing security group; must be in the same region as the instance

5. Click Save to apply changes
   - Element: **Save** (button) — bottom of form
   - Notes: Changes may take up to 5 minutes to take effect

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Network Type | radio | Yes | Private Network, Public Network | Determines whether the instance can be accessed over the internet |
| Security Group | dropdown | No | — | Controls inbound and outbound traffic to the instance |

### Security Group Configuration

**Navigation**: Console > RDS > Instances > Select Instance > Security Management

**Prerequisites**:
- An RDS instance must be created and running
- User must have sufficient permissions to modify security settings

1. Navigate to the RDS console and select the target instance
   - Element: **Instances** (link) — left navigation panel
   - Notes: 

2. Click on the 'Security Management' tab for the selected instance
   - Element: **Security Management** (tab) — main content area
   - Notes: 

3. Configure inbound rules for the security group
   - Element: **Add Rule** (button) — top-right corner
   - Notes: Select protocol type (e.g., MySQL, PostgreSQL), specify port range, and define source IP or CIDR block

4. Save the updated security group rules
   - Element: **Confirm** (button) — bottom of the form
   - Notes: Changes take effect immediately after confirmation

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Protocol Type | dropdown | Yes | MySQL, PostgreSQL, SQL Server, Oracle, Custom TCP | Specifies the database protocol to allow through the security group |
| Port Range | text_input | Yes | — | The port number or range used by the database service |
| Source IP/CIDR | text_input | Yes | — | The IP address or CIDR block allowed to connect to the database |
| Rule Description | text_input | No | — | Optional description for identifying the rule purpose |

### Switch Whitelist Mode

**Navigation**: Console > RDS > Instances > Switch Whitelist Mode

**Prerequisites**:
- An ApsaraDB RDS for MariaDB TX instance must exist
- The instance must be in a VPC or classic network
- You must have sufficient permissions to modify instance settings

1. Navigate to the RDS console and select the target instance
   - Element: **Instances** (menu) — left navigation panel
   - Notes: 

2. Click on the instance name to open its details page
   - Element: **Instance ID or Instance Name** (link) — main content area
   - Notes: 

3. Go to the Security Settings tab
   - Element: **Security Settings** (tab) — top of instance details
   - Notes: 

4. Click the 'Switch to Enhanced Whitelist Mode' button
   - Element: **Switch to Enhanced Whitelist Mode** (button) — Security Settings section
   - Notes: This feature is currently unavailable due to a network link upgrade. You will be notified when it becomes available.

### Bulk Configure Whitelist

**Navigation**: Console > ApsaraDB RDS > Instances > Whitelist Template

**Prerequisites**:
- The RDS for MariaDB instance must have a public endpoint

1. Log on to the ApsaraDB RDS console
   - Element: **ApsaraDB RDS console** (link) — top navigation bar
   - Notes: 

2. Click Whitelist Template in the left-side navigation pane
   - Element: **Whitelist Template** (menu) — left-side navigation panel
   - Notes: 

3. Create a new template by clicking Create Whitelist Template
   - Element: **Create Whitelist Template** (button) — main content area
   - Notes: Template names must be unique within the same account.

4. Enter a template name and IP addresses, then click OK
   - Element: **OK** (button) — bottom of the panel
   - Notes: Setting the whitelist to 0.0.0.0/0 allows access from any IP address on the internet. Use this setting with caution.

5. Modify an existing template by clicking Modify
   - Element: **Modify** (button) — Operation column
   - Notes: You cannot change the name of a whitelist template after it is created.

6. Select instances to associate with the template using the shuttle interface
   - Element: **Move to right list icon** (icon) — shuttle panel
   - Notes: You can associate a maximum of 20 instances at a time.

7. Edit IP addresses in the whitelist
   - Element: **Whitelist** (text_input) — configuration panel
   - Notes: Modifications apply immediately to all associated instances.

8. Delete a template by clicking Delete in the Operation column
   - Element: **Delete** (button) — Operation column
   - Notes: Deleting a template removes the corresponding whitelist group from all associated instances.

9. Go to the target instance's detail page and navigate to the Whitelist Template tab
   - Element: **Whitelist Template** (tab) — left-side navigation pane
   - Notes: 

10. Associate a template by clicking Connect Template
    - Element: **Connect Template** (button) — main content area
    - Notes: After association, the template's whitelist group appears in the list.

11. Disassociate a template by clicking Cancel Template
    - Element: **Cancel Template** (button) — right of the whitelist group
    - Notes: 

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Template Name | text | Yes | — | Unique name for the whitelist template within the account |
| IP Addresses | text | Yes | — | Specific IP addresses or CIDR blocks to allow access |
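The note on step 4 is the point a reviewer checks before a template is applied to 20 instances: a single `0.0.0.0/0` entry opens every associated instance to the internet. The following is an added example, not code from the page or from Alibaba Cloud, that audits a comma-separated whitelist string the way the console accepts it; the sample entries and the `max_hosts` threshold for flagging wide blocks are constructed assumptions.

```python
import ipaddress

# Constructed sample whitelist (not from the page): a tight /24, a single host,
# the catch-all 0.0.0.0/0, a wide RFC 1918 range and an entry with a typo.
SAMPLE_WHITELIST = "10.0.1.0/24, 192.168.5.17, 0.0.0.0/0, 172.16.0.0/12, 300.1.1.1"

SEVERITY_ORDER = {"ok": 0, "warning": 1, "invalid": 2, "critical": 3}


def parse_whitelist(raw):
    """Split a comma-separated whitelist into (original_entry, network) pairs.

    Entries that are not a valid IPv4/IPv6 address or CIDR block are returned
    separately so the caller can report them instead of silently dropping them.
    """
    parsed, invalid = [], []
    for item in raw.split(","):
        entry = item.strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits in the prefix (10.0.1.5/24 -> 10.0.1.0/24)
            parsed.append((entry, ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            invalid.append(entry)
    return parsed, invalid


def audit_whitelist(raw, max_hosts=256):
    """Return {entry: (severity, reason)} for every entry that deserves attention.

    - 'critical': a /0 (0.0.0.0/0 or ::/0), i.e. the whole internet.
    - 'warning' : a block wider than max_hosts addresses (assumed threshold).
    - 'invalid' : not parseable as an address or CIDR block.
    An empty dict means the whitelist is tight and well-formed.
    """
    findings = {}
    parsed, invalid = parse_whitelist(raw)
    for entry in invalid:
        findings[entry] = ("invalid", "not a valid IP address or CIDR block")
    for entry, net in parsed:
        if net.prefixlen == 0:
            findings[entry] = ("critical", "allows every address on the internet")
        elif net.num_addresses > max_hosts:
            findings[entry] = (
                "warning",
                f"covers {net.num_addresses} addresses (limit {max_hosts})",
            )
    return findings


def worst_severity(findings):
    """Collapse findings to a single level usable as a pass/fail gate."""
    if not findings:
        return "ok"
    return max((sev for sev, _ in findings.values()), key=SEVERITY_ORDER.__getitem__)


if __name__ == "__main__":
    result = audit_whitelist(SAMPLE_WHITELIST)
    for entry, (severity, reason) in result.items():
        print(f"{severity:8} {entry:16} {reason}")
    print("overall:", worst_severity(result))
```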

### SSL Encryption

**Navigation**: Console > RDS > Instances > Select Instance > Security Settings > SSL Encryption

**Prerequisites**:
- An ApsaraDB RDS instance is created and running
- The instance has network access enabled

1. Navigate to the RDS console and select the target instance
   - Element: **Instances** (link) — left navigation panel
   - Notes: 

2. Click on the instance name to open its details page
   - Element: **Instance Name** (link) — instance list
   - Notes: 

3. Go to the Security Settings tab
   - Element: **Security Settings** (tab) — top navigation bar
   - Notes: 

4. Enable SSL encryption by toggling the switch
   - Element: **SSL Encryption** (toggle) — SSL Encryption section
   - Notes: The toggle will turn green when enabled. After enabling, a certificate is automatically generated.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| SSL Encryption | toggle | No | — | Enables or disables SSL encryption for the database connection. |

### Enable SQL Audit

**Navigation**: Console > RDS > Instances > Data Security > SQL Audit

**Prerequisites**:
- RDS instance must be running RDS High-availability Edition
- Instance must be in a supported region (e.g., China (Hangzhou), Singapore, Malaysia (Kuala Lumpur))
- Access to the RDS console with appropriate permissions

1. Click on the Data Security section in the left-side navigation pane
   - Element: **Data Security** (menu) — left-side navigation panel
   - Notes: 

2. Click the SQL Audit tab in the Data Security section
   - Element: **SQL Audit** (tab) — main content area
   - Notes: 

3. In the SQL insight and audit dialog box, click One click upgrade to enable the SQL Explorer and Audit feature
   - Element: **One click upgrade** (button) — dialog box
   - Notes: After enabling, the SQL Audit feature becomes unavailable and users are redirected to the SQL Explorer and Audit page.

4. To enable the legacy SQL Audit feature instead, click Cancel in the dialog box and then click Enable now
   - Element: **Enable now** (button) — dialog box
   - Notes: A screenshot titled 'SQL' is shown after this step.

5. Confirm the action by clicking OK in the confirmation message
   - Element: **OK** (button) — message dialog
   - Notes: 

6. To disable the SQL Audit feature, click Cancel in the dialog box and then click Disable SQL Audit
   - Element: **Disable SQL Audit** (button) — dialog box
   - Notes: A screenshot titled 'SQL' is shown after this step. Disabling deletes all historical logs.

7. Confirm the disable action by clicking OK in the confirmation message
   - Element: **OK** (button) — message dialog
   - Notes: If CloudLens for RDS is enabled, it must also be disabled to fully turn off auditing.

### Enable Disk Encryption

**Navigation**: Console > RDS > Instances > Create Instance

**Prerequisites**:
- An RDS instance being created — cloud disk encryption cannot be enabled after an instance is created
- An instance created in standard mode
- A key created based on the MariaDB version of the instance

1. Select the Storage Type parameter and choose Disk Encryption
   - Element: **Storage Type** (dropdown) — main content area
   - Notes: 

2. Configure the Key parameter
   - Element: **Key** (dropdown) — main content area
   - Notes: 

3. Go to the Instances page and select the region where the instance resides
   - Element: **Instances** (link) — top navigation bar
   - Notes: 

4. Click the instance ID to open its details
   - Element: **instance ID** (link) — table of instances
   - Notes: 

5. Check the Basic Information section for the AccessKey Pair parameter
   - Element: **Basic Information** (tab) — left navigation panel
   - Notes: If AccessKey Pair appears, encryption is enabled. Screenshot shows this field present.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Storage Type | dropdown | Yes | Standard, Disk Encryption | Specifies the storage type for the instance. Selecting Disk Encryption enables cloud disk encryption at block level. |
| Key | dropdown | Yes | Default Service CMK, Customer Master Key (CMK) | Selects the encryption key used for disk encryption. The available options depend on MariaDB version and instance type. |

### Configure SQL Firewall

**Navigation**: ApsaraDB for RDS console > PostgreSQL instances > Modify parameters

**Prerequisites**:
- RDS instance runs PostgreSQL 10, 11, or 12
- Access to the ApsaraDB for RDS console

1. Set the sql_firewall.firewall parameter to learning
   - Element: **sql_firewall.firewall** (dropdown) — Parameters section in the console
   - Notes: 

2. Restart the RDS instance
   - Element: **Restart Instance** (button) — Instance details page
   - Notes: Required after changing parameter values

3. Set the sql_firewall.firewall parameter to permissive
   - Element: **sql_firewall.firewall** (dropdown) — Parameters section in the console
   - Notes: 

4. Restart the RDS instance
   - Element: **Restart Instance** (button) — Instance details page
   - Notes: Required after changing parameter values

5. Set the sql_firewall.firewall parameter to enforcing
   - Element: **sql_firewall.firewall** (dropdown) — Parameters section in the console
   - Notes: 

6. Restart the RDS instance
   - Element: **Restart Instance** (button) — Instance details page
   - Notes: Required after changing parameter values

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| sql_firewall.firewall | dropdown | No | disable, learning, permissive, enforcing | Controls the operating mode of the SQL firewall extension |
| shared_preload_libraries | text | No | — | List of shared libraries loaded at startup; must include sql_firewall during activation |

### Enable Audit Logging

**Navigation**: Console > RDS > Instances > Modify Parameters

**Prerequisites**:
- An ApsaraDB RDS for PostgreSQL instance running PostgreSQL 10 or later with minor engine version 20210531 or later
- For PostgreSQL 17, minor engine version 20241030 or later
- The pgaudit extension added to the shared_preload_libraries parameter

1. Navigate to the RDS console and select your PostgreSQL instance
   - Element: **Instances** (link) — left navigation panel
   - Notes: 

2. Click on the instance to open its details page
   - Element: **Instance ID or name** (link) — main content area
   - Notes: 

3. Go to the Parameters tab and modify the pgaudit.log parameter
   - Element: **Parameters** (tab) — top navigation
   - Notes: 

4. Set the pgaudit.log parameter to a comma-separated list of statement classes (e.g., write, ddl)
   - Element: **pgaudit.log** (text_input) — parameter list
   - Notes: Requires superuser privileges; cannot be set via SQL SET statement

5. Set the pgaudit.role parameter to the name of the designated audit role (e.g., auditor)
   - Element: **pgaudit.role** (text_input) — parameter list
   - Notes: Requires superuser privileges; cannot be set via SQL SET statement

6. Save the changes
   - Element: **Save** (button) — bottom of the form
   - Notes: 

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| pgaudit.log | text | No | READ, WRITE, FUNCTION, ROLE, DDL, MISC, MISC_SET, ALL, NONE | Specifies the statement classes to log. Use a comma-separated list. |
| pgaudit.role | text | No | — | Master role for object audit logging. Multiple audit roles can be defined by granting them to the master role. |
| pgaudit.log_catalog | checkbox | No | on, off | Logs statements where all relations in the statement are in the pg_catalog schema. Disabling reduces noise from queries against the catalog. |
| pgaudit.log_parameter | checkbox | No | on, off | Includes the parameters passed with the statement in the audit log. |
| pgaudit.log_rows | checkbox | No | on, off | Includes the number of rows retrieved or affected by a statement in the audit log. |
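Once `pgaudit.log` and `pgaudit.role` are set, the value for a defender is in reading the lines pgaudit emits. The following is an added example, not code from the page or from Alibaba Cloud: a parser for pgaudit session and object audit lines plus a filter for the classes most worth alerting on. The log excerpt, its timestamp prefix and the choice of `ROLE`/`DDL` and object-audit events as high risk are constructed assumptions; it assumes `pgaudit.log_rows` is off, so each record has the nine standard fields.

```python
import csv
from collections import Counter

# Constructed log excerpt (not from the page). Assumed settings:
# pgaudit.log = 'write, ddl, role', pgaudit.role = 'auditor' (auditor has SELECT on
# public.salary), pgaudit.log_parameter and pgaudit.log_rows both off.
# The line prefix before "AUDIT:" is arbitrary; only the part after the marker is parsed.
SAMPLE_LOG = """\
2024-06-01 10:00:01 UTC [1234] app@appdb LOG:  connection received: host=10.0.1.5
2024-06-01 10:00:02 UTC [1234] app@appdb LOG:  AUDIT: SESSION,1,1,WRITE,INSERT,TABLE,public.orders,"INSERT INTO orders (id, amount) VALUES (1, 42)",<not logged>
2024-06-01 10:00:03 UTC [1234] app@appdb LOG:  AUDIT: SESSION,2,1,ROLE,GRANT,TABLE,public.orders,GRANT SELECT ON orders TO reporting,<not logged>
2024-06-01 10:00:04 UTC [1234] app@appdb LOG:  AUDIT: SESSION,3,1,WRITE,UPDATE,TABLE,public.orders,UPDATE orders SET amount = 43 WHERE id = 1,<not logged>
2024-06-01 10:00:05 UTC [1234] app@appdb LOG:  AUDIT: SESSION,4,1,DDL,DROP TABLE,TABLE,public.audit_archive,DROP TABLE audit_archive,<not logged>
2024-06-01 10:00:06 UTC [1234] app@appdb LOG:  AUDIT: OBJECT,5,1,READ,SELECT,TABLE,public.salary,"SELECT name, pay FROM salary",<not logged>
"""

AUDIT_MARKER = "AUDIT: "
# Field order of a pgaudit record when pgaudit.log_rows is off.
AUDIT_FIELDS = [
    "audit_type", "statement_id", "substatement_id", "class", "command",
    "object_type", "object_name", "statement", "parameter",
]
HIGH_RISK_CLASSES = {"ROLE", "DDL"}  # assumed alerting policy for this example


def parse_pgaudit_line(line):
    """Return the audit record as a dict, or None for lines that are not pgaudit output.

    The record after "AUDIT: " is CSV: pgaudit quotes a field (e.g. the statement)
    when it contains a comma or quote, so csv.reader is used rather than str.split.
    """
    idx = line.find(AUDIT_MARKER)
    if idx < 0:
        return None
    payload = line[idx + len(AUDIT_MARKER):].rstrip("\n")
    row = next(csv.reader([payload]))
    if len(row) != len(AUDIT_FIELDS):
        return None  # e.g. log_rows=on adds a field; not handled here
    return dict(zip(AUDIT_FIELDS, row))


def audit_events(lines):
    """Parse every line and keep only genuine pgaudit records."""
    return [e for e in (parse_pgaudit_line(l) for l in lines) if e is not None]


def summarize_by_class(lines):
    """Count records per statement class (READ, WRITE, DDL, ROLE, ...)."""
    return Counter(e["class"] for e in audit_events(lines))


def high_risk_events(lines):
    """Records worth alerting on: privilege changes, schema changes, and any
    OBJECT audit hit, since those only fire for tables the audit role watches."""
    return [
        e for e in audit_events(lines)
        if e["class"] in HIGH_RISK_CLASSES or e["audit_type"] == "OBJECT"
    ]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per class:", dict(summarize_by_class(lines)))
    for e in high_risk_events(lines):
        print(f"{e['audit_type']:7} {e['class']:5} {e['command']:10} {e['object_name']:20} {e['statement']}")
```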

### Encrypt Sensitive Data

**Navigation**: RDS Console > Instances > Select Instance > Database Management > SQL Console

**Prerequisites**:
- An RDS instance running PostgreSQL 16
- Instance minor engine version 20250228 or later

1. Configure instance parameters
   - Element: **Running Parameter Value** (dropdown) — Instance Configuration section
   - Notes: Set rds_encdb.enable_encryption to 'on'

2. Connect to the database using a privileged account
   - Element: **SQL Console** (tab) — Database Management area
   - Notes: Use a superuser or admin account to run SQL statements

3. Run the CREATE EXTENSION statement
   - Element: **Run** (button) — Bottom of the SQL editor
   - Notes: Execute: CREATE EXTENSION rds_encdb;

4. Insert encryption rules into the metadata table
   - Element: **Run** (button) — Bottom of the SQL editor
   - Notes: Use INSERT INTO rds_encdb.encryption_rule with column ordinal numbers

5. Grant full access to an account with expiration
   - Element: **Run** (button) — Bottom of the SQL editor
   - Notes: Execute: SELECT rds_encdb.setup_encryption_role('test_user', 'FULL ACCESS', '2025-04-17 16:01:02.509447+00');

### Restrict RAM Permissions

**Navigation**: Console > RAM > Policies > Create Policy

**Prerequisites**:
- Access to the RAM console
- Knowledge of the target RAM user's username
- Understanding of the desired permission restrictions

1. Log on to the RAM console
   - Element: **RAM console** (link) — top navigation panel
   - Notes: 

2. Click the Create Policy button on the Policies page
   - Element: **Create Policy** (button) — top-right corner
   - Notes: 

3. Switch to the Code tab and enter the policy document in the code editor
   - Element: **Code** (tab) — main content area
   - Notes: The policy document can be found in the 'Code' column of the ApsaraDB RDS policy reference table.

4. Enter a name and description for the policy, confirm the content, and click OK
   - Element: **OK** (button) — bottom of dialog box
   - Notes: Policy name must be 1–128 characters long and contain only letters, digits, and hyphens.

5. Navigate to the Permissions section and create a new permission
   - Element: **Permissions** (menu) — left-side navigation pane
   - Notes: 

6. Select the scope of the permission (Alibaba Cloud Account or Resource Group)
   - Element: **Scope** (dropdown) — in the permission creation dialog
   - Notes: Resource Group requires service support for resource groups.

7. Select the RAM user to authorize
   - Element: **Principal** (text_input) — in the permission creation dialog
   - Notes: Enter the RAM username in the search box to find the target user.

8. Select Custom policy type
   - Element: **Custom** (radio) — in the policy list section
   - Notes: 

9. Find and select the created policy from the list
   - Element: **OK** (button) — in the policy selection dialog
   - Notes: Use the search box to locate the policy by name.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Policy Name | text | Yes | — | A unique name for the policy (1–128 characters, letters, digits, and hyphens only). |
| Description | text | No | — | Optional description of the policy's purpose. |
| Scope | dropdown | Yes | Alibaba Cloud Account, Resource Group | Defines the scope of the permissions granted by the policy. |
| Principal | text_input | Yes | — | The RAM user to whom the policy is applied. |

### Confidential Database

**Navigation**: RDS Instances > [Instance ID] > Parameters

**Prerequisites**:
- An RDS for MySQL instance running MySQL 5.7 or MySQL 8.0 with minor engine version 20240731 or later
- Java 1.8 or later installed

1. Go to the RDS Instances page and select the region where your instance resides, then click the instance ID.
   - Element: **RDS Instances** (link) — top navigation bar
   - Notes: 

2. In the left navigation pane, click Parameters, then go to the Modifiable Parameters tab.
   - Element: **Parameters** (menu) — left navigation panel
   - Notes: 

3. Search for loose_encdb and set its value to ON.
   - Element: **loose_encdb** (text_input) — parameter list
   - Notes: 

4. Click Apply Changes, select an effective period, and then click OK.
   - Element: **Apply Changes** (button) — top of the parameter table
   - Notes: Enabling the feature restarts the instance. Perform during off-peak hours.

### Column Encryption

**Navigation**: RDS Instances > [Instance ID] > Security > Column Encryption Rules

**Prerequisites**:
- The major version of your ApsaraDB RDS for MySQL instance is MySQL 5.7 or 8.0, and its minor engine version is 20240731 or later.
- The always-confidential feature is enabled.
- You must use a privileged account to configure a column encryption rule.

1. Go to the RDS Instances page and select a region. Click the ID of the target instance.
   - Element: **RDS Instances** (link) — top navigation bar
   - Notes: 

2. In the left-side navigation pane, click the Security tab.
   - Element: **Security** (menu) — left navigation panel
   - Notes: 

3. Click the Column Encryption Rules tab to configure role permissions and column encryption rules.
   - Element: **Column Encryption Rules** (tab) — main content area
   - Notes: 

4. Click the Role Permissions tab, find the role to manage, and click Configure Account to edit permissions.
   - Element: **Role Permissions** (tab) — main content area
   - Notes: 

5. On the Configure Account page, set the expiration time (for Super administrator only) and select database accounts or enter account names manually.
   - Element: **Configure Account** (button) — main content area
   - Notes: Permissions are additive. To revoke access, reassign the user to the Other administrators role.

6. Click the Column Encryption Rules tab, then click Add to create a new rule or Modify to edit an existing one.
   - Element: **Column Encryption Rules** (tab) — main content area
   - Notes: 

7. In the dialog box, enter a rule name (up to 30 characters), specify the scope of databases, tables, and columns to encrypt, and click OK.
   - Element: **Add** (button) — main content area
   - Notes: The rule name cannot be changed after creation.

8. To delete a rule, find it in the list and click Delete in the Actions column.
   - Element: **Delete** (button) — Actions column
   - Notes: 

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Expire Time | date | Yes | — | Available only for the Super administrator role. When the expiration date is reached, the account's permissions automatically revert to the default Other administrators role. |
| Related Accounts | dropdown | No | — | Select one or more existing database accounts from the drop-down list. |
| Account Name | text | No | — | Manually enter one or more database account names, separated by a comma (,). |
| Rule Name | text | Yes | — | The name of the encryption rule. The name can be up to 30 characters in length. The name cannot be changed after the rule is created. |
| Databases | dropdown | No | All databases, Include | The databases to which the rule applies. Can be all databases or specific ones entered as a comma-separated list. |
| Tables | dropdown | No | All data tables, Include | The tables to which the rule applies. Can be all tables within the specified scope or specific ones entered as a comma-separated list. |
| Columns | dropdown | No | All data columns, Include | The columns to which the rule applies. Can be all columns within the specified scope or specific ones entered as a comma-separated list. |

### Transparent Data Encryption

**Navigation**: Console > Database > RDS > [Instance] > Security > TDE

**Prerequisites**:
- ApsaraDB RDS instance with MySQL 8.0, 5.7, or 5.6 engine version 20191015 or later
- High-availability Edition or Cluster Edition
- Key Management Service (KMS) activated
- Authorization to allow ApsaraDB RDS to access KMS

1. Click the Security tab in the left-side navigation pane
   - Element: **Security** (menu) — left-side navigation pane
   - Notes: 

2. Click the TDE tab
   - Element: **TDE** (tab) — top navigation panel
   - Notes: 

3. Turn on the TDE Status switch
   - Element: **TDE Status** (toggle) — TDE section
   - Notes: 

4. Select a key type: either use a service key from KMS or select an existing CMK
   - Element: **KMS Key** (radio) — TDE section
   - Notes: Only symmetric keys are supported. If no key is available, click 'Go to create keys' to navigate to the KMS console.

5. Click OK to enable TDE
   - Element: **OK** (button) — bottom of the dialog
   - Notes: 

### Disk Encryption

**Navigation**: Console > RDS > Instances > [Instance ID] > Security > Data Encryption

**Prerequisites**:
- The instance must use ESSD or Standard SSD storage type
- The primary instance must not have attached read-only instances
- ApsaraDB RDS must be authorized to access Key Management Service (KMS)
- For paid keys: KMS payments must be up to date

1. Go to the Instances page and select the region
   - Element: **Instances** (link) — top navigation bar
   - Notes: 

2. Click the instance ID to open its details page
   - Element: **[Instance ID]** (link) — main content area
   - Notes: 

3. Click the Security tab in the left-side navigation pane
   - Element: **Security** (tab) — left-side navigation panel
   - Notes: 

4. Click the Enable Disk Encryption button on the Data Encryption tab
   - Element: **Enable Disk Encryption** (button) — main content area
   - Notes: 

5. Select a key from the dropdown list and click OK
   - Element: **OK** (button) — dialog box
   - Notes: For default service key: select 'Default Service CMK'. For user-created keys: select from the list or create a new one via 'Create Key' link.

6. Wait for the instance status to return to Running and verify encryption information appears
   - Element: **Running** (status) — instance status display
   - Notes: Encryption information confirms successful enablement.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Encryption Key | dropdown | Yes | Default Service CMK, Customer Master Key (CMK), Software-protected key, Hardware-protected key | Select the KMS key to use for disk encryption. Default service key is free; others may incur charges. |

### Sensitive Data Protection

**Navigation**: Console > RDS > Instance Details > Security > Sensitive Data Protection

**Prerequisites**:
- DMS service must be enabled
- Database account and password for the target instance

1. Click on the Security section in the left navigation pane
   - Element: **Security** (menu) — left navigation panel
   - Notes: 

2. Click the Sensitive Data Protection tab
   - Element: **Sensitive Data Protection** (tab) — main content area
   - Notes: If the Enable with One Click button is not displayed, the DMS service is not enabled.

3. Click Enable with One Click if available
   - Element: **Enable with One Click** (button) — main content area
   - Notes: If the button is not visible, click 'Log on to Database' in the upper-right corner and refresh the page.

4. Review billing details and click Enable in the Enable Sensitive Data Protection window
   - Element: **Enable** (button) — center of the modal dialog
   - Notes: 

5. After page refresh, click Account Authorization
   - Element: **Account Authorization** (button) — main content area
   - Notes: 

6. Enter the database account and password, then click Authorize
   - Element: **Authorize** (button) — Authorization page
   - Notes: The database account and password are required for the target RDS instance.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Database Account | text_input | Yes | — | The username for the database instance used to connect and authorize access. |
| Database Password | text_input | Yes | — | The password for the database account used to connect and authorize access. |

### Security Best Practices

**Navigation**: Console > RDS > Instances > Configure Security Settings

**Prerequisites**:
- An existing ApsaraDB RDS instance
- Access to the Alibaba Cloud console
- Permissions to configure instance settings and RAM policies

1. Select RDS Enterprise Edition when creating a new instance
   - Element: **RDS Enterprise Edition** (radio) — Instance Type selection panel
   - Notes: 

2. Enable multi-zone deployment during instance creation
   - Element: **Multi-zone deployment** (checkbox) — Deployment Options section
   - Notes: 

3. Configure cross-region disaster recovery using DTS
   - Element: **Create Disaster Recovery Instance** (button) — Actions menu
   - Notes: Requires a secondary region with DTS support

4. Enable cross-region backup feature
   - Element: **Cross-region Backup** (toggle) — Backup Settings tab
   - Notes: Backup files are stored in OSS in a different region

5. Assign RAM users with least-privilege permissions
   - Element: **Use RAM for resource authorization** (link) — Security section
   - Notes: Follow the principle of least privilege

6. Set up IP address whitelist for the instance
   - Element: **Add IP Address** (button) — Security Settings tab
   - Notes: Only listed IPs can connect to the instance

7. Enable SSL encryption and install CA certificate
   - Element: **Configure SSL Encryption** (button) — Connection Settings
   - Notes: Required for secure Internet connections

8. Enable Transparent Data Encryption (TDE)
   - Element: **Enable TDE** (toggle) — Encryption Settings
   - Notes: No application changes required

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Instance Type | dropdown | Yes | Basic Edition, High-availability Edition, Enterprise Edition | Selects the edition of the RDS instance based on reliability and performance needs |
| Deployment Mode | dropdown | Yes | Single Zone, Multi-zone | Determines whether the instance spans multiple availability zones for higher availability |
| Cross-region Backup | toggle | No | — | Enables automatic replication of backup files to another region |
| Disk Encryption | toggle | No | — | Encrypts the entire data disk at rest; enabled by default for cloud disks |

### Enable Column Encryption

**Navigation**: Data Security Center Console > Asset Center > Database Asset Management

**Prerequisites**:
- Instance runs ApsaraDB RDS for PostgreSQL 16 with minor engine version 20250228 or later
- Instance is in a supported region

1. Log on to the Data Security Center console
   - Element: **Log on to the Data Security Center console** (link) — top navigation bar
   - Notes: 

2. Grant DSC access to cloud resources
   - Element: **In the RAM Authorize dialog box, click Immediately Authorize** (button) — center of the screen
   - Notes: If the dialog box does not appear, access has already been granted.

3. Authorize database assets
   - Element: **Asset Center** (menu) — left-side navigation pane
   - Notes: 

4. Click Authorization Management on the Asset Center tab
   - Element: **Authorization Management** (button) — top of the Asset Center tab
   - Notes: 

5. Select the data asset type and click Synchronize Assets
   - Element: **Synchronize Assets** (button) — left product navigation pane
   - Notes: After purchase, DSC synchronizes assets automatically and repeats the sync daily at midnight; click Synchronize Assets to sync manually after new assets are added.

6. Click Authorize in the Actions column of the target asset
   - Element: **Authorize** (button) — Actions column
   - Notes: 

7. Connect to the database and run identification task
   - Element: **Account** (button) — Actions column of the target asset instance
   - Notes: 

8. Click Add Credential in the Account panel
   - Element: **Add Credential** (button) — Actions column of the target database
   - Notes: 

9. Configure credential details and click OK
   - Element: **OK** (button) — bottom of the Add Credential dialog box
   - Notes: If no credential exists, create one by filling in name, username, password, and type.

10. Enable column encryption
    - Element: **One-click Configure** (button) — above the database instance list
    - Notes: Only available if the check status shows 'Pass'.

11. Select database, table, and columns to encrypt
    - Element: **OK** (button) — bottom of the Configuration panel
    - Notes: Choose AES-256-GCM algorithm and local encryption method.

12. Modify column scope by enabling/disabling encryption for specific columns
    - Element: **Open** (button) — next to the target column
    - Notes: 

13. Modify account permissions
    - Element: **Access Setting** (tab) — top of the page
    - Notes: 

14. Click Modify Permissions in the Actions column of the target account
    - Element: **Modify Permissions** (button) — Actions column
    - Notes: 

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Credential Name | text | Yes | — | The name of the database credential used for connection. |
| Username | text | Yes | — | The database user account for authentication. |
| Password | password | Yes | — | The password for the database user account. |
| Type | dropdown | Yes | PostgreSQL, MySQL, Oracle | The type of database being connected. |

## Frequently Asked Questions

Q: Where can I find the SSL encryption settings for my RDS instance?
A: Navigate to Console > RDS > Instances > Select Instance > Security Settings > SSL Encryption. The SSL toggle switch is located in the SSL Encryption section.

Q: What happens if I leave the IP whitelist empty or set it to 0.0.0.0/0?
A: An empty whitelist blocks all connections (the console's default entry, 127.0.0.1, has the same effect, so nothing can connect until you add your own addresses). Setting it to 0.0.0.0/0 allows access from any IP address that can reach the endpoint, which for a public endpoint means the entire Internet, leaving the account password as the only remaining control. This is not acceptable for production environments; list only the hosts or application subnets that need access.
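A whitelist review is easy to automate, and the cases in the answer above (the loopback default, 0.0.0.0/0, an accidental /8) are exactly what to look for. The block below is an added example, not code from the ApsaraDB RDS documentation; `SAMPLE_WHITELIST` is constructed from RFC 5737 documentation ranges and is not a real whitelist, and the /24 and /64 warning thresholds are a policy choice, not a product limit.

```python
"""Flag RDS IP whitelist entries that are wider than intended.

Added example, not from the ApsaraDB RDS documentation. SAMPLE_WHITELIST is
constructed from RFC 5737 documentation ranges plus the cases the FAQ above
describes; it is not a real whitelist.
"""
import ipaddress

SEVERITY_ORDER = ["ok", "info", "warn", "error", "critical"]
MAX_V4_PREFIX_WITHOUT_WARNING = 24   # broader than a /24 draws a warning (policy choice)
MAX_V6_PREFIX_WITHOUT_WARNING = 64

SAMPLE_WHITELIST = [
    "127.0.0.1",        # console default: admits no remote client
    "0.0.0.0/0",        # the FAQ's worst case
    "10.0.0.0/8",       # a whole private range, far more than one application subnet
    "192.0.2.10",       # single host
    "198.51.100.0/24",  # one application subnet
    "203.0.113.500",    # typo: not an address at all
]


def classify_entry(entry: str) -> tuple:
    """Return (severity, reason) for one whitelist entry."""
    try:
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return "error", "not a valid IP address or CIDR block"
    if net.prefixlen == 0:
        return "critical", "0.0.0.0/0 or ::/0 admits every address that can reach the endpoint"
    if net.is_loopback:
        return "info", "loopback placeholder: no remote client can connect"
    limit = MAX_V4_PREFIX_WITHOUT_WARNING if net.version == 4 else MAX_V6_PREFIX_WITHOUT_WARNING
    if net.prefixlen < limit:
        return "warn", f"/{net.prefixlen} covers {net.num_addresses} addresses"
    return "ok", "single host or small subnet"


def review_whitelist(entries) -> dict:
    """Map each entry to its (severity, reason)."""
    return {e: classify_entry(e) for e in entries}


def worst_severity(entries) -> str:
    """Overall verdict: the highest severity among all entries ('ok' when empty)."""
    severities = [classify_entry(e)[0] for e in entries]
    return max(severities, key=SEVERITY_ORDER.index, default="ok")


def is_effectively_closed(entries) -> bool:
    """True when nothing can connect: empty, or only loopback/malformed entries."""
    return all(classify_entry(e)[0] in ("info", "error") for e in entries)


if __name__ == "__main__":
    for entry, (severity, reason) in review_whitelist(SAMPLE_WHITELIST).items():
        print(f"{severity:8} {entry:18} {reason}")
    print("verdict:", worst_severity(SAMPLE_WHITELIST))
```

Feed it the comma-separated list copied from the console's whitelist group; a `critical` verdict means a 0.0.0.0/0 entry is present, and `is_effectively_closed` confirms the "nothing can connect" state the answer describes for an empty or default-only list.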

Q: Can I modify the whitelist mode after creating an RDS instance?
A: Yes, you can switch from standard whitelist mode to enhanced whitelist mode through the console, but this operation is irreversible. Enhanced whitelist mode separates IP address whitelists by network type (VPC or classic network).

Q: What permissions do I need to configure security settings for RDS instances?
A: You need sufficient RAM permissions to modify instance security settings. For advanced configurations like identity-based policies, you must be assigned a role with administrative privileges.

Q: How do I verify that disk encryption is enabled on my RDS instance?
A: Open the instance details page and check the Basic Information section. When disk encryption is enabled, whether at instance creation or later from Security > Data Encryption, the encryption information (the KMS key in use) is displayed there; if no encryption information is shown, the disk is not encrypted.

## Pricing & Billing

### Billing Model
Identity-based policies are free to create and manage. SSL encryption is provided at no additional cost. Disk encryption feature is free of charge. The SQL Audit feature is charged per hour based on usage.

### Price Reference (SQL Audit, per GB of audit logs per hour)
| Region | Price |
|-------------|-------|
| China (Hong Kong), Singapore | 0.0122 per GB per hour (currency not stated) |
| Other regions (China) | 0.008 per GB per hour (currency not stated) |
| US (Silicon Valley), US (Virginia) | USD 0.15 per GB per hour |
| Singapore, Japan (Tokyo), Germany (Frankfurt), UAE (Dubai), Australia (Sydney), Malaysia (Kuala Lumpur), India (Mumbai) Closing Down, Indonesia (Jakarta), UK (London) | USD 0.18 per GB per hour |
| All other regions | USD 0.12 per GB per hour |

### Free Tier
Identity-based policies, SSL encryption, and disk encryption are free of charge.

### Billing Notes
No charges apply for creating or managing identity-based policies in ApsaraDB RDS. SSL encryption is included in all RDS instance types and does not incur extra charges. The SQL Audit feature is charged per hour based on usage. After upgrading to SQL Explorer and Audit, billing switches to DAS Enterprise Edition. Auto-renewal is enabled by default when enabling the feature. Disabling the feature deletes all historical audit logs and prevents export.