The BestPracticesForPolarDB compliance package checks whether each PolarDB cluster uses a stable kernel version and is appropriately configured, and whether risks exist for items such as backup settings, Internet access and whitelist settings, instance renewal and expiration, and change management. This helps you use PolarDB clusters in a proper manner and ensures the stability and security of your PolarDB clusters. This topic describes the default rules that are provided in the BestPracticesForPolarDB compliance package.
Rule name | Rule description |
If the kernel version of each PolarDB cluster is not included in the version list specified by the parameter, the evaluation result is considered compliant. By default, the parameter specifies a list of kernel versions with potential stability risks. This rule applies only to PolarDB clusters that use the MySQL database engine. | |
If you use subscription PolarDB clusters, you must renew the clusters before they expire. This prevents your instances from being stopped due to expired resources. If the duration between the expiration date and the check date of each PolarDB cluster is greater than the specified number of days, the evaluation result is Compliant. Default period: 30 days. If the auto-renewal feature is enabled for each subscription PolarDB cluster, the evaluation result is considered compliant. This rule does not apply to pay-as-you-go PolarDB clusters. | |
If the SQL Explorer and Audit feature is enabled for each PolarDB cluster, the evaluation result is considered compliant. | |
If the edition of each PolarDB cluster is Cluster Edition or Multi-master Cluster Edition, the evaluation result is considered compliant. Proceed with caution when you use Single Node Edition. This edition provides slow failovers. | |
If the maintenance period of each PolarDB cluster matches one of the specified time ranges, the evaluation result is considered compliant. If the peak hours of your business overlap with the maintenance period, your business may be affected. | |
If the deletion protection feature is enabled for each PolarDB cluster, the evaluation result is considered compliant. This rule does not apply to subscription PolarDB clusters. | |
If Internet access is enabled for a PolarDB cluster and traffic is allowed from any IP address, the evaluation result is considered non-compliant. | |
If the retention period of the level-2 backups of each PolarDB cluster is no less than the specified number of days, the evaluation result is considered compliant. Default period: 30 days. If the level-2 backup feature is disabled for a PolarDB cluster or the backup retention period is less than the specified number of days, the evaluation result is considered non-compliant. | |
If the retention period for the level-1 backups of each PolarDB cluster is no less than the specified number of days, the evaluation result is considered compliant. Default period: 30 days. If the log backup feature is disabled for a PolarDB cluster or the backup retention period is less than the specified number of days, the evaluation result is considered non-compliant. | |
If the default_time_zone parameter of each PolarDB cluster is not set to SYSTEM, the evaluation result is considered compliant. We recommend that you specify a valid time zone for each PolarDB cluster. |
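
The following is an added example, not code from Cloud Config or the PolarDB API. It sketches how the Internet access, expiration, and level-2 backup rules above evaluate a cluster, including the 30-day boundary and the pay-as-you-go exemption. The dictionary field names, the result strings, and the treatment of a zero-length prefix such as `0.0.0.0/0` as "any IP address" are assumptions made for illustration.

```python
from datetime import date
from ipaddress import ip_network

# All field names below are hypothetical, not the Cloud Config or PolarDB schema.
def open_to_any(whitelist):
    """True if an entry is a zero-length prefix (assumed to mean any IP address)."""
    for entry in whitelist:
        try:
            if ip_network(entry.strip(), strict=False).prefixlen == 0:
                return True
        except ValueError:
            continue  # not an IP or CIDR entry; ignored in this sketch
    return False

def check_public_access(c):
    # Non-compliant only when both conditions hold; other cases assumed compliant.
    bad = c["internet_enabled"] and open_to_any(c["whitelist"])
    return "NON_COMPLIANT" if bad else "COMPLIANT"

def check_expiration(c, today, days=30):
    if c["pay_type"] != "subscription":
        return "NOT_APPLICABLE"  # rule does not apply to pay-as-you-go
    if c["auto_renew"] or (c["expire_date"] - today).days > days:
        return "COMPLIANT"
    return "NON_COMPLIANT"

def check_level2_backup(c, days=30):
    r = c["level2_retention_days"]  # None means level-2 backup is disabled
    return "COMPLIANT" if r is not None and r >= days else "NON_COMPLIANT"

def evaluate(c, today):
    return {
        "public_access": check_public_access(c),
        "expiration": check_expiration(c, today),
        "level2_backup": check_level2_backup(c),
    }

# Constructed sample data.
TODAY = date(2024, 1, 1)
CLUSTER_A = {"internet_enabled": True, "whitelist": ["10.0.0.0/8", "0.0.0.0/0"],
             "pay_type": "subscription", "auto_renew": False,
             "expire_date": date(2024, 1, 31), "level2_retention_days": None}
CLUSTER_B = {"internet_enabled": True, "whitelist": ["203.0.113.0/24"],
             "pay_type": "pay-as-you-go", "level2_retention_days": 30}

if __name__ == "__main__":
    for name, c in (("A", CLUSTER_A), ("B", CLUSTER_B)):
        print(name, evaluate(c, TODAY))
```

Cluster A expires exactly 30 days after the check date, which is not greater than the 30-day default, so it fails the expiration rule unless auto-renewal is enabled.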