
Data Security Center: Authorize DSC to access databases

Last Updated: Sep 26, 2024

After you purchase Data Security Center (DSC), you must authorize DSC to access Alibaba Cloud services such as ApsaraDB RDS and PolarDB before you use DSC to detect sensitive data or audit database activities in Alibaba Cloud services.

Supported databases

DSC can provide data security capabilities only for database assets on Alibaba Cloud. For more information, see Supported database types.

This topic describes how to authorize DSC to access ApsaraDB RDS and connect DSC to databases on ApsaraDB RDS instances. You can refer to this topic for the following types of databases: ApsaraDB RDS, PolarDB, PolarDB for Xscale (PolarDB-X), PolarDB-X 2.0, ApsaraDB for Redis, ApsaraDB for MongoDB, ApsaraDB for OceanBase, Tablestore, AnalyticDB for MySQL, and AnalyticDB for PostgreSQL. For more information about the other types of databases, see the following topics:

Prerequisites

Step 1: Authorize DSC to access ApsaraDB RDS

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Asset Center > Authorization Management.

  3. On the Authorization Management tab, click Asset Authorization Management.

  4. In the left-side pane of the Asset Authorization Management panel, click RDS.

  5. Optional. In the Asset Authorization Management panel, click Asset synchronization.

    The first time you log on to DSC, DSC automatically synchronizes assets in the cloud. DSC scans for new assets at 00:00 every day and automatically synchronizes the new assets to unauthorized asset lists. If you want to authorize DSC to access the assets that are created on the current day, you must manually synchronize the assets.

  6. Find the required asset and click Authorization in the Actions column.

    If you want to authorize DSC to access multiple assets, select the assets and click Batch Authorize.

Step 2: Connect DSC to a database

Database connection mode

DSC collects and analyzes data stored in databases and database activities to provide data classification, data audit, security posture monitoring, and data de-identification capabilities. To provide these capabilities, DSC must connect to databases. DSC supports one-click connection and account-based connection modes.

| Connection mode | Description | Supported asset type |
| --- | --- | --- |
| One-click connection | On the Authorization Management tab, click Connect. If you click Connect for a database on the Authorization Management tab, DSC creates a read-only account for the database and uses the read-only account to connect to the database to run data identification tasks. You cannot store de-identified data in the database. | ApsaraDB RDS, PolarDB, PolarDB-X (formerly known as DRDS), ApsaraDB for Redis, Object Storage Service (OSS), Tablestore, and MaxCompute |
| Account-based connection | Enter an account including the username and password. If you use a read-only account to connect to a database, you can perform sensitive data identification, de-identification, and audit tasks on the database. You cannot store de-identified data in the database. If you use an account that has read and write permissions to connect to a database, you can store de-identified data in the database. | Structured data: ApsaraDB RDS, PolarDB, PolarDB-X, PolarDB-X 2.0, ApsaraDB for MongoDB, ApsaraDB for OceanBase, and self-managed databases. Big data: AnalyticDB for MySQL and AnalyticDB for PostgreSQL |

You can select a connection mode based on the preceding table and data security requirements.

  • If a database supports one-click connection and you do not need to use the database as the destination database of a de-identification task, we recommend that you use the one-click connection mode.

  • If you want to use a database as the destination database of a de-identification task, use the account-based connection mode and use an account that has read and write permissions to connect to the database.

The following section uses an ApsaraDB RDS instance as an example to describe the one-click connection and account-based connection modes.

One-click connection

After you connect DSC to a database by using the one-click connection mode, DSC creates and immediately runs a default data identification task. The task reads data from the database, which degrades the read performance of the database. We recommend that you perform one-click connection operations during off-peak hours.

  1. Go to the Authorization Management page, find the database that you want to manage, and then click Connect in the Actions column.

    • The first time you connect to a database on an instance, DSC creates a whitelist named ali_sddp_group for the instance. This allows DSC to obtain information about the databases on the instance. The whitelist contains IP addresses that are used by DSC. The IP addresses vary based on the region.

    • DSC creates a read-only account for the database on the instance. The account prefix is sddp_auto.

  2. Click the expand icon next to the instance to view the connection status and feature status of the database.

Account-based connection

We recommend that you use an independent database account based on the principle of least privilege. Do not use a business account or an account that has the highest permissions.
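
Added example (not part of the original documentation and not Alibaba Cloud code): one way to check, before you enter a credential in DSC, that a MySQL-compatible account is read-only or read/write on specific schemas rather than a business or highest-permission account. The account names, schema names, sample SHOW GRANTS lines, and the rule that instance-wide grants are flagged are assumptions of this example.

```python
import re

# MySQL privilege names. Policy below is this example's assumption, not DSC's.
READ_ONLY = {"SELECT", "SHOW VIEW", "USAGE"}
WRITE = {"INSERT", "UPDATE", "DELETE"}  # enough to store de-identified rows
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<rest>.+)$", re.IGNORECASE)

def audit_grants(show_grants_lines):
    """Classify one account from its SHOW GRANTS output.

    Returns (mode, findings). mode is 'read-only', 'read-write' or
    'over-privileged'. Anything unrecognised (including column-level
    grants) is reported as a finding, so the check fails closed.
    """
    seen, findings = set(), []
    for line in show_grants_lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            findings.append(f"unparsed: {line.strip()}")
            continue
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        seen |= privs
        extra = privs - READ_ONLY - WRITE
        if extra:
            findings.append(f"{m['scope']}: beyond read/write: {sorted(extra)}")
        if m["scope"] == "*.*" and privs - {"USAGE"}:
            findings.append(f"{m['scope']}: instance-wide grant: {sorted(privs)}")
        if "WITH GRANT OPTION" in m["rest"].upper():
            findings.append(f"{m['scope']}: WITH GRANT OPTION")
    if findings:
        return "over-privileged", findings
    return ("read-write" if seen & WRITE else "read-only"), findings

# Constructed SHOW GRANTS output; account and schema names are hypothetical.
SAMPLES = {
    "dsc_ro": ["GRANT USAGE ON *.* TO `dsc_ro`@`%`",
               "GRANT SELECT, SHOW VIEW ON `appdb`.* TO `dsc_ro`@`%`"],
    "dsc_rw": ["GRANT USAGE ON *.* TO `dsc_rw`@`%`",
               "GRANT SELECT ON `appdb`.* TO `dsc_rw`@`%`",
               "GRANT SELECT, INSERT, UPDATE, DELETE ON `masked`.* TO `dsc_rw`@`%`"],
    "app_admin": ["GRANT ALL PRIVILEGES ON *.* TO `app_admin`@`%` WITH GRANT OPTION"],
}

if __name__ == "__main__":
    for account, lines in SAMPLES.items():
        print(account, *audit_grants(lines))
```

An account reported as read-only fits identification and audit tasks; only an account reported as read-write can serve as the destination of a de-identification task.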

  1. Go to the Authorization Management page, find the instance that you want to manage, and then click Account Logon in the Actions column.

  2. In the Account Logon panel, find the database that you want to connect and click Add Credential in the Actions column.

  3. In the Add Credential dialog box, select or clear the Scan assets and identify sensitive data now check box, and then click OK.

    • For more information about credential management, see Credential management.

    • If you connect DSC to a database during off-peak hours, you can select the Immediately scan database assets and identify data check box. Otherwise, clear the check box. If you clear the check box, DSC creates a default data identification task and runs the task at 00:00 the next day.

    The first time you connect to a database on an instance, DSC creates a whitelist named ali_sddp_group for the instance. This allows DSC to obtain information about the databases on the instance. The whitelist contains IP addresses that are used by DSC. The IP addresses vary based on the region.

  4. Click the expand icon next to the instance to view the connection status and feature status of the database.

What to do next

After you connect DSC to a database, DSC automatically creates a default data identification task.

  • If you click Connect on the Authorization Management page and select the Immediately scan database assets and identify data check box, DSC immediately runs the default data identification task.

  • If you click Connect on the Authorization Management page and clear the Immediately scan database assets and identify data check box, you must manually execute the default data identification task. To execute the task, choose Data Insights > Tasks. On the Identification Tasks tab, click Default Tasks, find the task, and then click Rescan.

    Note

    Only DSC Enterprise Edition supports the rescan operation. DSC Basic Edition does not support the rescan operation.

The system automatically uses the main identification template and the common identification template to scan the connected assets. By default, the main identification template is the Internet industry classification template. You can check the status of a data identification task to view the completion time of the data identification task.

  1. View the completion time of the default data identification task. For more information, see View default identification task.

  2. View data identification results. For more information, see View sensitive data identification results.

References