After you purchase Data Security Center (DSC), you must authorize DSC to access Alibaba Cloud services such as ApsaraDB RDS and PolarDB before you use DSC to detect sensitive data or audit database activities in Alibaba Cloud services.
Supported databases
DSC can provide data security capabilities only for database assets on Alibaba Cloud. For more information, see Supported database types.
This topic describes how to authorize DSC to access ApsaraDB RDS and connect DSC to databases on ApsaraDB RDS instances. You can refer to this topic for the following types of databases: ApsaraDB RDS, PolarDB, PolarDB for Xscale (PolarDB-X), PolarDB-X 2.0, ApsaraDB for Redis, ApsaraDB for MongoDB, ApsaraDB for OceanBase, Tablestore, AnalyticDB for MySQL, and AnalyticDB for PostgreSQL. For more information about the other types of databases, see the following topics:
Prerequisites
The free edition of DSC is activated or a paid edition of DSC is purchased. For more information, see Activate the free edition of DSC or Purchase DSC.
DSC is authorized to access cloud services. For more information, see Authorize DSC to access Alibaba Cloud resources.
Step 1: Authorize DSC to access ApsaraDB RDS
Log on to the DSC console.
In the left-side navigation pane, choose
.On the Authorization Management tab, click Asset Authorization Management.
In the left-side pane of the Asset Authorization Management panel, click RDS.
Optional. In the Asset Authorization Management panel, click Asset synchronization.
The first time you log on to DSC, DSC automatically synchronizes assets in the cloud. DSC scans for new assets at 00:00 every day and automatically synchronizes the new assets to unauthorized asset lists. If you want to authorize DSC to access the assets that are created on the current day, you must manually synchronize the assets.
Find the required asset and click Authorization in the Actions column.
If you want to authorize DSC to access multiple assets, select the assets and click Batch Authorize.
Step 2: Connect DSC to a database
Database connection mode
DSC collects and analyzes data stored in databases and database activities to provide data classification, data audit, security posture monitoring, and data de-identification capabilities. To provide these capabilities, DSC must connect to databases. DSC supports one-click connection and account-based connection modes.
Connection mode | Description | Supported asset type |
One-click connection | On the Authorization Management tab, click Connect. If you click Connect for a database on the Authorization Management tab, DSC creates a read-only account for the database and uses the read-only account to connect to the database to run data identification tasks. You cannot store de-identified data in the database. | ApsaraDB RDS, PolarDB, PolarDB-X (formerly known as DRDS), ApsaraDB for Redis, Object Storage Service (OSS), Tablestore, and MaxCompute |
Account-based connection | Enter an account including the username and password.
|
|
You can select a connection mode based on the preceding table and data security requirements.
If a database supports one-click connection and you do not need to use the database as the destination database of a de-identification task, we recommend that you use the one-click connection mode.
If you want to use a database as the destination database of a de-identification task, use the account-based connection mode and use an account that has read and write permissions to connect to the database.
The following section uses an ApsaraDB RDS instance as an example to describe the one-click connection and account-based connection modes.
One-click connection
After you connect DSC to a database by using the one-click connection mode, DSC creates and immediately runs a default data identification task. The task reads data from the database, which degrades the read performance of the database. We recommend that you perform one-click connection operations during off-peak hours.
Go the Authorization Management page, find the database that you want to manage, and then click Connect in the Actions column.
The first time you connect to a database on an instance, DSC creates a whitelist named ali_sddp_group for the instance. This allows DSC to obtain information about the databases on the instance. The whitelist contains IP addresses that are used by DSC. The IP addresses vary based on the region.
DSC creates a read-only account for the database on the instance. The account prefix is sddp_auto.
Click the icon next to the instance to view the connection status and feature status of the database.
Account-based connection
We recommend that you use an independent database account based on the principle of least privilege. Do not use a business account or an account that has the highest permissions.
Go the Authorization Management page, find the instance that you want to manage, and then click Account Logon in the Actions column.
In the Account Logon panel, find the database that you want to connect and click Add Credential in the Actions column.
In the Add Credential dialog box, select or clear Scan assets and identify sensitive data now., and click OK.
For more information about credential management, see Credential management.
If you connect DSC to a database during off-peak hours, you can select the Immediately scan database assets and identify data check box. Otherwise, clear the check box. If you clear the check box, DSC creates a default data identification task and runs the task at 00:00 the next day.
The first time you connect to a database on an instance, DSC creates a whitelist named ali_sddp_group for the instance. This allows DSC to obtain information about the databases on the instance. The whitelist contains IP addresses that are used by DSC. The IP addresses vary based on the region.
Click the icon next to the instance to view the connection status and feature status of the database.
What to do next
After you connect DSC to a database, DSC automatically creates a default data identification task.
If you click Connect on the Authorization Management page and select Immediately scan database assets and identify data., DSC immediately runs the default data identification task.
If you click Connect on the Authorization Management page and clear Immediately scan database assets and identify data., you must manually execute the default data identification task. To execute the task, choose
page. On the Identification Tasks tab, click Default Tasks, find the task, and then click Rescan.NoteOnly DSC Enterprise Edition supports the rescan operation. DSC Basic Edition does not support the rescan operation.
The system automatically uses the main identification template and the common identification template to scan the connected assets. By default, the main identification template is the Internet industry classification template. You can check the status of a data identification task to view the completion time of the data identification task.
View the completion time of the default data identification task. For more information, see View default identification task.
View data identification results. For more information, see View sensitive data identification results.