Data Security Center (DSC) provides the whitelist feature, which allows you to add trusted accounts and IP addresses in your data assets to a whitelist. DSC does not generate audit alerts for data assets whose accounts or IP addresses are added to the whitelist. This helps reduce invalid alerts. This topic describes how to create, modify, and delete a whitelist.
Prerequisites
DSC is authorized to access the data assets for which you want to create whitelists. The whitelist feature supports only authorized data assets.
For more information about the authorization for ApsaraDB RDS, PolarDB, PolarDB for Xscale, ApsaraDB for OceanBase, Tablestore, AnalyticDB for MySQL, and AnalyticDB for PostgreSQL, see Authorize DSC to access databases.
For more information about the authorization for Object Storage Service (OSS), see Authorize DSC to access unstructured data in OSS and Simple Log Service.
For more information about the authorization for MaxCompute, see Authorize DSC to access MaxCompute.
Background information
DSC generates audit alerts for risk activities on authorized data assets. By default, built-in audit alert rules for data assets are enabled.
Built-in audit alert rules are classified into the following types: abnormal operation rules, data leak rules, vulnerability attack rules, SQL injection rules, and risk operation rules. You can also create and enable a custom audit alert rule. For more information, see Configure and enable audit alert rules.
If you confirm that the database operations performed from an IP address or by an account are legitimate, you can create a whitelist and add the IP address or account to it. If an event matches the whitelist in subsequent detections, DSC no longer generates alerts for the operations in databases or OSS that would otherwise trigger the audit alert rule.
If you add an audit alert to a whitelist, the accounts and IP addresses contained in the audit alert are displayed in the list of whitelists. The name of the whitelist is in the Alert generation time + Name of the audit alert rule format. Example: 2024-05-21 20:58:09 OSS rule test. For more information, see View and handle audit alerts.
Limits
When you create a whitelist, take note of the following items:
You can select only one asset type.
You must specify at least one account, IP address, or CIDR block.
The total number of IP addresses and CIDR blocks cannot exceed 10. The total number of accounts cannot exceed 10.
If you specify multiple instances and accounts, the logical relationship among the instances or accounts is OR, and the logical relationship between the instances and accounts is AND. For example, you add Instance A, Instance B, Account A, and Account B to a whitelist. The system performs matching based on the following rule: Instance A or Instance B, and Account A or Account B.
Description
After you create, modify, or delete a whitelist, the operation takes effect on audit and exception alerts within 1 minute.
Create a whitelist
If you do not need DSC to audit operations performed from specific IP addresses or CIDR blocks, or by specific accounts, you can add them to a whitelist. Because a whitelist suppresses alerts for every operation it matches, scope each entry as narrowly as possible: prefer a single account or host over a broad CIDR block, and combine an IP entry with the instances and accounts it is actually used with.
Log on to the DSC console.
On the System Settings page, click the Whitelist tab.
On the Whitelist page, click Add Entry.
In the Add Entry panel, configure the parameters and click OK.
Parameter
Description
Rule Name
Enter a whitelist name. We recommend that you enter a name that can help you identify the whitelist. The value can be up to 100 characters in length.
IP
Enter the IP addresses or CIDR blocks that you want to add to the whitelist.
The total number of IP addresses or CIDR blocks cannot exceed 10. Separate multiple IP addresses or CIDR blocks with line feeds or commas (,).
Data Assets
Select an asset type and then select asset-related information such as ApsaraDB RDS instances, databases, table names, and accounts.
You can select multiple instances and accounts. You can click the Account drop-down list and click Add Account at the end of the list to add custom accounts.
Action Type
By default, all action types are displayed. You can select one or more action types for the specified data assets based on your business requirements.
After you create the whitelist, you can search for and view the whitelist by asset type, account, IP address, or instance name in the list of whitelists.
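The following Python script is an added example, not DSC code. It models the matching rule stated under Limits (instances OR-ed, accounts OR-ed, the two groups AND-ed) together with the IP field format described above, so you can replay audit events against a proposed whitelist and see which alerts it would suppress before you create it in the console. It assumes that the IP list is AND-ed with the instance and account criteria, which this page does not state; the whitelist and the audit events are constructed sample data, and the instance and account names are hypothetical.

```python
"""Local model of the DSC whitelist matching rule (added example, not DSC code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_IP_ENTRIES = 10   # page: IP addresses + CIDR blocks per whitelist
MAX_ACCOUNTS = 10     # page: accounts per whitelist
MAX_NAME_LEN = 100    # page: Rule Name length


def parse_ip_field(text: str) -> list:
    """Parse the console's IP field: entries separated by commas or line feeds.

    Strict parsing rejects a block with host bits set (e.g. 10.0.1.5/24);
    that is almost always a typo, and accepting it would silently widen the
    whitelist to the whole /24.
    """
    entries = [e.strip() for e in text.replace("\r", "").replace("\n", ",").split(",")]
    entries = [e for e in entries if e]
    if len(entries) > MAX_IP_ENTRIES:
        raise ValueError(f"{len(entries)} IP entries exceed the limit of {MAX_IP_ENTRIES}")
    return [ipaddress.ip_network(e, strict=True) for e in entries]  # ValueError on bad input


@dataclass
class Whitelist:
    name: str
    networks: list = field(default_factory=list)  # from parse_ip_field()
    instances: frozenset = frozenset()            # OR within the group
    accounts: frozenset = frozenset()             # OR within the group
    action_types: Optional[frozenset] = None      # None = all action types (console default)

    def __post_init__(self) -> None:
        # Page limits: a name up to 100 characters, at most 10 accounts, and
        # at least one account, IP address, or CIDR block.
        if len(self.name) > MAX_NAME_LEN:
            raise ValueError("rule name longer than 100 characters")
        if len(self.accounts) > MAX_ACCOUNTS:
            raise ValueError(f"{len(self.accounts)} accounts exceed the limit of {MAX_ACCOUNTS}")
        if not self.networks and not self.accounts:
            raise ValueError("specify at least one account, IP address, or CIDR block")


@dataclass(frozen=True)
class AuditEvent:
    instance: str
    account: str
    source_ip: str
    action_type: str


def matches(wl: Whitelist, ev: AuditEvent) -> bool:
    """True if the event is covered by the whitelist (DSC would not alert).

    Documented rule: instances are OR-ed, accounts are OR-ed, and the two
    groups are AND-ed; an empty group imposes no constraint.
    ASSUMPTION: the page does not say how the IP list combines with the
    instance/account criteria; this model AND-s it in the same way.
    """
    if wl.networks:
        ip = ipaddress.ip_address(ev.source_ip)
        if not any(ip in net for net in wl.networks):
            return False
    if wl.instances and ev.instance not in wl.instances:
        return False
    if wl.accounts and ev.account not in wl.accounts:
        return False
    if wl.action_types is not None and ev.action_type not in wl.action_types:
        return False
    return True


def triage(whitelists: List[Whitelist],
           events: List[AuditEvent]) -> Tuple[Dict[AuditEvent, str], List[AuditEvent]]:
    """Replay events against whitelists (first match wins).

    Returns (suppressed, alerting): suppressed maps each covered event to the
    name of the whitelist that covers it; alerting lists events that still alert.
    """
    suppressed, alerting = {}, []
    for ev in events:
        hit = next((wl.name for wl in whitelists if matches(wl, ev)), None)
        if hit is None:
            alerting.append(ev)
        else:
            suppressed[ev] = hit
    return suppressed, alerting


# Constructed sample data: the page's "Instance A or B, and Account A or B"
# example plus an IP list, replayed against four synthetic audit events.
SAMPLE_WHITELIST = Whitelist(
    name="2024-05-21 20:58:09 OSS rule test",
    networks=parse_ip_field("10.0.1.0/24, 10.0.2.7"),
    instances=frozenset({"rm-instance-a", "rm-instance-b"}),
    accounts=frozenset({"account_a", "account_b"}),
)
SAMPLE_EVENTS = [
    AuditEvent("rm-instance-a", "account_a", "10.0.1.20", "SELECT"),    # covered
    AuditEvent("rm-instance-a", "account_c", "10.0.1.20", "SELECT"),    # account not listed
    AuditEvent("rm-instance-c", "account_b", "10.0.2.7", "DELETE"),     # instance not listed
    AuditEvent("rm-instance-b", "account_b", "192.168.0.9", "DELETE"),  # source IP outside the list
]

if __name__ == "__main__":
    suppressed, alerting = triage([SAMPLE_WHITELIST], SAMPLE_EVENTS)
    for ev, name in suppressed.items():
        print(f"suppressed by {name!r}: {ev}")
    for ev in alerting:
        print(f"still alerts: {ev}")
```

Replaying a day of exported audit events through triage() before you click OK is a cheap way to catch a whitelist that is broader than intended: if a CIDR-only entry suppresses events from instances or accounts you did not expect, add the instances and accounts to the same whitelist so the AND relationship narrows it.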
Modify or delete a whitelist
If you want DSC to resume generating alerts for an IP address or account that is on a whitelist, modify the whitelist to remove that entry, or delete the whitelist.
You cannot change the asset type when you modify an existing whitelist.
Log on to the DSC console.
On the System Settings page, click the Whitelist tab.
Find the whitelist that you want to manage and click Modify or Delete in the Actions column.
References
You can use Alibaba Cloud SDKs to call the following API operations to query information about authorized data assets. For more information about the supported programming languages and the required dependencies, see Data Security Center SDK. For more information about how to integrate Alibaba Cloud SDKs, see Alibaba Cloud SDKs.
You can query data assets such as instances, databases, and OSS buckets that DSC is authorized to scan. For more information, see DescribeDataLimits.
You can query data assets, such as instances, databases, and OSS buckets, that DSC is authorized to scan in a specific service. For more information, see DescribeDataLimitSet.