Updated on 2026-07-07 GMT+08:00

Configuring an Audit Scope Rule

By default, database audit complies with a full audit rule, which is used to audit all databases that are connected to the database audit instance.

You can also set an audit scope and specify the databases to be audited.

You can check the audit scope rule list and enable, disable, edit, or delete these rules.

Prerequisites

  • The database audit instance is in the Running state.
  • Before enabling, editing, or deleting the audit scope, ensure that the status of audit scope is Disabled.
  • Before disabling the audit scope, ensure that the status of audit scope is Enabled.

Constraints and Limitations

  • By default, database audit complies with a full audit rule, which is used to audit all databases that are connected to the database audit instance. This audit rule is enabled by default. You can disable it but cannot delete it.
  • By default, the full audit rule takes effect even if other rules exist. To make another audit rule take effect, disable the full audit rule first.

Configuring an Audit Scope Rule

  1. Log in to the DBSS console.
  2. Click in the upper left corner on the displayed page and select a region.
  3. In the Instance drop-down list, select an instance.
  4. In the navigation tree on the left, choose Rules.

Checking the Audit Scope Rule List

Check the audit scope rule list. For details, see Table 1.

You can select an attribute from the search box above the list or enter a keyword to search for an audit scope.
Figure 1 Viewing the audit scope
Table 1 Parameters

Parameter

Description

Name

Name of the audit scope

Excluded IP Addresses (Optional)

Whitelisted IP addresses within the audit scope

Source IP Address (Optional)

IP address or IP address range used for accessing the database

Source Port (Optional)

Port number of the IP address to be audited

Database Name

Database in the audit scope

Database Account (Optional)

Database username

Status

Status of the audit scope. The options are as follows:

  • Enabled
  • Disabled

Adding an Audit Scope Rule

  1. Add Audit Scope above the audit scope list.
  2. In the displayed dialog box, set the audit scope, as shown in Figure 2. For details about related parameters, see Table 2.

    Figure 2 Add Audit Scope dialog box
    Table 2 Parameters

    Parameter

    Description

    Example Value

    Name

    Name of the custom audit scope

    audit00

    Database Name

    Select a database or ALL.

    db03

    Operation Type (Optional)

    Audited operation type. It can be Login or Operation.

    When you select the Operation check box, you can select All operations or the operations in DDL, DML, and DCL.

    NOTE:

    The operation type of agent-free audit depends on the recognition result of RDS. For example, CREATE USER and CREATE TABLE statements may be recognized as CREATE, DROP USER and DROP TABLE statements may be recognized as DROP, and SELECT FOR UPDATE statements may be recognized as SELECT. For details about how to view the operation type of an SQL statement, see Viewing SQL Statement Details.

    Login

    Database Account (Optional)

    (Optional) Database username.

    You can specify multiple accounts, separated by commas (,).

    -

    Excluded IP Addresses (Optional)

    (Optional) IP addresses that do not need to be audited.

    NOTE:

    If an IP address is set as both a source and an exception IP address, the IP address will not be audited.

    -

    Source IP Address (Optional)

    (Optional) IP address or IP address range used for accessing the database to be audited

    The IP address must be an internal IP address in IPv4 or IPv6 format.

    -

    Source Port (Optional)

    (Optional) Port number used for accessing the database to be audited

    -

  3. Click OK.

    After the audit scope is added, it will be displayed in the audit scope list and in the Enabled state.

Enabling an Audit Scope Rule

In the Operation column of an audit scope rule, click Enable. Database audit will be performed on the databases within the scope.

Disabling an Audit Scope Rule

  1. In the Operation column of an audit scope rule, click Disable.
  2. In the displayed dialog box, click OK.

    When the audit scope is disabled, the audit scope rule will not be executed in the audit.

Editing an Audit Scope Rule

Only custom audit scope rules can be edited.

  1. In the Operation column of an audit scope rule, click Edit.
  2. In the displayed dialog box, modify the audit scope and click OK.

Deleting an Audit Scope Rule

Only custom audit scope rules can be deleted.

  1. In the Operation column of an audit scope rule, click Delete.
  2. In the displayed dialog box, enter DELETE and click OK.

    To set a database audit scope for the instance after the deletion, add an audit scope rule again.

References

  • You can add a custom SQL rule to audit all the database connected to database audit. For details, see Configuring SQL Injection Rules.
  • You can add a risky operation rule to audit risky operations on databases. For details, see Managing Risky Operation Rules.
  • To mask sensitive information in entered SQL statements, you can enable the function of masking privacy data and configure masking rules to prevent sensitive information leakage. For details, see Configuring Privacy Data Protection Rules.
  • You can add trusted SQL statements to the whitelist. Database audit will ignore whitelisted SQL statements. For details, see Configuring SQL Whitelist.