Database Account Security

Account Password Complexity

For details about the database password strength requirements on the RDS console, see the basic settings and connectivity table in Buying an RDS for MySQL Instance.

When you are creating a DB instance, the password strength is checked. You can modify the password strength as user root. For security reasons, the new password strength must be at least as strong as the initial setting.

Account Description

To provide O&M services, the system automatically creates system accounts when you create RDS for MySQL DB instances. These system accounts are unavailable to you.

Attempting to delete, rename, and change passwords or permissions for these accounts will result in an error. Exercise caution when performing these operations.

• rdsAdmin: a management account with the highest privileges. It is used to query and modify instance information, rectify faults, migrate data, and restore data.
• rdsRepl: a replication account. It is used to synchronize data from a primary instance to its standby instance or read replicas.
• rdsBackup: a backup account. It is used to back up data in the background.
• rdsMetric: a metric monitoring account. It is used by watchdog to collect database status data.
• rdsProxy: a proxy account. It is automatically created when Database Proxy is enabled and is used for authentication when a database is connected through a read/write splitting address.
• rdsFillBinlog: a binlog synchronization account. If binlogs are not synchronized during a primary/standby switchover, this account is created to synchronize binlogs.

Setting Password Complexity

1. Log in to the management console.
2. Click in the upper left corner and select a region and a project.
3. Click in the upper left corner of the page and choose Database > Relational Database Service.
4. On the Instances page, click the DB instance to go to the Basic Information page.

   Passwords must:

   • Consist of at least eight characters.
   • Contain at least one uppercase letter, one lowercase letter, one digit, and one special character.
   • Must be different from the username.

5. In the navigation pane on the left, choose Parameters. On the displayed page, modify the required parameters.

   The following parameters can be modified only for RDS for MySQL 5.6 and 5.7.

   • validate_password_length: Set this parameter to 8.
   • validate_password_mixed_case_count: Set this parameter to 1.
   • validate_password_number_count: Set this parameter to 1.
   • validate_password_special_char_count: Set this parameter to 1.
   • validate_password_policy: Set this parameter to MEDIUM.

6. Perform the following operations as required.
   • To save the modifications, click Save.
   • To cancel the modifications, click Cancel.
   • To preview the modifications, click Preview.

7. After the parameters are modified, choose whether to reboot the instance based on the information in the Effective upon Reboot column.
   • If Yes is displayed and the DB instance status on the Instances page is Parameter change. Pending reboot, a reboot is required for the modifications to take effect.
     • If you have modified parameters of a primary DB instance, you need to reboot the primary DB instance for the modifications to take effect. (For primary/standby DB instances, the parameter modifications are also applied to the standby DB instance.)
     • If you have modified parameters of a read replica, you need to reboot the read replica for the modifications to take effect.
   • If all values are No, the modifications are applied immediately without rebooting the instance.