Updated on 2025-04-24 GMT+08:00

DAS Security Best Practices

Security is a shared responsibility between Huawei Cloud and you. Huawei Cloud is responsible for the security of cloud services to provide a secure cloud. As a tenant, you should properly use the security capabilities provided by cloud services to protect data, and securely use the cloud. For details, see Shared Responsibilities.

Consider the following aspects for your security configurations:

Properly Managing Database Accounts and Passwords to Reduce Data Leakage Risks

  1. Change the administrator password periodically.

    The default database administrator account root has elevated privileges. For enhanced security, you are advised to periodically change its password by following Editing a Database User.

  2. Configure password complexity.

    Because a database system is a concentrated store of information, it is an attractive target for attacks. Keep your database account and password secure, and configure password complexity requirements so that weak passwords cannot be used.

  3. Configure a password expiration policy.

    Using the same password for too long makes it easier for hackers to crack or guess it. You are advised to set a password expiration policy to limit how long the same password can be used.
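The three account rules above (complexity, no weak passwords, expiration) can be checked in bulk before they are enforced through DAS. The following is an added example, not code from the DAS documentation or the DAS service; the policy values (12 characters, 90 days, the short weak-password list) and the sample accounts are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Policy values are assumptions for this example, not DAS defaults.
MIN_LENGTH = 12
MAX_PASSWORD_AGE_DAYS = 90
# Constructed, deliberately short weak-password list; a real check would use a large one.
COMMON_WEAK = {"password", "123456", "qwerty", "admin123", "root"}


@dataclass
class Account:
    name: str
    password: str          # present only so the complexity check can run in this example
    password_set_on: date  # date the password was last changed


def complexity_issues(password: str, username: str = "") -> List[str]:
    """Return the complexity rules a password violates (an empty list means it passes)."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        (r"[a-z]", "lowercase letter"),
        (r"[A-Z]", "uppercase letter"),
        (r"[0-9]", "digit"),
        (r"[^A-Za-z0-9]", "special character"),
    ]
    missing = [label for pattern, label in classes if not re.search(pattern, password)]
    if missing:
        issues.append("missing " + ", ".join(missing))
    if password.lower() in COMMON_WEAK:
        issues.append("matches a common weak password")
    if username and username.lower() in password.lower():
        issues.append("contains the account name")
    return issues


def is_expired(account: Account, today: date) -> bool:
    """True when the password is older than the maximum age allowed by the policy."""
    return (today - account.password_set_on).days > MAX_PASSWORD_AGE_DAYS


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each account name to its list of findings (empty list = compliant)."""
    report = {}
    for acct in accounts:
        findings = complexity_issues(acct.password, acct.name)
        if is_expired(acct, today):
            findings.append(f"password older than {MAX_PASSWORD_AGE_DAYS} days")
        report[acct.name] = findings
    return report


# Constructed sample accounts and audit date for the example.
SAMPLE_ACCOUNTS = [
    Account("root", "root", date(2024, 1, 1)),
    Account("app_reader", "Tr0ub4dor&3-long!", date(2025, 3, 1)),
    Account("report_svc", "Password2024", date(2025, 4, 1)),
]
AUDIT_DATE = date(2025, 4, 24)


def audit_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed sample."""
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for name, findings in audit_sample().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The administrator account is flagged on every rule at once, which is the case the first recommendation above targets: a privileged account whose password is both weak and stale.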

Enabling CTS to Review Cloud Users' Operations

  • Cloud Trace Service (CTS) records operations on cloud resources in your account. You can use the logs generated by CTS to perform security analysis, track resource changes, audit compliance, and locate faults.
  • After you enable CTS and create and configure a tracker, CTS can record management events of DAS. For details, see Enabling CTS.
  • CTS allows you to query resources from multiple dimensions, which makes it easier to review operations and locate faults.

Collecting All Query Logs

You can enable Collect All Query Logs to improve security. For details, see Enabling SQL Insights.

  1. All SQL operations are recorded, so the source of abnormal behaviors such as data leakage and accidental deletion can be located quickly.
  2. Attacks such as SQL injection and brute-force attacks can be blocked in real time.
  3. Unauthorized operations (such as high-risk commands) can be monitored to reduce internal risks.
  4. Attack paths can be accurately restored to evaluate the extent of their impact.
  5. The probability of malicious operations is reduced.
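Once every query is collected, the review described in items 1 to 3 above (locating high-risk commands and spotting brute-force login attempts) can be automated over the exported log. The following is an added example, not code from the DAS documentation or the SQL Insights feature; the line format, the high-risk statement patterns, the five-failures-per-minute threshold and the sample log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed line format for this example (not the DAS export format):
# <ISO8601 time>Z host=<ip> user=<name> status=<ok|auth_failed> sql="<statement>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'status=(?P<status>\S+) sql="(?P<sql>.*)"$'
)

# Statement classes treated as high-risk in this example: destructive DDL,
# privilege changes, and DELETE/UPDATE statements with no WHERE clause.
HIGH_RISK = [
    (re.compile(r"^\s*(DROP|TRUNCATE)\s", re.I), "destructive DDL"),
    (re.compile(r"^\s*(GRANT|REVOKE)\s", re.I), "privilege change"),
    (re.compile(r"^\s*(DELETE\s+FROM|UPDATE)\s+\S+(?!.*\bWHERE\b)", re.I | re.S),
     "unbounded DELETE/UPDATE"),
]

BRUTE_FORCE_THRESHOLD = 5          # failed logins ...
BRUTE_FORCE_WINDOW = timedelta(minutes=1)  # ... within this sliding window


def parse(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def classify_sql(sql: str) -> List[str]:
    """Return the high-risk labels that apply to a statement (empty = not high-risk)."""
    return [label for pattern, label in HIGH_RISK if pattern.search(sql)]


def analyze(lines: List[str]) -> List[Tuple[str, str, str, str, str]]:
    """Return alerts as (kind, user, host, detail, sql) tuples in log order."""
    alerts = []
    failures = defaultdict(deque)  # host -> timestamps of recent failed logins
    flagged_hosts = set()          # alert once per host, not on every further failure
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole review
        for label in classify_sql(rec["sql"]):
            alerts.append(("high_risk", rec["user"], rec["host"], label, rec["sql"]))
        if rec["status"] == "auth_failed":
            recent = failures[rec["host"]]
            recent.append(rec["ts"])
            while recent and rec["ts"] - recent[0] > BRUTE_FORCE_WINDOW:
                recent.popleft()
            if len(recent) >= BRUTE_FORCE_THRESHOLD and rec["host"] not in flagged_hosts:
                flagged_hosts.add(rec["host"])
                detail = f"{len(recent)} failed logins within {BRUTE_FORCE_WINDOW}"
                alerts.append(("brute_force", rec["user"], rec["host"], detail, ""))
    return alerts


# Constructed sample log: routine traffic, two risky admin statements,
# a burst of failed root logins from one address, and one malformed line.
SAMPLE_LOG = [
    '2025-04-24T10:00:00Z host=10.0.0.5 user=app status=ok sql="SELECT id FROM orders WHERE id=1"',
    '2025-04-24T10:00:05Z host=10.0.0.9 user=admin status=ok sql="DROP TABLE customers"',
    '2025-04-24T10:00:06Z host=10.0.0.9 user=admin status=ok sql="DELETE FROM audit_log"',
    '2025-04-24T10:00:07Z host=10.0.0.5 user=app status=ok sql="UPDATE orders SET state=\'paid\' WHERE id=1"',
    '2025-04-24T10:01:00Z host=203.0.113.7 user=root status=auth_failed sql=""',
    '2025-04-24T10:01:01Z host=203.0.113.7 user=root status=auth_failed sql=""',
    '2025-04-24T10:01:02Z host=203.0.113.7 user=root status=auth_failed sql=""',
    '2025-04-24T10:01:03Z host=203.0.113.7 user=root status=auth_failed sql=""',
    '2025-04-24T10:01:04Z host=203.0.113.7 user=root status=auth_failed sql=""',
    'not a log line',
]


def analyze_sample() -> List[Tuple[str, str, str, str, str]]:
    """Run the review over the constructed sample log."""
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in analyze_sample():
        print(alert)
```

The bounded UPDATE on line four produces no alert, while the DELETE with no WHERE clause does; that distinction is what makes the high-risk check useful rather than noisy.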

Using Fine-Grained Authorization to Control the Usage Scope of DAS Resources

  1. Grant least privileges to IAM users with different roles to prevent data leakage or misoperations. To better isolate and manage permissions, you are advised to configure independent IAM administrators and grant them privileges to manage IAM policies. The IAM administrator can create different user groups based on your service requirements. User groups correspond to different data access scenarios. By adding users to user groups and binding IAM policies to user groups, the IAM administrator can grant different data access privileges to employees in different departments based on the principle of least privilege.
  2. You are advised to use fine-grained authorization to control user privileges. Fine-grained policies are split by API. You can create custom privilege policies based on privileges required for DAS operations.

Isolating Networks for Data Synchronization

For security, use firewalls, ACL rules, and security groups to control which sources can reach your databases through DAS.

Properly Using Authentication Credentials to Prevent Data Leakage

When you use code or API Explorer to call APIs, you need to obtain a token using an account password or an AK/SK pair. Follow secure coding rules, manage authentication credentials properly, and never hardcode authentication information in plaintext.
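The recommendation above has two practical halves: read the AK/SK from outside the code base, and catch plaintext credentials before they are committed. The following is an added example, not code from the DAS documentation or any Huawei Cloud SDK; the environment variable names `DAS_AK` and `DAS_SK`, the hardcoded-assignment pattern and the sample source text are assumptions constructed for the example, and the sample key values are not real credentials.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Mapping

# Environment variable names chosen for this example (assumption, not an SDK convention).
AK_ENV = "DAS_AK"
SK_ENV = "DAS_SK"


class MissingCredentials(RuntimeError):
    """Raised when the AK/SK pair is not available from the environment."""


@dataclass(frozen=True)
class Credentials:
    access_key: str
    secret_key: str

    def __repr__(self) -> str:
        # Never let the secret key leak through logging or debugging output.
        return f"Credentials(access_key={self.access_key[:4]}..., secret_key=<redacted>)"


def load_credentials(env: Mapping[str, str] = os.environ) -> Credentials:
    """Load the AK/SK pair from the environment instead of from source code."""
    ak = env.get(AK_ENV)
    sk = env.get(SK_ENV)
    if not ak or not sk:
        raise MissingCredentials(f"set {AK_ENV} and {SK_ENV} in the environment")
    return Credentials(access_key=ak, secret_key=sk)


# Heuristic for plaintext credential assignments such as  ak = "..."  or
# secret_key: "...". Constructed for this example; tune it for your code base.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)\b(ak|sk|access[_-]?key|secret[_-]?key|password)\b\s*[:=]\s*["\'][^"\']{8,}["\']'
)


def find_hardcoded_secrets(source: str) -> List[int]:
    """Return the 1-based line numbers of source lines that look like hardcoded secrets."""
    return [
        number
        for number, line in enumerate(source.splitlines(), start=1)
        if SECRET_ASSIGNMENT.search(line)
    ]


# Constructed sample source with two plaintext credentials (values are not real).
BAD_SOURCE = """\
import os
ak = "EXAMPLEACCESSKEY0001"
secret_key = "example-secret-value-not-real"
region = "cn-north-4"
user_ak = os.environ["DAS_AK"]
"""


if __name__ == "__main__":
    print("hardcoded secrets on lines:", find_hardcoded_secrets(BAD_SOURCE))
    try:
        print(load_credentials())
    except MissingCredentials as exc:
        print("refusing to start:", exc)
```

Running the scanner as a pre-commit hook keeps the second half of the rule enforced automatically; the first half is enforced by the fact that `load_credentials` refuses to start without the variables set.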