Help Center/ Relational Database Service_RDS for MySQL/ User Guide/ Security and Encryption/ Configuring Dynamic Data Masking for an RDS for MySQL Instance
Updated on 2025-08-20 GMT+08:00
View PDF
Share

Configuring Dynamic Data Masking for an RDS for MySQL Instance

Function

Dynamic data masking is a security technology that masks data when databases send data to clients. RDS for MySQL allows you to add masking rules to mask data in specified databases, tables, and columns.

Figure 1 Topology

If dynamic data masking is enabled and a full-field masking rule (add_mask_rule('', '', '', '')) is configured, the database performance loss is within 5% under the following conditions when sysbench is used to perform a stress test: There are 128 tables each with 25,000 rows of data imported to the instance, and the QPS is about 400,000.

QPS stands for queries per second.

Supported Versions

To use this function, the kernel version of your instance must be 8.0.32.250300 or later.

Constraints

  • This function can take effect only for SELECT statements.
  • The masking rules are not applied to system databases. System databases include mysql, information_schema, performance_schema, and sys.
  • Spaces and special null characters (such as '\t', '\r', and '\n') at the beginning and end of a database name, table name, column name, or username will be ignored.
  • A database name, table name, or column name should be no longer than 64 bytes. A username should be no longer than 32 bytes.
  • The administrator list (the value of rds_dynamic_masking_super_users) should be no longer than 1,024 bytes.
  • The masking method varies depending on the data type. For details, see Table 1.
    Table 1 Data masking

    Data Type

    After Masking

    Integer (TINYINT, SMALLINT, MEDIUMINT, INT, BIGINT, and BOOLEAN)

    A positive integer

    Decimal (DECIMAL, FLOAT, and DOUBLE)

    Time (YEAR)

    Time (DATE, TIME, DATETIME, and TIMESTAMP)

    DATE: [1000:01:01,9999:12:31.499999]

    TIME: [00:00:00,838:59:59.499999]

    DATETIME and TIMESTAMP: [1971:01:01 00:00:00, 2037:12:31 23:59:59.49999]

    String

    ******

Parameters for Dynamic Data Masking

Table 2 Parameter description

Parameter

Level

Description

rds_dynamic_masking_enabled

Global

Whether to enable dynamic data masking. The default value is OFF.

rds_dynamic_masking_super_users

Global

Multiple administrator accounts can be configured. The default value is an empty string ('').

Use commas (,) to separate administrator accounts. The masking rules do not take effect for administrators. Example: 'user1,user2'

rds_masking_paramter_max_count

Global

The maximum number of database names, table names, column names, or usernames that can be configured. Default value: 100; value range: [1, 1000]

Usage

Adding a masking rule

  • Syntax 
    CALL dbms_mask.add_mask_rule(
         db_name text,
         table_name text,
         column_name text,
         user_name text);
    Table 3 Parameter description

    Parameter

    Type

    Description

    db_name

    text

    The name of the database that the masking rule is to be applied to.

    You can configure multiple database names separated by commas (,). If db_name is set to an empty string (''), the masking rule takes effect for all databases.

    table_name

    text

    The name of the table that the masking rule is to be applied to.

    You can configure multiple table names separated by commas (,). If table_name is set to an empty string (''), the masking rule takes effect for all tables in the database specified by db_name.

    column_name

    text

    The name of the column that the masking rule is to be applied to.

    You can configure multiple column names separated by commas (,). If column_name is set to an empty string (''), the masking rule takes effect for all columns of the table specified by table_name in the database specified by db_name.

    user_name

    text

    The name of the user that the masking rule is to be applied to.

    You can configure multiple usernames separated by commas (,). If user_name is set to an empty string (''), the masking rule takes effect for all users (excluding administrators).
  • Permission constraints

    Only the root user can add masking rules.

  • Operation Examples
    • Add a masking rule to mask data in columns col_a and col_b of table tab_a in databases db_1 and db_2 for users user1 and user2. 
      CALL dbms_mask.add_mask_rule('db_1,db_2', 'tab_a', 'col_a,col_b', 'user1,user2');
    • Add a masking rule to mask data in all columns of all tables in all databases for all users. 
      CALL dbms_mask.add_mask_rule('', '', '', '');

Querying masking rules

  • Syntax 
    CALL dbms_mask.show_mask_rule();
  • Permission constraints

    All users can query masking rules.

  • Operation Examples 
    CALL dbms_mask.show_mask_rule();

Deleting a masking rule

  • Syntax 
    CALL dbms_mask.delete_mask_rule(mask_id bigint);
    Table 4 Parameter description

    Parameter

    Type

    Description

    mask_id

    bigint

    Masking rule ID.
  • Permission constraints

    Only the root user can delete masking rules.

  • Operation Examples

    Delete the masking rule whose ID is 2.

    CALL dbms_mask.delete_mask_rule(2);

Updating a masking rule

  • Syntax 
    CALL dbms_mask.update_mask_rule(
         mask_id bigint,
         enabled enum('N','Y'),
         db_name text,
         table_name text,
         column_name text,
         user_name text);
    Table 5 Parameter description

    Parameter

    Type

    Description

    mask_id

    bigint

    Masking rule ID.

    enabled

    enum

    Whether the masking rule is enabled. The options are Y (enabled) and N (disabled).

    db_name

    text

    The name of the database that the masking rule is to be applied to. You can configure multiple database names separated by commas (,). If db_name is set to an empty string (''), the masking rule takes effect for all databases.

    table_name

    text

    The name of the table that the masking rule is to be applied to. You can configure multiple table names separated by commas (,). If table_name is set to an empty string (''), the masking rule takes effect for all tables in the database specified by db_name.

    column_name

    text

    The name of the column that the masking rule is to be applied to. You can configure multiple column names separated by commas (,). If column_name is set to an empty string (''), the masking rule takes effect for all columns of the table specified by table_name in the database specified by db_name.

    user_name

    text

    The name of the user that the masking rule is to be applied to. You can configure multiple usernames separated by commas (,). If user_name is set to an empty string (''), the masking rule takes effect for all users (excluding administrators).
  • Permission constraints

    Only the root user can update masking rules.

  • Operation Examples

    Update the status of masking rule 1 to disabled. This rule is used to mask data in all columns of table tab_1 in database db_test for user1.

    CALL dbms_mask.update_mask_rule(1,'N','db_test', 'tab_1', '', 'user1');

Enabling a masking rule

  • Syntax 
    CALL dbms_mask.enable_mask_rule(mask_id bigint);
    Table 6 Parameter description

    Parameter

    Type

    Description

    mask_id

    bigint

    Masking rule ID.
  • Permission constraints

    Only the root user can enable masking rules.

  • Operation Examples

    Enable the masking rule whose ID is 2.

    CALL dbms_mask.enable_mask_rule(2);

Disabling a masking rule

  • Syntax 
    CALL dbms_mask.disable_mask_rule(mask_id bigint);
    Table 7 Parameter description

    Parameter

    Type

    Description

    mask_id

    bigint

    Masking rule ID.
  • Permission constraints

    Only the root user can disable masking rules.

  • Operation Examples

    Disable the masking rule whose ID is 2.

    CALL dbms_mask.disable_mask_rule(2);
Parent Topic: Security and Encryption