Help Center/ Database Security Service/ Best Practices/ Auditing an RDS DB Instance (Without Agents)
Updated on 2023-06-16 GMT+08:00

Auditing an RDS DB Instance (Without Agents)

Overview

This section describes how to audit the security of a relational database instance. (Applications connected to this DB instance are deployed on ECS.) DBSS can audit certain types of relational databases without installing agents.

  • If the database you want to audit is included in Table 1, use DBSS to audit your database without installing agents by referring to this section.
    Table 1 Agent-free relational databases

    Database Type

    Supported Edition

    GaussDB(for MySQL)

    All editions are supported by default.

    RDS for SQLServer

    All editions are supported by default.

    RDS for MySQL

    • 5.6 (5.6.51.1 or later)
    • 5.7 (5.7.29.2 or later)
    • 8.0 (8.0.20.3 or later)

    GaussDB(DWS)

    • 8.2.0.100 or later

    PostGresql

    • 14 (14.4 or later)
    • 13 (13.6 or later)
    • 12 (12.10 or later)
    • 11 (11.15 or later)
    • 9.6 (9.6.24 or later)
    • 9.5 (9.5.25 or later)
  • If the database you want to audit is not included in Table 1, see Auditing an RDS DB instance (with Agents).

DBSS without agents is easy to configure and use, but the following functions are not supported:

  • Successful and failed login sessions cannot be counted.
  • The port number of the client for accessing the database cannot be obtained.

GaussDB(DWS) has the permission control policy for the log audit function. Only Huawei Cloud accounts and users with the Security Administrator permission can enable or disable the DWS database audit function.

Solution Architecture

The DBSS instance receives the logs sent from databases, such as certain GaussDB(for MySQL) or RDS for MySQL versions, and saves the logs to its log library for security analysis, aggregation statistics, and compliance analysis.

Figure 1 Auditing an RDS DB instance (without agents)

Take the GaussDB(for MySQL) database as an example. Assume you need to locate and track internal violations and improper operations in the database to meet compliance requirements. This section describes how to enable the database audit function and check audit results.

Table 2 Database example

Database Type

RDS database

Database Type

GaussDB(for MySQL)

Version

MySQL 8.0

IP Address

192.168.0.237

Database Port

3306

Limitations and Constraints

The database audit instance and the database to be audited must be in the same region.

Step 1: Purchase Database Audit

Configure and purchase the database audit service. For details, see Purchasing Database Audit.

Step 2: Add a Database and Enable Audit

After purchasing database audit, add a database to the database audit instance and enable audit for the database.

  1. Log in to the management console.
  2. Select a region and click . Choose Security & Compliance > Database Security Service. The Dashboard page is displayed.
  3. In the navigation pane, choose Databases.
  4. Select an instance from the Instance drop-down list. Click Add Database.
  5. In the displayed dialog box, set database parameters described in Table 2.

    Figure 2 Adding a database

  6. Click OK. The database will be displayed in the database list and its Audit Status will be Disabled.

    Figure 3 Database list

  7. In the database list, view the information in the Agent column.

    • If the message No agent needs to be added is displayed, the database can be audited without installing agents. In this case, go to step 8.
      Figure 4 No agent needs to be added
    • If Add is displayed, the database can be audited only after an agent is added. In this case, click Add in the Agent column. For details, see Auditing an RDS DB instance (with Agents).
      Figure 5 Adding an agent

  8. In the Operation column of the database, click Enable.

    Figure 6 Enabling database audit

Step 3: Viewing the Audit Result

You can check audit results on the dashboard page, or generate, preview, or download reports.

  1. Check overview information.

    In the navigation pane, choose Dashboard.

    The Dashboard page displays the audit duration, total number of SQL statements and risks, statements and risks today, and today's sessions of an instance.

    You can click the Statements or Sessions tab to view session distribution.

  2. Generate, download, or preview reports.

    1. In the navigation pane, choose Reports.
    2. Select an instance from the Instance drop-down list. Click the Report Management tab.
    3. In the Operation column of a report template, click Generate Report.
    4. In the displayed dialog box, click to set the start time and end time of the report, and select the database for which you want to generate a report.
    5. Click OK.

      See Figure 7.

      To preview a report online, use Google Chrome or Mozilla FireFox.

      Figure 7 Previewing or downloading an audit report