Security Best Practices

Connecting to a DB Instance over a Private Network

1. Connecting a DB instance over DAS

   Data Admin Service (DAS) enables you to connect to and manage DB instances with ease on a web-based console. By default, you have the permissions required for remote login. It is recommended that you use DAS to log in to DB instances. DAS is secure and convenient. For details, see Connecting to a DB Instance Using DAS (Recommended).

2. Connecting a DB instance over the private IP address

   If your application is deployed on an ECS that is in the same region and VPC as a DB instance, you are advised to use the private IP address of the DB instance to connect to the ECS for high security and performance. For details, see Connecting to a DB Instance over a Private Network.

Configuring Access Control Permissions

Access control can prevent your data from being stolen or damaged.

1. Configuring only the minimum permissions for IAM users with different roles

   To better isolate and manage permissions, you are advised to configure an independent IAM administrator and grant them the permission to manage IAM policies. The IAM administrator can create different user groups based on your service requirements. User groups correspond to different data access scenarios. By adding users to user groups and binding IAM policies to user groups, the IAM administrator can grant different data access permissions to employees in different departments based on the principle of least privilege. For details, see Permissions Management.

2. Configuring security group rules

   After a DB instance is created, you can configure inbound and outbound security group rules to control access to and from your instance. This can prevent untrusted third parties from connecting to your DB instance. For details, see Configuring Security Group Rules.

3. Using a non-default port

   The default port of GaussDB(for MySQL) is 3306, which is vulnerable to scanning attacks. You are advised to change it to a non-default port. For details, see Changing a Database Port.

4. Periodically changing the administrator password
5. Using different non-administrator accounts to manage databases

   You can create different read-only or read/write accounts for database management based on actual requirements. For details, see Creating a Database Account.

6. Enabling multi-factor authentication for critical operations

   GaussDB(for MySQL) supports critical operation protection. After this function is enabled, the system authenticates your identity when you perform critical operations like deleting a DB instance, to further secure your data and configurations. For details, see Critical Operation Protection.

Building Disaster Recovery Capabilities

Build restoration and disaster recovery (DR) capabilities in advance to prevent data from being deleted or damaged accidentally in the event of failures.

1. Configuring an automated backup policy

   When you create a DB instance, an automated backup policy is enabled by default. For security purposes, the automated backup policy cannot be disabled. After the instance is created, you can customize the automated backup policy as required. GaussDB(for MySQL) backs up data based on the automated backup policy you configure. GaussDB(for MySQL) backs up data at the DB instance level, rather than the database level. If a database is faulty or data is damaged, you can still restore it from backup to ensure data reliability. Backing up data affects the database read and write performance, so you are advised to set the automated backup time window to off-peak hours. For details, see Configuring a Same-Region Backup Policy.

2. Enabling cross-region backup

   GaussDB(for MySQL) can store backups in a different region from the DB instance for disaster recovery. If the DB instance ever fails, you can use backups in the other region to restore data to a new DB instance. For details, see Configuring a Cross-Region Backup Policy.

Keeping Data in Transit Safe

1. Using HTTPS to access data

   Hypertext Transfer Protocol Secure (HTTPS) is a protocol that guarantees the confidentiality and integrity of communications between clients and servers. You are advised to use HTTPS for data access.

2. Using SSL to connect to a DB instance

   Secure Socket Layer (SSL) is an encryption-based Internet security protocol for establishing secure links between a server and a client. It provides privacy, authentication, and integrity to Internet communications. SSL encrypts data to prevent data theft and maintains data integrity to ensure that data is not modified in transit. For details, see Configuring SSL.

Auditing GaussDB(for MySQL) Operation Logs to Check Exceptions

1. Enabling CTS to record all GaussDB(for MySQL) access operation

   Cloud Trace Service (CTS) records operations on cloud resources in your account. You can use the logs generated by CTS to perform security analysis, track resource changes, audit compliance, and locate faults.

   After you enable CTS and configure a tracker, CTS can record management and data traces of GaussDB(for MySQL) for auditing. For details, see Key Operations Supported by CTS.

2. Enabling SQL Explorer to record all SQL statements

   Enabling SQL Explorer will allow GaussDB(for MySQL) to store all SQL statement logs for analysis. For details, see Enabling or Disabling SQL Explorer.

3. Using Cloud Eye for real-time monitoring on security events

   Huawei Cloud Eye is available to monitor your DB instance, report alarms, and send notifications in real time, so that you can have a clear understanding of the status and alarm events of your DB instance.

   You do not need to separately subscribe to Cloud Eye. It starts automatically once you create a resource (a GaussDB(for MySQL) DB instance, for example).

   For details, see What Is Cloud Eye?

Using the Latest SDKs for Better Experience and Security

You are advised to use the latest version of SDK to better use GaussDB(for MySQL) and protect your data. To download the latest SDK for each language, see SDK Overview.