Enable SQL Auditing for RDS Database Instances

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (Not acceptable risk)

Ensure that SQL auditing is enabled for Alibaba Cloud RDS database instances in order to help you identify security vulnerabilities and performance challenges in your databases through the collection and analysis of raw SQL logs.

Performance efficiency, Operational excellence

SQL auditing monitors database events and records them in an audit log within your Alibaba Cloud account. This process supports the adherence to regulatory standards, facilitates comprehension of database operations, and provides a means to detect irregularities and anomalies that may signify business issues or potential security breaches.


Audit

To determine if SQL auditing is enabled for your RDS database instances, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Select the cloud region where your RDS instances reside from the top navigation bar.

05 Click on the ID (link) of the SQL database instance that you want to examine, listed in the Instance ID/Name column.

06 In the RDS resource navigation panel, under Autonomy Services, choose SQL Explorer and Audit, and check the following information:

  1. If one of the following cloud regions is selected: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Guangzhou), China (Heyuan), China (Zhangjiakou), China (Ulanqab), China (Hong Kong), and Singapore, SQL auditing is managed by the new version of the SQL Explorer and Audit feature, which requires the DAS Enterprise Edition of Database Autonomy Service (DAS). If the SQL Explorer and Audit dashboard is not available and a Getting Started page with an Enable button is displayed instead, SQL auditing with the SQL Explorer and Audit feature is not enabled for the selected RDS database instance.
  2. If one of the following regions is selected: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Hohhot), China (Chengdu), China (Guangzhou), China (Heyuan), China (Ulanqab), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta), SQL auditing is managed by the old version of the SQL Explorer and Audit feature. If the SQL Explorer and Audit dashboard is not available and a Getting Started page with an Enable button is displayed instead, SQL auditing with SQL Explorer and Audit is not enabled for the selected RDS database instance.
  3. If any other cloud region is selected, SQL auditing is managed by the SQL Explorer feature. If the SQL Explorer dashboard is not available and a Getting Started page with the message Try SQL Explorer Now is displayed instead, SQL auditing with SQL Explorer is not enabled for the selected RDS database instance. If Autonomy Services is not listed in the navigation panel, navigate to the Database Autonomy Service (DAS) console at https://hdm.console.aliyun.com/, choose Instance Monitoring, select the appropriate tab, and look for the name of your RDS instance in the Instance column. If there is no DAS instance for your RDS instance, SQL auditing with SQL Explorer is not enabled for the selected RDS database instance.

07 Repeat steps no. 5 and 6 for each database instance provisioned in your Alibaba Cloud account.

08 Change the cloud region from the top navigation bar and perform the Audit process for other regions.

Using Alibaba Cloud CLI

01 Run DescribeDBInstances command (OSX/Linux/UNIX) with custom output filters to list the ID of each RDS database instance available within the specified region:

aliyun rds DescribeDBInstances \
  --RegionId 'eu-west-1' \
  --output cols=DBInstanceId

02 The command output should return a list with the requested database instance identifiers:

DBInstanceId
------------
rm-abcd1234abcd1234
rm-1234abcd1234abcd

03 Run DescribeSQLCollectorPolicy command (OSX/Linux/UNIX) with the name of the RDS database instance that you want to examine as the identifier parameter, to determine if SQL auditing is enabled for the selected RDS instance:

aliyun rds DescribeSQLCollectorPolicy \
  --region eu-west-1 \
  --DBInstanceId 'rm-abcd1234abcd1234' \
  --output cols=SQLCollectorStatus

04 The command output should return the requested feature status:

SQLCollectorStatus
------------------
Disabled

If the "SQLCollectorStatus" attribute value is set to Disabled, as shown in the example above, SQL auditing is not enabled for the selected RDS database instance.

05 Repeat steps no. 3 and 4 for each database instance provisioned within your Alibaba Cloud account.

06 Change the cloud region using the --RegionId parameter and perform the Audit process for other regions.

Remediation / Resolution

To enable SQL auditing for your Alibaba Cloud RDS database instances, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Select the cloud region where your RDS instances reside from the top navigation bar.

05 Click on the ID (link) of the SQL database instance that you want to configure, listed in the Instance ID/Name column.

06 In the RDS resource navigation panel, under Autonomy Services, choose SQL Explorer and Audit, and perform the following actions:

  1. If one of the following cloud regions is selected: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Guangzhou), China (Heyuan), China (Zhangjiakou), China (Ulanqab), China (Hong Kong), and Singapore, SQL auditing is managed by the new version of the SQL Explorer and Audit feature. The new version of the SQL Explorer and Audit feature requires the DAS Enterprise Edition for Database Autonomy Service (DAS). If your RDS instance edition is High-Availability, Cluster, or Enterprise, you can upgrade to DAS Enterprise Edition using the RDS or DAS console. If your instance edition is Basic, you can use the DAS console to upgrade to DAS Enterprise Edition. Choose Enable from the SQL Explorer and Audit section to enable SQL auditing with the new version of SQL Explorer and Audit for the selected RDS database instance.
  2. If one of the following regions is selected: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Hohhot), China (Chengdu), China (Guangzhou), China (Heyuan), China (Ulanqab), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta), SQL auditing is managed by the old version of the SQL Explorer and Audit feature. Choose Enable from the SQL Explorer and Audit section to enable SQL auditing with the old version of SQL Explorer and Audit for the selected RDS instance. The old version of the feature also requires the DAS Enterprise Edition for Database Autonomy Service (DAS). If your RDS instance edition is High-Availability, Cluster, or Enterprise, you can upgrade to DAS Enterprise Edition using the RDS or DAS console. On the DAS Professional Edition page, select Professional Edition, choose Buy Now, select I have read and agree to DAS Professional Edition Agreement of Service, and choose Pay to upgrade to DAS Enterprise Edition. If your instance edition is Basic, you can use the DAS console to upgrade to DAS Enterprise Edition.
  3. If any other cloud region is selected, SQL auditing is managed by the SQL Explorer feature. Choose Official Edition from the Try SQL Explorer Now section to enable SQL auditing with SQL Explorer for the selected RDS database instance. To get access to a 15-day trial version of SQL Explorer, choose Trial Version instead of Official Edition; during the trial period, all features of the SQL Explorer service are available. In the Storage Duration configuration box, select the required SQL log storage duration, and choose OK. SQL audit logs are deleted after the selected duration expires. If Autonomy Services is not listed in the navigation panel, navigate to the Database Autonomy Service (DAS) console at https://hdm.console.aliyun.com/, select Overview, and choose Upgrade to upgrade to DAS Enterprise Edition. If your RDS instance edition is High-Availability, Cluster, or Enterprise, you can upgrade to DAS Enterprise Edition using the DAS console. If your instance edition is Basic, you must upgrade the RDS instance edition before SQL auditing can be enabled.

07 Repeat steps no. 5 and 6 for each RDS database instance available in your Alibaba Cloud account.

08 Change the cloud region from the top navigation bar and perform the Remediation process for other regions.

Using Alibaba Cloud CLI

01 Run ModifySQLCollectorPolicy command (OSX/Linux/UNIX) to enable SQL auditing for the selected RDS database instance:

aliyun rds ModifySQLCollectorPolicy \
  --region eu-west-1 \
  --DBInstanceId 'rm-abcd1234abcd1234' \
  --SQLCollectorStatus Enable

02 If successful, the output should return the command request ID:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

03 Repeat steps no. 1 and 2 for each RDS database instance available within your Alibaba Cloud account.

04 Change the cloud region using the --region parameter and perform the Remediation process for other regions.
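The Audit and Remediation CLI steps above are the same three calls repeated per instance and per region, so they lend themselves to a single sweep script. The following is an added example, not Conformity's or Alibaba Cloud's own tooling: it walks the regions named in REGIONS, lists the RDS instances with DescribeDBInstances, checks each one with DescribeSQLCollectorPolicy, reports every instance whose SQLCollectorStatus is not Enable, and, only when FIX=1 is set, enables auditing with ModifySQLCollectorPolicy. It assumes the `aliyun` CLI is installed and configured; when the CLI is not on PATH, a constructed stub (sample instance IDs and responses, labelled as such) answers instead so the script can be run offline.

```shell
#!/bin/sh
# Added example (not Conformity's or Alibaba Cloud's own code): audit, and
# optionally remediate, SQL auditing on every RDS instance across regions.
# Assumes a configured `aliyun` CLI; falls back to a constructed stub otherwise.
set -u

REGIONS="${REGIONS:-eu-west-1}"   # space-separated region IDs (constructed default)
FIX="${FIX:-0}"                   # FIX=1 also enables auditing where it is disabled

# Pull one top-level string field out of a JSON response without needing jq,
# e.g. json_field '{"SQLCollectorStatus":"Disabled"}' SQLCollectorStatus
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Exit 0 when a DescribeSQLCollectorPolicy response shows auditing is on.
# The page shows "Enable" as the enabled value; "Enabled" is accepted as well.
audit_enabled() {
    case "$(json_field "$1" SQLCollectorStatus)" in
        Enable|Enabled) return 0 ;;
        *)              return 1 ;;
    esac
}

# Constructed stand-in for the real CLI: two sample instances, one non-compliant.
fake_aliyun() {
    case "$2" in
        DescribeDBInstances)
            printf '{"Items":{"DBInstance":[{"DBInstanceId":"rm-abcd1234abcd1234"},{"DBInstanceId":"rm-1234abcd1234abcd"}]}}' ;;
        DescribeSQLCollectorPolicy)
            case "$*" in
                *rm-abcd1234abcd1234*) printf '{"SQLCollectorStatus":"Disabled"}' ;;
                *)                     printf '{"SQLCollectorStatus":"Enable"}' ;;
            esac ;;
        ModifySQLCollectorPolicy)
            printf '{"RequestId":"00000000-0000-0000-0000-000000000000"}' ;;
    esac
}

if command -v aliyun >/dev/null 2>&1; then CLI=aliyun; else CLI=fake_aliyun; fi

# Instance IDs in a region, one per line, parsed from the JSON response.
list_instances() {
    "$CLI" rds DescribeDBInstances --RegionId "$1" \
        | grep -o '"DBInstanceId":"[^"]*"' | cut -d'"' -f4
}

# Report every instance in a region; return 1 if any instance is non-compliant.
check_region() {
    region=$1; rc=0
    for id in $(list_instances "$region"); do
        resp=$("$CLI" rds DescribeSQLCollectorPolicy --region "$region" --DBInstanceId "$id")
        if audit_enabled "$resp"; then
            printf '%s %s SQL auditing enabled\n' "$region" "$id"
            continue
        fi
        printf '%s %s SQL auditing DISABLED (non-compliant)\n' "$region" "$id"
        rc=1
        if [ "$FIX" = 1 ]; then
            req=$("$CLI" rds ModifySQLCollectorPolicy --region "$region" \
                      --DBInstanceId "$id" --SQLCollectorStatus Enable)
            printf '  enabled SQL auditing, RequestId %s\n' "$(json_field "$req" RequestId)"
        fi
    done
    return $rc
}

# Sweep all regions; return 1 if any region contained a non-compliant instance.
main() {
    status=0
    for r in $REGIONS; do check_region "$r" || status=1; done
    return $status
}

if main; then echo "All instances have SQL auditing enabled"
else echo "Non-compliant instances found (rerun with FIX=1 to enable auditing)"; fi
```

Run it as `REGIONS="eu-west-1 ap-southeast-1" sh audit_sql_collector.sh` to report only, and add `FIX=1` to remediate. The report and the fix are deliberately separated so the script can run under a read-only RAM role for routine checks and only be given write permission on the ModifySQLCollectorPolicy action when remediation is intended.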

Publication date Feb 26, 2024