Enable SQL Auditing for MySQL Database Instances

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Select the cloud region where your RDS instances reside from the top navigation bar:

1. For the following cloud regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Hohhot), China (Chengdu), China (Guangzhou), China (Heyuan), China (Ulanqab), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta), SQL auditing is managed by the SQL Explorer and Audit feature. SQL Explorer and Audit is an upgrade to SQL Explorer and requires the DAS Enterprise Edition for Database Autonomy Service (DAS). These regions will be referred to as DAS supported regions.
2. For all regions other than the preceding regions, SQL auditing is managed by the SQL Explorer feature (formerly SQL Audit). These regions will be referred to as DAS unsupported regions.

05 Click on the filter icon in the Database Engine column, select MySQL, and choose OK to list only the MySQL database instances available in the selected region.

06 Click on the ID (link) of the database instance that you want to examine, listed in the Instance ID/Name column.

07 In the Basic Information section, check the Type and Edition attribute value to determine the RDS instance edition configured for the selected database instance.

08 Based on the RDS instance edition used by your database instance, perform one of the following actions:

1. If your instance edition is High-Availability, Cluster, or Enterprise, choose SQL Explorer and Audit under Autonomy Services, and check the SQL Explorer and Audit dashboard based on the instance region:
   1. For DAS supported regions: if the SQL Explorer and Audit dashboard is not available, instead a Getting Started page with an Enable button is displayed, SQL auditing with the SQL Explorer and Audit feature is not enabled for the selected MySQL database instance.
   2. For DAS unsupported regions: if the dashboard is not available, instead a Getting Started page with the following message is displayed: Try SQL Explorer Now, SQL auditing with SQL Explorer is not enabled for the selected MySQL database instance.
2. If your instance edition is Basic and Autonomy Services is not available in the navigation panel, access the Database Autonomy Service (DAS) console available at https://hdm.console.aliyun.com/, choose Instance Monitoring, select the MySQL tab, click on the name of the associated DAS instance, select SQL Explorer and Audit under Request Analysis, and check the SQL Explorer and Audit dashboard based on the instance region:
   1. For DAS supported regions: if the SQL Explorer and Audit dashboard is not available, instead a Getting Started page with an Enable button is displayed, SQL auditing with the SQL Explorer and Audit feature is not enabled for the selected MySQL database instance.
   2. For DAS unsupported regions: if the dashboard is not available, instead the following message is displayed: Instances of this region do not support the SQL Explorer and Audit feature, SQL auditing with SQL Explorer is not enabled for the selected MySQL database instance.

09 Repeat steps no. 6 - 8 for each MySQL database instance available in the selected region.

10 Change the cloud region from the top navigation bar and perform the Audit process for other regions.

01 Run DescribeDBInstances command (OSX/Linux/UNIX) with custom output filters to list the ID of each MySQL database instance available within the specified region:

aliyun rds DescribeDBInstances
  --RegionId 'eu-west-1'
  --Engine MySQL
  --output cols=Items.DBInstance[].DBInstanceId

02 The command output should return a list with the requested RDS instance identifiers:

Items.DBInstance[].DBInstanceId
-------------------------------
[rm-abcd1234abcd1234]
[rm-1234abcd1234abcd]

03 Run DescribeSQLCollectorPolicy command (OSX/Linux/UNIX) with the name of the MySQL database instance that you want to examine as the identifier parameter, to determine if SQL auditing is enabled for the selected RDS instance:

aliyun rds DescribeSQLCollectorPolicy
  --DBInstanceId 'rm-abcd1234abcd1234'
  --output cols=SQLCollectorStatus

04 The command output should return the requested feature status:

SQLCollectorStatus
------------------
Disabled

05 Repeat steps no. 3 and 4 for each MySQL database instance available within the selected region.

06 Change the cloud region using the --RegionId parameter and perform the Audit process for other regions.

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Select the cloud region where your RDS instances reside from the top navigation bar:

1. For the following cloud regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Hohhot), China (Chengdu), China (Guangzhou), China (Heyuan), China (Ulanqab), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta), SQL auditing is managed by the SQL Explorer and Audit feature. SQL Explorer and Audit is an upgrade to SQL Explorer and requires the DAS Enterprise Edition for Database Autonomy Service (DAS). These regions will be referred to as DAS supported regions.
2. For all regions other than the preceding regions, SQL auditing is managed by the SQL Explorer feature (formerly SQL Audit). These regions will be referred to as DAS unsupported regions.

05 Click on the filter icon in the Database Engine column, select MySQL, and choose OK to list only the MySQL database instances available in the selected region.

06 Click on the ID (link) of the database instance that you want to configure, listed in the Instance ID/Name column.

07 In the Basic Information section, check the Type and Edition attribute value to determine the RDS instance edition configured for the selected database instance.

08 Based on the RDS instance edition used by your database instance, perform one of the following actions:

1. If your RDS instance edition is High-Availability, Cluster, or Enterprise, choose SQL Explorer and Audit under Autonomy Services, and perform one of the following actions based on the instance region:
   1. For DAS supported regions: choose Enable from the SQL Explorer and Audit section to enable SQL auditing with the SQL Explorer and Audit feature for the selected MySQL database instance. On the SQL Explorer and Audit dashboard, choose Upgrade from the top banner to upgrade to DAS Enterprise Edition. On the DAS Professional Edition page, select Professional Edition, choose Buy Now, select I have read and agree to DAS Professional Edition Agreement of Service, and choose Pay to complete the upgrade process. You can also upgrade to DAS Enterprise Edition using the (Database Autonomy Service (DAS) console)(https://hdm.console.aliyun.com/).
   2. For DAS unsupported regions: choose Official Edition from the Try SQL Explorer Now section to enable SQL auditing with SQL Explorer for the selected MySQL database instance. In the Storage Duration configuration box, select the necessary SQL log storage duration, and choose OK to apply the changes. SQL audit logs are deleted after the selected duration. To get access to a 15-day trial version of the SQL Explorer, choose Trial Version instead of Official Edition. During the trial period, all features of the SQL Explorer service are available.
2. If your instance edition is Basic and Autonomy Services is not available in the navigation panel, access the Database Autonomy Service (DAS) console available at https://hdm.console.aliyun.com/, choose Instance Monitoring, select the MySQL tab, click on the name of the associated DAS instance, select SQL Explorer and Audit under Request Analysis, and perform one of the following actions based on the instance region:
   1. For DAS supported regions: choose Enable from the SQL Explorer and Audit section to enable SQL auditing with SQL Explorer and Audit for the selected MySQL database instance. Enabling the feature will automatically upgrade to DAS Enterprise Edition.
   2. For DAS unsupported regions: to enable SQL auditing for Basic instances provisioned within a DAS unsupported region, you must upgrade to a higher RDS instance edition such as High-Availability, Cluster, or Enterprise.

09 Repeat steps no. 6 - 8 for each each MySQL database instance provisioned in the selected region.

10 Change the cloud region from the top navigation bar and perform the Remediation process for other regions.

01 Run ModifySQLCollectorPolicy command (OSX/Linux/UNIX) to enable SQL auditing for the selected MySQL database instance. SQL auditing requires the DAS Enterprise Edition for Database Autonomy Service (DAS). To use the ModifySQLCollectorPolicy command, you must first upgrade to DAS Enterprise Edition:

aliyun rds ModifySQLCollectorPolicy
  --DBInstanceId 'rm-abcd1234abcd1234'
  --SQLCollectorStatus Enable

02 If successful, the output should return the command request ID:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

03 Repeat steps no. 1 and 2 for each MySQL database instance provisioned within the selected region.

04 Perform the Remediation process for other supported Alibaba Cloud regions.