Enable SQL Auditing for PostgreSQL Database Instances

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Select the cloud region where your RDS instances reside from the top navigation bar:

1. For the following cloud regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Zhangjiakou), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta), SQL auditing is managed by the SQL Explorer and Audit feature. SQL Explorer and Audit is an upgrade to SQL Explorer and requires the DAS Enterprise Edition for Database Autonomy Service (DAS). These regions will be referred to as DAS supported regions.
2. For all regions other than the preceding regions, SQL auditing is managed by the SQL Explorer feature (formerly SQL Audit). These regions will be referred to as DAS unsupported regions.

05 Click on the filter icon in the Database Engine column, select PostgreSQL, and choose OK to list only the PostgreSQL database instances available in the selected region.

06 Click on the ID (link) of the database instance that you want to examine, listed in the Instance ID/Name column.

07 In the Basic Information section, check the Type and Edition attribute value to determine the RDS instance edition configured for the selected database instance.

08 Based on the RDS instance edition used by your database instance, perform one of the following actions:

1. If your instance edition is High-Availability, Cluster, or Enterprise, perform one of the following checks based on the instance region:
   1. For DAS supported regions: choose SQL Explorer and Audit under Autonomy Services, and check for the SQL Explorer and Audit dashboard. If the dashboard is not available, instead a Getting Started page with an Enable button is displayed, SQL auditing with the SQL Explorer and Audit feature is not enabled for the selected PostgreSQL database instance.
   2. For DAS unsupported regions: choose Data Security, select the SQL Audit tab, and check for the SQL Explorer dashboard. If the dashboard is not available, instead the following message is displayed: SQL audit is disabled. You must enable the feature, SQL auditing with SQL Explorer is not enabled for the selected PostgreSQL database instance.
2. If your instance edition is Basic and SQL Explorer and Audit is not available under Autonomy Services, choose Data Security, select the SQL Audit tab, and check for the SQL Explorer dashboard based on the instance region:
   1. For DAS supported regions: if the dashboard is not available, instead the following message is displayed: SQL audit is disabled. You must enable the feature, SQL auditing with the SQL Explorer and Audit feature is not enabled for the selected PostgreSQL database instance.
   2. For DAS unsupported regions: if the dashboard is not available, instead the following message is displayed: SQL audit is disabled. You must enable the feature, SQL auditing with SQL Explorer is not enabled for the selected PostgreSQL database instance.

09 Repeat steps no. 6 - 8 for each PostgreSQL database instance available in the selected region.

10 Change the cloud region from the top navigation bar and perform the Audit process for other regions.

01 Run DescribeDBInstances command (OSX/Linux/UNIX) with custom output filters to list the ID of each PostgreSQL database instance available within the specified region:

aliyun rds DescribeDBInstances
  --RegionId 'eu-west-1'
  --Engine PostgreSQL
  --output cols=Items.DBInstance[].DBInstanceId

02 The command output should return a list with the requested RDS instance identifiers:

Items.DBInstance[].DBInstanceId
-------------------------------
[pgm-abcd1234abcd1234]
[pgm-1234abcd1234abcd]

03 Run DescribeSQLCollectorPolicy command (OSX/Linux/UNIX) with the name of the PostgreSQL database instance that you want to examine as the identifier parameter, to determine if SQL auditing is enabled for the selected RDS instance:

aliyun rds DescribeSQLCollectorPolicy
  --DBInstanceId 'pgm-abcd1234abcd1234'
  --output cols=SQLCollectorStatus

04 The command output should return the requested feature status:

SQLCollectorStatus
------------------
Disabled

05 Repeat steps no. 3 and 4 for each PostgreSQL database instance available within the selected region.

06 Change the cloud region using the --RegionId parameter and perform the Audit process for other regions.

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Select the cloud region where your RDS instances reside from the top navigation bar:

1. For the following cloud regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Zhangjiakou), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta), SQL auditing is managed by the SQL Explorer and Audit feature. SQL Explorer and Audit is an upgrade to SQL Explorer and requires the DAS Enterprise Edition for Database Autonomy Service (DAS). These regions will be referred to as DAS supported regions.
2. For all regions other than the preceding regions, SQL auditing is managed by the SQL Explorer feature (formerly SQL Audit). These regions will be referred to as DAS unsupported regions.

05 Click on the filter icon in the Database Engine column, select PostgreSQL, and choose OK to list only the PostgreSQL database instances available in the selected region.

06 Click on the ID (link) of the database instance that you want to configure, listed in the Instance ID/Name column.

07 In the Basic Information section, check the Type and Edition attribute value to determine the RDS instance edition configured for the selected database instance.

08 Based on the RDS instance edition used by your database instance, perform one of the following actions:

1. If your instance edition is High-Availability, Cluster, or Enterprise, perform one of the following actions based on the instance region:
   1. For DAS supported regions: select SQL Explorer and Audit under Autonomy Services and choose Enable from the SQL Explorer and Audit section to enable SQL auditing with SQL Explorer and Audit for the selected PostgreSQL database instance. On the DAS Professional Edition page, select Professional Edition, choose Buy Now, select I have read and agree to DAS Professional Edition Agreement of Service, and choose Pay to complete the upgrade process. You can also upgrade to DAS Enterprise Edition using the (Database Autonomy Service (DAS) console)(https://hdm.console.aliyun.com/).
   2. For DAS unsupported regions: choose Data Security, select the SQL Audit tab, and choose Enable SQL Auditing. Select OK to enable SQL auditing with SQL Explorer for the selected PostgreSQL database instance.
2. If your instance edition is Basic and SQL Explorer and Audit is not available under Autonomy Services, choose Data Security, select the SQL Audit tab, and perform one of the following actions based on the instance region:
   1. For DAS supported regions: choose Enable SQL Auditing and select OK to enable SQL auditing with SQL Explorer and Audit for the selected PostgreSQL database instance. SQL auditing requires the DAS Enterprise Edition for Database Autonomy Service (DAS). You can upgrade to DAS Enterprise Edition using the (Database Autonomy Service (DAS) console)(https://hdm.console.aliyun.com/).
   2. For DAS unsupported regions: choose Enable SQL Auditing and select OK to enable SQL auditing with SQL Explorer for the selected PostgreSQL database instance.

09 Repeat steps no. 6 - 8 for each each PostgreSQL database instance provisioned in the selected region.

10 Change the cloud region from the top navigation bar and perform the Remediation process for other regions.

01 Run ModifySQLCollectorPolicy command (OSX/Linux/UNIX) to enable SQL auditing for the selected PostgreSQL database instance. SQL auditing requires the DAS Enterprise Edition for Database Autonomy Service (DAS). To use the ModifySQLCollectorPolicy command, you must first upgrade to DAS Enterprise Edition:

aliyun rds ModifySQLCollectorPolicy
  --DBInstanceId 'pgm-abcd1234abcd1234'
  --SQLCollectorStatus Enable

02 If successful, the output should return the command request ID:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

03 Repeat steps no. 1 and 2 for each PostgreSQL database instance provisioned within the selected region.

04 Perform the Remediation process for other supported Alibaba Cloud regions.