Baidu AI Cloud


          Relational Database Service

          RDS Security Description

          Security risk scenarios

          1. When a large number of connections from abnormal IP addresses suddenly appear on an RDS instance and put the data at risk, how can those addresses be blocked while access from trusted IPs is preserved?
          2. When the database is subject to SQL injection attacks, how can the malicious SQL be intercepted effectively?
          3. How can the risk of data being intercepted or tampered with during transmission be avoided?

          Security features provided by RDS

          Whitelist feature

          The IP whitelist feature provided by Baidu AI Cloud RDS lets you control network access to an instance. The whitelist applies to every connection method of the RDS instance, including VPC and public network connections. It is recommended to configure the whitelist rules before you apply for a public network IP. You can add trusted client IP addresses or CIDR ranges to the whitelist; only connections from the added addresses can then reach the instance, which protects the RDS instance from the untrusted ones.
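The following script, added here as an illustration and not part of Baidu AI Cloud's documentation or tooling, shows what the whitelist check amounts to and how to use it for the first risk scenario above: take the source IPs observed in a connection log, decide which ones an "IP or CIDR range" whitelist would still admit, and flag whitelist entries that are so broad they defeat the control (for example 0.0.0.0/0). The whitelist entries, the observed IPs and the /16 threshold are constructed sample values.

```python
"""Audit observed client IPs against an IP/CIDR whitelist (added example)."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed whitelist: one trusted application host and one trusted office subnet.
WHITELIST = ["10.0.1.25", "192.168.10.0/24"]

# Constructed sample of source IPs taken from a connection log (duplicates included).
SEEN_IPS = ["10.0.1.25", "192.168.10.77", "192.168.11.5", "203.0.113.9", "10.0.1.25"]


def parse_whitelist(entries: Iterable[str]) -> list:
    """Normalise entries: a bare IP becomes a /32 (IPv4) or /128 (IPv6) network,
    a CIDR string is parsed as-is (strict=False tolerates host bits being set)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_allowed(ip: str, networks: list) -> bool:
    """True if the address falls inside any whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def audit(seen: Iterable[str], entries: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split observed IPs into (allowed, rejected); de-duplicated, order preserved."""
    networks = parse_whitelist(entries)
    allowed: List[str] = []
    rejected: List[str] = []
    for ip in dict.fromkeys(seen):  # dict keys de-duplicate while keeping order
        (allowed if is_allowed(ip, networks) else rejected).append(ip)
    return allowed, rejected


def overly_broad(entries: Iterable[str], min_prefix_len: int = 16) -> List[str]:
    """Return entries whose prefix is shorter than min_prefix_len, i.e. ranges so
    wide that they admit far more than a client fleet (0.0.0.0/0 admits everyone).
    The /16 cut-off is a constructed policy value, not an RDS rule."""
    return [e for e in entries
            if ipaddress.ip_network(e, strict=False).prefixlen < min_prefix_len]


if __name__ == "__main__":
    ok, bad = audit(SEEN_IPS, WHITELIST)
    print("allowed :", ok)
    print("rejected:", bad)
    print("too broad:", overly_broad(["0.0.0.0/0", "10.0.0.0/8", "192.168.10.0/24"]))
```

Run the audit before tightening the whitelist: the "rejected" list is what a new rule set would cut off, so any address that belongs to a real application host should be added to the whitelist first; the "too broad" check is worth running on the existing rules, because a single 0.0.0.0/0 entry makes every other entry irrelevant.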


          DB firewall feature

          After you create a MySQL instance and obtain a proxy instance, you can go to the proxy instance management page to enable the DB firewall. With the DB firewall enabled, there are two security levels to choose from: Alarm and Block.

          Alarm: The DB firewall writes SQL injection alarm logs but does not block the SQL. At this level, the DB firewall parses the SQL and records statements identified as injection attacks in the log; the SQL is nevertheless forwarded to the MySQL instance and executed. You can query the identified SQL injection on the SQL injection query page, review the flagged statements, and add any that you identify as false positives to the SQL whitelist.

          Block: The DB firewall writes SQL injection blocking logs, and SQL identified as injection is blocked and not sent to the MySQL instance. The intercepted SQL can likewise be queried on the SQL injection query page. Choose the security level according to your actual business scenario.
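To make the difference between the two levels concrete, here is a small model of the firewall's decision logic, added as an example and not the Baidu AI Cloud proxy's own code. It forwards or rejects a statement depending on the level, writes the alarm or block log line in either case, and honours a SQL whitelist so that a statement reviewed as a false positive is no longer flagged. The whitelist is keyed on a normalised statement shape (literals replaced by `?`) so that one entry covers the same query with different values. The detector is a deliberately tiny constructed heuristic standing in for the proxy's SQL parser, and every statement below is a constructed sample.

```python
"""Alarm vs. block handling of flagged SQL, with a false-positive whitelist (added example)."""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

ALARM, BLOCK = "alarm", "block"


def fingerprint(sql: str) -> str:
    """Replace quoted strings and integer literals with '?', collapse whitespace and
    lower-case, so the whitelist matches a statement's shape rather than its values."""
    s = re.sub(r"'(?:[^'\\]|\\.)*'", "?", sql)
    s = re.sub(r"\b\d+\b", "?", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def simple_detector(sql: str) -> bool:
    """Constructed stand-in for the proxy's parser: flags an always-true OR condition
    built from literals, or a comment marker that would cut off the rest of the
    statement. It will also flag legitimate comments, which is exactly the kind of
    false positive the SQL whitelist exists for."""
    return bool(re.search(r"\bor\s+\?\s*=\s*\?|--|/\*", fingerprint(sql)))


@dataclass
class Decision:
    action: str            # "forward" or "reject"
    log: Optional[str]     # alarm/block log line, None when nothing was flagged


@dataclass
class DbFirewall:
    mode: str = ALARM
    detector: Callable[[str], bool] = simple_detector
    sql_whitelist: set = field(default_factory=set)
    logs: List[str] = field(default_factory=list)

    def whitelist(self, sql: str) -> None:
        """Record a reviewed false positive by its fingerprint."""
        self.sql_whitelist.add(fingerprint(sql))

    def handle(self, sql: str) -> Decision:
        fp = fingerprint(sql)
        if fp in self.sql_whitelist or not self.detector(sql):
            return Decision("forward", None)
        if self.mode == BLOCK:
            line = f"BLOCK sql_injection fingerprint={fp!r}"
            self.logs.append(line)
            return Decision("reject", line)     # never reaches the MySQL instance
        line = f"ALARM sql_injection fingerprint={fp!r}"
        self.logs.append(line)
        return Decision("forward", line)        # alarm level: logged, still executed


# Constructed sample statements.
NORMAL = "SELECT id FROM users WHERE name = 'alice' AND status = 1"
INJECTED = "SELECT id FROM users WHERE name = '' OR 1=1 -- '"
REPORT = "SELECT count(*) FROM orders -- nightly report"

if __name__ == "__main__":
    for mode in (ALARM, BLOCK):
        fw = DbFirewall(mode=mode)
        for stmt in (NORMAL, INJECTED, REPORT):
            print(mode, fw.handle(stmt))
    fw = DbFirewall(mode=BLOCK)
    fw.whitelist(REPORT)            # reviewed: the comment is a legitimate one
    print("after whitelist:", fw.handle(REPORT))
```

The usual rollout follows the text: run at the Alarm level first, work through the alarm log on the query page, whitelist the statements that are legitimate, and only then switch to Block, so that the firewall's first rejected statement is a real one rather than a nightly report.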


          SSL encryption feature

          When an instance is accessed over the public network, the data in transit is at risk of interception and tampering. To improve link security, you can enable SSL encryption and install the SSL CA certificate in the application services that need it. SSL encrypts the network connection at the transport layer, which protects the confidentiality and integrity of the data in transit. Note, however, that SSL encryption lengthens the response time of the connection and increases the load on the Baidu AI Cloud RDS instance. Currently, the SSL encryption service is only available for the dual-compute high-availability version of Baidu AI Cloud RDS for MySQL 5.7.
