Relational Database Service (MySQL)

Network Security Management

2024-07-10 02:08:31

What security measures does RDS for MySQL have?

Network

• You can set a VPC for your RDS for MySQL instances to ensure that the instances are securely isolated from other services.

• Use security groups to ensure that access sources are trusted.

• Use SSL channels to ensure that data transfers are encrypted.

Management

You can use Identity and Access Management (IAM) to control the management permissions of the MySQL instances.

How can data transmission through an EIP be secured?

When a database is connected through an EIP, service data is transmitted over the public network, where it can be intercepted. To prevent data leakage, it is strongly recommended that you use the SSL channel of RDS for MySQL to encrypt the data transmitted on the public network, and that the client verifies the server certificate against the RDS root certificate, so that encryption alone is not defeated by a man-in-the-middle presenting its own certificate. You can also keep the traffic off the public Internet altogether by connecting over a private line with Cloud Dedicated Access (CDA) or an encrypted tunnel with Virtual Private Network (VPN).

How do I prevent untrusted sources from connecting to a database?

• After you bind an EIP to the database, anyone on the public network who learns the EIP DNS name and the database port can attempt to connect, and with a leaked or guessed account and password they can read, modify or destroy your data. Therefore, keep the EIP DNS name, database port, database accounts and passwords confidential, and restrict the source IP addresses in the security group of the RDS for MySQL instance so that only trusted sources can reach the database port.

• To prevent your database password from being brute-forced, set a strong password that complies with the password policy of the RDS for MySQL instance and change it periodically.

How do I configure a security group to enable access to RDS for MySQL instances?

When you connect to an RDS for MySQL instance over the private network (VPC), there are two scenarios for configuring the security group:

• If the ECS and MySQL instances are in the same security group, they can communicate with each other by default. No security group rule needs to be configured.

• If the ECS and MySQL instances are in different security groups, you need to configure security group rules for them, separately. For details, see Configuring Security Group Rules.

How do I import the root certificate to a Windows or Linux operating system?

Importing the Root Certificate to a Windows Operating System:

Obtain your SSL root certificate. You can obtain this file from the SSL issuing authority or your server provider.

Open the Certificates console: run certlm.msc for the local computer store (used by services and by every user on the machine) or certmgr.msc for the current user's store.

On the Certificate console, expand the Trusted Root Certification Authorities folder, right-click the folder, select All Tasks, and select Import.

In the Import Wizard, click Next.

Browse to the location of your SSL root certificate file and click Next.

Confirm the certificate details and check Place all certificates in the following store.

Select Trusted Root Certification Authorities as the storage location. Click Next.

Confirm the import settings and click Finish.

Importing the Root Certificate to a Linux (CentOS) Operating System:

Obtain your SSL root certificate. You can obtain this file from the SSL issuing authority or your server provider.

Copy your SSL root certificate to the /etc/pki/ca-trust/source/anchors/ directory, which is the directory that the CentOS trust tooling reads. You can copy the certificate file to this directory using the following command: sudo cp /path/to/your/certificate.crt /etc/pki/ca-trust/source/anchors/

Where /path/to/your/certificate.crt is the path and name of your certificate file. (The /usr/local/share/ca-certificates/ directory is read by update-ca-certificates on Debian and Ubuntu, not by update-ca-trust on CentOS; a certificate placed there is ignored by update-ca-trust.)

Run the following command to regenerate the system trust bundles from the anchors: sudo update-ca-trust extract

Check that the operating system now trusts the certificate by verifying it against the system store: openssl verify <certificate_file>

Where <certificate_file> is the path and filename of the certificate file you imported. If the command outputs OK, the certificate has been successfully imported into the CentOS operating system. If it reports a self-signed certificate error instead, the anchor was not picked up: check the directory and re-run update-ca-trust extract.

Note

If an earlier version of CentOS (such as CentOS 6) is being used, enable the certificate authority repository using the update-ca-trust enable command before updating the certificate list using the update-ca-trust extract command.

Importing the root certificate into the operating system trust store only serves clients that consult that store. The mysql command-line client does not: when connecting with --ssl-mode=VERIFY_CA or VERIFY_IDENTITY, pass the root certificate file explicitly with --ssl-ca, on Windows as well as on Linux.
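The CentOS steps above, as an added example script that is not part of the RDS documentation. It installs the certificate into whichever anchor directory the host's trust tooling actually reads (update-ca-trust on CentOS/RHEL, update-ca-certificates on Debian/Ubuntu), checks that the file really is a PEM certificate before trusting it, and verifies the result. openssl is assumed to be installed; the file names and the optional destination-directory argument are assumptions for illustration:

```shell
#!/usr/bin/env bash
# Added example (not part of the RDS documentation): install an RDS root
# certificate into the operating-system trust store on a CentOS/RHEL host
# (update-ca-trust) or a Debian/Ubuntu host (update-ca-certificates) and
# confirm that the system trusts it afterwards. File names and the optional
# directory override are illustrative assumptions; openssl must be installed.

# Anchor directory read by the distribution's trust tooling. update-ca-trust
# ignores /usr/local/share/ca-certificates and update-ca-certificates ignores
# /etc/pki/ca-trust/source/anchors, so picking the right one matters.
trust_anchor_dir() {
    if command -v update-ca-trust >/dev/null 2>&1; then
        echo /etc/pki/ca-trust/source/anchors
    elif command -v update-ca-certificates >/dev/null 2>&1; then
        echo /usr/local/share/ca-certificates
    else
        echo "no trust-store tooling found on this host" >&2
        return 1
    fi
}

# Refuse anything that is not a PEM certificate: copying an arbitrary file into
# the anchor directory would silently add no trust at all.
is_pem_cert() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Copy the certificate into the anchor directory as <name>.crt (the Debian tool
# only picks up *.crt) with 0644 permissions, and print the installed path.
# $2 overrides the destination directory so the step can be exercised in a
# scratch directory without root; production callers omit it.
install_root_ca() {
    local cert=$1 dir=${2:-} name
    if ! is_pem_cert "$cert"; then
        echo "$cert is not a PEM certificate" >&2
        return 1
    fi
    [ -n "$dir" ] || dir=$(trust_anchor_dir) || return 1
    name=$(basename "$cert")
    name=${name%.*}.crt
    install -m 0644 "$cert" "$dir/$name" && echo "$dir/$name"
}

# Regenerate the consolidated bundles. On CentOS 6 run "update-ca-trust enable"
# once before the first extract.
refresh_trust() {
    if command -v update-ca-trust >/dev/null 2>&1; then
        update-ca-trust extract
    else
        update-ca-certificates
    fi
}

# Verify a certificate against a bundle ($2) or, when $2 is omitted, against the
# system default store, which is what "openssl verify <cert>" does on the page.
verify_trusted() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# Usage: sudo sh import-ca.sh install /path/to/rds-ca.pem
if [ "${1:-}" = "install" ] && [ -n "${2:-}" ]; then
    dest=$(install_root_ca "$2") && refresh_trust && verify_trusted "$dest" \
        && echo "$dest is trusted by the system store"
fi
```

Run it as root on the database client host. The final verify_trusted call is the same check the page describes: it succeeds only once the extract step has merged the anchor into the bundle that openssl reads by default.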

How do I identify the validity period of an SSL root certificate?

When you are connected to MySQL over an SSL connection, execute the following command to check the validity period of the certificate the server presented:

show status like '%ssl_server%';

The validity period is the range between the Ssl_server_not_before and Ssl_server_not_after values. These status variables describe the server certificate, which is issued under the root certificate; to check the root certificate file you downloaded, run openssl x509 -in <certificate_file> -noout -dates on the client and compare the notAfter date with the current date. Obtain a new root certificate from your provider before either certificate expires; otherwise connections made with --ssl-mode=VERIFY_CA or VERIFY_IDENTITY will fail.
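The two points above (encrypting the public-network connection over an EIP with server-certificate verification, and checking certificate validity) can be combined into one client-side script. The following is an added example, not code from the RDS for MySQL documentation; it assumes a MySQL 8.0 command-line client and openssl on the client host, and the host name, user, port and CA-file path are placeholders supplied through the environment variables RDS_HOST, RDS_USER, RDS_PORT and RDS_CA:

```shell
#!/usr/bin/env bash
# Added example (not from the RDS documentation): connect to an RDS for MySQL
# instance over its EIP with server-certificate verification, and check how
# long the downloaded root certificate remains valid. Assumes the mysql 8.0
# client and GNU date/openssl; RDS_HOST, RDS_USER, RDS_PORT and RDS_CA are
# placeholder environment variables for illustration.

# Print the notBefore/notAfter lines of the PEM file you downloaded, e.g.
# "notAfter=Jul 10 02:08:31 2030 GMT".
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}

# Whole days until the certificate in $1 expires (negative once expired).
cert_days_left() {
    local not_after exp now
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    exp=$(date -u -d "$not_after" +%s)
    now=$(date -u +%s)
    echo $(( (exp - now) / 86400 ))
}

# Return 0 if the certificate is valid for at least $2 more days (default 30),
# 1 otherwise, with a warning on stderr so a cron job can alert on it.
cert_check() {
    local days
    days=$(cert_days_left "$1")
    if [ "$days" -lt "${2:-30}" ]; then
        echo "WARNING: $1 expires in $days day(s); obtain a new root certificate" >&2
        return 1
    fi
    return 0
}

# Connect over the public EIP with full verification. VERIFY_IDENTITY requires
# the server certificate to chain to --ssl-ca AND to match the host name, so a
# man-in-the-middle presenting its own certificate is rejected.
# --ssl-mode=REQUIRED would encrypt but accept any certificate.
mysql_tls() {
    mysql --host="$RDS_HOST" --port="${RDS_PORT:-3306}" --user="$RDS_USER" \
          --ssl-mode=VERIFY_IDENTITY --ssl-ca="$RDS_CA" "$@"
}

# Ask the server for the negotiated cipher and the validity window of its own
# certificate (Ssl_server_not_before/Ssl_server_not_after describe the server
# certificate, not the root CA file checked by cert_check).
show_ssl_status() {
    mysql_tls -e "SHOW STATUS WHERE Variable_name IN ('Ssl_cipher','Ssl_server_not_before','Ssl_server_not_after');"
}

# Usage: RDS_HOST=... RDS_USER=... RDS_CA=ca.pem sh rds-tls.sh run
if [ "${1:-}" = "run" ]; then
    : "${RDS_HOST:?set RDS_HOST to the EIP DNS name}" "${RDS_USER:?}" "${RDS_CA:?path to the root certificate}"
    cert_check "$RDS_CA" 30
    show_ssl_status
fi
```

cert_check is suited to a daily cron job that alerts before the downloaded root certificate expires, while show_ssl_status reports, from the server itself, the cipher in use and the server certificate's window. The option that matters is --ssl-mode=VERIFY_IDENTITY: --ssl-mode=REQUIRED also encrypts the channel but accepts any certificate, so it does not protect against a man-in-the-middle that terminates TLS with its own certificate.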

What are the possible causes of data corruption in the database?

• Data tampering. The following safeguards reduce this risk:

  • Only authenticated users can operate on database table data, and database tables can only be accessed through the specified database port.

  • The primary/standby databases verify the transmitted packets during synchronization, which prevents tampering with the replication stream. RDS for MySQL uses the InnoDB engine, whose page checksums detect corrupted pages and whose redo log restores consistency after a crash.

• Sudden power-off of the instance server, which can corrupt database pages and prevent the database from restarting.

When the primary instance fails, the system switches over to the standby instance within 1 to 5 minutes and continues to provide service. The RDS for MySQL instance is not accessible during the switchover, so configure automatic reconnection between your applications and the database, with retries whose total duration covers the switchover window, to avoid a service outage caused by the switchover.
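A reconnect wrapper sized to the switchover window described above, as an added example that is not part of the RDS documentation. It assumes the mysql command-line client with the same TLS options as any connection over the EIP; host, user and CA path are placeholders read from environment variables:

```shell
#!/usr/bin/env bash
# Added example (not part of the RDS documentation): retry a MySQL probe with
# exponential backoff so that a batch job or health check survives the
# 1-5 minute primary/standby switchover instead of failing on the first
# refused connection. RDS_HOST, RDS_USER, RDS_PORT and RDS_CA are placeholder
# environment variables; the mysql client is assumed to be installed.

# One probe of the database. --connect-timeout keeps each attempt short so the
# retry budget, not a hung TCP connect, decides how long we wait.
mysql_ping() {
    mysql --host="$RDS_HOST" --port="${RDS_PORT:-3306}" --user="$RDS_USER" \
          --ssl-mode=VERIFY_IDENTITY --ssl-ca="$RDS_CA" \
          --connect-timeout=5 -e 'SELECT 1' >/dev/null
}

# retry_until_up <budget_seconds> <initial_delay_seconds> <command...>
# Re-runs the command with exponential backoff (capped at 30 s) until it
# succeeds or the accumulated sleep time reaches the budget. Returns 0 on
# success, 1 once the budget is exhausted. A budget of 300 s covers the
# documented switchover window; a budget of 60 s may give up while the standby
# is still being promoted.
retry_until_up() {
    local budget=$1 delay=$2
    shift 2
    local waited=0 attempt=1
    while true; do
        if "$@"; then
            echo "attempt $attempt succeeded after ${waited}s" >&2
            return 0
        fi
        if [ "$waited" -ge "$budget" ]; then
            echo "giving up after $attempt attempts (${waited}s)" >&2
            return 1
        fi
        sleep "$delay"
        waited=$((waited + delay))
        attempt=$((attempt + 1))
        delay=$((delay * 2))
        if [ "$delay" -gt 30 ]; then delay=30; fi
    done
}

# Usage: RDS_HOST=... RDS_USER=... RDS_CA=ca.pem sh reconnect.sh run
if [ "${1:-}" = "run" ]; then
    : "${RDS_HOST:?}" "${RDS_USER:?}" "${RDS_CA:?}"
    # Wait through a possible switchover before doing real work; run each of
    # the job's own statements through retry_until_up in the same way.
    retry_until_up 300 2 mysql_ping || exit 1
fi
```

The budget, not the number of attempts, is what matters: a wrapper that gives up after three quick retries still fails during a switchover that takes four minutes. Application-side connection pools need the equivalent configuration: validate a pooled connection before use and retry transient connection errors with backoff.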

