Migliora la sicurezza dell'istanza abilitando il controllo dei database
Mantieni tutto organizzato con le raccolte
Salva e classifica i contenuti in base alle tue preferenze.
Questa pagina descrive come attivare l'audit del database in AlloyDB, come funziona il consigliere per l'audit del database e come puoi utilizzarlo.
Il suggeritore per il controllo del database AlloyDB ti aiuta a rilevare le istanze di produzione per le quali il controllo non è abilitato. Fornisce quindi consigli per abilitare il controllo dei database.
Prima di iniziare
Prima di poter visualizzare consigli e approfondimenti, procedi nel seguente modo:
Per ottenere le autorizzazioni per visualizzare e utilizzare approfondimenti e consigli,
assicurati di disporre dei ruoli Identity and Access Management (IAM) necessari.
Nella scheda Sicurezza, fai clic su Controllo non abilitato.
Viene visualizzato un elenco di cluster con istanze a cui si applica il suggerimento Audit non abilitato.
Interfaccia a riga di comando gcloud
Per elencare i suggerimenti per l'attivazione dell'audit del database utilizzando gcloud CLI, esegui il comando gcloud recommender recommendations list come segue:
GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.alloydb.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=ENABLE_DATABASE_AUDITING
Sostituisci quanto segue:
PROJECT_ID: il tuo ID progetto.
LOCATION: una regione in cui si trovano le istanze, ad esempio us-central1.
Visualizzare approfondimenti e consigli dettagliati
Puoi visualizzare approfondimenti e consigli dettagliati sulle istanze
che richiedono l'attivazione dell'audit del database utilizzando la console Google Cloud ,
gcloud CLI o l'API Recommender.
Console
Nella pagina Cluster, fai clic sul suggerimento per un'istanza nella colonna Problemi.
Viene visualizzato il riquadro dei suggerimenti, che contiene approfondimenti e suggerimenti dettagliati.
GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.alloydb.instance.SecurityInsight/insights?filter=insightSubtype=DATABASE_AUDITING_NOT_ENABLED
Sostituisci quanto segue:
PROJECT_ID: il tuo ID progetto.
LOCATION: una regione in cui si trovano le istanze, ad esempio us-central1.
Applica il consiglio.
Valuta attentamente il consiglio e procedi in uno dei seguenti modi:
Console
Per implementare il consiglio, segui le istruzioni riportate in Attivare pgAudit.
Interfaccia a riga di comando gcloud
Per implementare il consiglio, segui le istruzioni riportate in Attivare pgAudit.
[[["Facile da capire","easyToUnderstand","thumb-up"],["Il problema è stato risolto","solvedMyProblem","thumb-up"],["Altra","otherUp","thumb-up"]],[["Difficile da capire","hardToUnderstand","thumb-down"],["Informazioni o codice di esempio errati","incorrectInformationOrSampleCode","thumb-down"],["Mancano le informazioni o gli esempi di cui ho bisogno","missingTheInformationSamplesINeed","thumb-down"],["Problema di traduzione","translationIssue","thumb-down"],["Altra","otherDown","thumb-down"]],["Ultimo aggiornamento 2025-09-05 UTC."],[[["\u003cp\u003eThis page provides information on how to use the AlloyDB database auditing recommender to identify and address instances where auditing is not enabled, enhancing security.\u003c/p\u003e\n"],["\u003cp\u003eThe database auditing recommender analyzes production instances daily to detect if auditing is disabled and offers suggestions to enable it.\u003c/p\u003e\n"],["\u003cp\u003eRecommendations can be viewed and managed through the Google Cloud console, \u003ccode\u003egcloud CLI\u003c/code\u003e, or the Recommender API by ensuring the Recommender API is enabled and appropriate IAM roles are in place.\u003c/p\u003e\n"],["\u003cp\u003eTo apply the recommendations, users must follow the steps in the \u003ca href=\"/alloydb/docs/pgaudit/enable-audit\"\u003eEnable pgAudit\u003c/a\u003e guide, which might impact pricing due to increased logging and will restart the instance.\u003c/p\u003e\n"],["\u003cp\u003eThe service may contain "Pre-GA" features that are available "as is" and may have limited support, and that the service is also subject to personal data processing terms.\u003c/p\u003e\n"]]],[],null,["# Improve instance security by enabling database auditing\n\nThis page describes how to enable database auditing in AlloyDB, how the database auditing [recommender](/recommender/docs/overview) works, and how you can use it.\n\nThe AlloyDB database auditing recommender helps you detect production instances whose auditing is not enabled. It then provides recommendations to enable database auditing.\n| **Note:** Recommendations are generated daily.\n\nBefore you begin\n----------------\n\nBefore you can view recommendations and insights, do the following:\n\n- Ensure that you [enable the Recommender API](/recommender/docs/enabling).\n\n- To get the permissions to view and work with insights and recommendations,\n ensure that you have the required [Identity and Access Management (IAM) roles](/iam/docs/understanding-roles#cloud-alloydb-roles).\n\n \u003cbr /\u003e\n\n See [Grant access to other users](/alloydb/docs/user-grant-access) for more information.\n\nList the recommendations\n------------------------\n\nYou can list the enable database auditing recommendations\nusing the Google Cloud console, `gcloud CLI`, or the Recommender API. \n\n### Console\n\n1. In the Google Cloud console, go to the **Clusters** page.\n\n [Go to Clusters](https://console.cloud.google.com/alloydb/clusters)\n\n For more information, see\n [Find recommendations with Recommendation Hub](/recommender/docs/recommendation-hub/identify-configuration-problems).\n2. In the **Security** card, click **Auditing not enabled**.\n\n A list of clusters with instances to which the **Auditing not enabled** recommendation applies is displayed.\n\n### gcloud CLI\n\nTo list the enable database auditing recommendations using gcloud CLI, run the [`gcloud recommender recommendations list`](/sdk/gcloud/reference/recommender/recommendations/list) command as follows: \n\n```\ngcloud recommender recommendations list \\\n--project=PROJECT_ID \\\n--location=LOCATION \\\n--recommender=google.alloydb.instance.SecurityRecommender \\\n--filter=recommenderSubtype=ENABLE_DATABASE_AUDITING\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: A region where your instances are located, such as `us-central1`.\n\n### API\n\nTo list enable database auditing recommendations using the [Recommendations API](/recommender/docs/using-api), call the\n[`recommendations.list`](/recommender/docs/reference/rest/v1/projects.locations.recommenders.recommendations/list)\nmethod as follows: \n\n```\nGET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.alloydb.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=ENABLE_DATABASE_AUDITING\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: A region where your instances are located, such as `us-central1`.\n\nView insights and detailed recommendations\n------------------------------------------\n\nYou can view insights and detailed recommendations about instances\nthat require enabling database auditing using the Google Cloud console,\n`gcloud CLI`, or the Recommender API. \n\n### Console\n\nOn the **Clusters** page, click the recommendation for an instance in the **Issues** column.\nThe recommendation panel appears, which contains insights and detailed recommendations.\n\n### gcloud CLI\n\nRun the [`gcloud recommender insights list`](/sdk/gcloud/reference/recommender/insights/list) command as follows: \n\n```\n\ngcloud recommender insights list \\\n--project=PROJECT_ID \\\n--location=LOCATION \\\n--insight-type=google.alloydb.instance.SecurityInsight \\\n--filter=insightSubtype=DATABASE_AUDITING_NOT_ENABLED\n\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e : A region where your instances are located, such as `us-central1`.\n\n### API\n\nCall the [`insights.list`](/recommender/docs/reference/rest/v1/projects.locations.insightTypes.insights/list) method as follows: \n\n```\nGET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.alloydb.instance.SecurityInsight/insights?filter=insightSubtype=DATABASE_AUDITING_NOT_ENABLED\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: A region where your instances are located, such as `us-central1`.\n\nApply the recommendation\n------------------------\n\nEvaluate the recommendation carefully and do any of the following: \n\n### Console\n\nTo implement the recommendation, follow instructions in [Enable pgAudit](/alloydb/docs/pgaudit/enable-audit).\n\n### gcloud CLI\n\nTo implement the recommendation, follow instructions in [Enable pgAudit](/alloydb/docs/pgaudit/enable-audit).\n| **Note:** AlloyDB automatically restarts the instance after you update this flag.\n| **Note:** You must carefully evaluate before you update the instance. Applying recommendations might impact your pricing due to more logging.\n\nWhat's next\n-----------\n\n- [Google Cloud recommenders](/recommender/docs/recommenders)"]]