Ensure that 'TDE' is set to 'Enabled' for applicable database instances

Via the management console

1. Open the ApsaraDB RDS instance using the Open in Alibaba menu option
2. Select the TDE tab
3. On the TDE tab, find TDE Status and click the switch next to Disabled
4. In the displayed dialog box, choose an automatically generated key or custom key, and click Confirm

Encrypt a table

For RDS for MySQL, connect to the instance and run the following command to encrypt tables.

alter table <tableName> engine=innodb, block_format=encrypted

For RDS for SQL Server, click Configure TDE, select the databases to encrypt, add them to the right, and click OK.

Decrypt data

To decrypt a MySQL table encrypted by TDE, run the following command:

alter table <tableName> engine=innodb, block_format=default

To decrypt an SQL Server table encrypted by TDE, click Configure TDE and move the database to the left.

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Alibaba Cloud

Use Resource Directory guardrails, account baselines, and IaC modules so the secure setting is applied consistently across environments.

Operational rollout

1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
3. Re-scan and track approved exceptions with an owner and expiry date.