APIG Security Best Practices
Security is a shared responsibility between Huawei Cloud and you. Huawei Cloud is responsible for the security of the cloud services themselves. As a tenant, you are responsible for using the security capabilities those services provide to protect your data. For details, see Shared Responsibility.
This document provides security best practices for APIG. By following it, you can continuously assess the security status of your gateways, combine the security features APIG offers, and keep the data stored in APIG from being leaked or tampered with while also protecting data in transit.
Configure security in the following dimensions according to your service needs.
Identity Authentication and Access Control
- APIG provides API authentication, including app authentication, IAM authentication, and custom authorizers.
- With IAM authentication, if you call APIs using a token, the token's validity period is set by IAM rather than by APIG. For details, see Obtaining a User Token Through Password Authentication.
- With app authentication or IAM authentication using an AK/SK, each request signature is valid for 15 minutes. A request whose signature is older than that fails authentication, which bounds the window in which a captured request can be replayed.
- APIG provides API-level access control policies: a blacklist or whitelist of IP addresses or accounts (by account name or account ID) that denies or allows access to specific APIs. Prefer a whitelist where the set of legitimate callers is known.
- APIG also supports gateway-level access control policies: blacklists and whitelists that allow or deny access to the gateway itself from specific IP addresses.
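The following is an added example, not code from the page or from Huawei's APIG SDKs, showing what the 15-minute signature validity means in practice. It is a self-contained Python reimplementation modeled on the SDK-HMAC-SHA256 style of signing (an X-Sdk-Date header plus an Authorization header carrying the access key, the signed header names and an HMAC-SHA256 signature); the canonical-request layout, header names, credentials and request data below are assumptions for illustration and are not wire-compatible with the official signer. The gateway-side `verify` function rejects a request whose X-Sdk-Date is outside the window, refuses a signature that does not cover the date header (otherwise a replayer could simply refresh it), and compares signatures in constant time.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# The 15-minute window is the one stated for APIG. Algorithm name, header
# layout and canonical request format are assumptions modeled on the SDK
# style; this is an illustrative reimplementation, not the official signer.
ALGORITHM = "SDK-HMAC-SHA256"
DATE_HEADER = "x-sdk-date"
DATE_FMT = "%Y%m%dT%H%M%SZ"
SIGNATURE_VALIDITY = timedelta(minutes=15)


def _lower(headers):
    return {k.lower(): v.strip() for k, v in headers.items()}


def _canonical_request(method, path, query, headers, signed_headers, body):
    """Deterministic serialisation of the request that both sides can rebuild."""
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(query.items()))
    canon_headers = "".join(f"{h}:{headers[h]}\n" for h in signed_headers)
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, canon_query, canon_headers,
                      ";".join(signed_headers), body_hash])


def _signature(sk, date, canonical):
    string_to_sign = "\n".join(
        [ALGORITHM, date, hashlib.sha256(canonical.encode()).hexdigest()])
    return hmac.new(sk.encode(), string_to_sign.encode(), hashlib.sha256).hexdigest()


def sign(ak, sk, method, path, query, headers, body, now):
    """Client side: stamp X-Sdk-Date, sign every header present, return the headers."""
    headers = _lower(headers)
    headers[DATE_HEADER] = now.strftime(DATE_FMT)
    signed = sorted(headers)                         # all headers, including the date
    canonical = _canonical_request(method, path, query, headers, signed, body)
    sig = _signature(sk, headers[DATE_HEADER], canonical)
    headers["authorization"] = (
        f"{ALGORITHM} Access={ak}, SignedHeaders={';'.join(signed)}, Signature={sig}")
    return headers


def verify(credentials, method, path, query, headers, body, now):
    """Gateway side: returns (accepted, reason). `credentials` maps AK -> SK."""
    headers = _lower(headers)
    auth = headers.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False, "missing or unsupported Authorization header"
    try:
        fields = dict(p.strip().split("=", 1)
                      for p in auth[len(ALGORITHM) + 1:].split(","))
        signed = fields["SignedHeaders"].split(";")
        sk = credentials[fields["Access"]]
        sent = datetime.strptime(headers[DATE_HEADER], DATE_FMT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, "malformed Authorization, unknown access key, or bad X-Sdk-Date"
    # The date header must itself be signed; otherwise a replayer could refresh it.
    if DATE_HEADER not in signed or any(h not in headers for h in signed):
        return False, "signed header set is incomplete"
    # Freshness: anything outside +/-15 minutes is refused (replay and clock drift).
    if abs(now - sent) > SIGNATURE_VALIDITY:
        return False, "signature expired: X-Sdk-Date outside the 15-minute window"
    canonical = _canonical_request(method, path, query, headers, signed, body)
    expected = _signature(sk, headers[DATE_HEADER], canonical)
    if not hmac.compare_digest(expected, fields.get("Signature", "")):
        return False, "signature mismatch: request altered or wrong SK"
    return True, "ok"


def demo():
    """Constructed request: verified fresh, replayed after 16 minutes, and tampered."""
    creds = {"AK_EXAMPLE": "sk-example-secret"}      # constructed credentials
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    path, query, body = "/v1/orders", {"page": "1"}, b'{"sku":"A1"}'
    headers = sign("AK_EXAMPLE", creds["AK_EXAMPLE"], "POST", path, query,
                   {"Host": "api.example.com", "Content-Type": "application/json"},
                   body, t0)
    fresh = verify(creds, "POST", path, query, headers, body, t0 + timedelta(minutes=5))
    replayed = verify(creds, "POST", path, query, headers, body, t0 + timedelta(minutes=16))
    tampered = verify(creds, "POST", path, query, headers, b'{"sku":"B2"}',
                      t0 + timedelta(minutes=5))
    return fresh, replayed, tampered


if __name__ == "__main__":
    for label, result in zip(("fresh", "replayed", "tampered"), demo()):
        print(f"{label:9s} -> {result}")
```

The window is checked before the HMAC is recomputed, so stale requests are dropped cheaply; the body hash inside the canonical request is what makes the tampered call fail even though its date is still fresh.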
DDoS Protection
- Request throttling
  - APIG provides request throttling and request throttling 2.0 policies for managing API traffic.
  - APIG also throttles requests at the gateway level. Configure the ratelimit_api_limits parameter to set the default request throttling policy for APIs.
  - APIG limits request size at the gateway level. Set the request_body_size parameter to specify the maximum body size of a request.
- APIG can interconnect with WAF to defend against attacks. For details, see Using WAF to Protect APIG.
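As an added example (not code from the page or from APIG), the following Python sketch shows the admission logic that the throttling and body-size items above describe: a sliding-window counter per API and per caller address, plus a body-size cap, evaluated before anything is forwarded to the backend. The parameter names in `GatewayLimits`, the limit values, the API name and the client addresses are constructed for illustration and do not reproduce APIG's internal algorithm.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class GatewayLimits:
    """Constructed stand-ins for the page's parameters; the values below are examples."""
    api_limit: int            # requests per window per API (cf. ratelimit_api_limits)
    source_limit: int         # requests per window per caller address (throttling policy)
    window_seconds: float
    request_body_size: int    # maximum request body in bytes (cf. request_body_size)


class Admission:
    """Sliding-window throttle plus body-size guard, run before the backend is called."""

    def __init__(self, limits, clock=time.monotonic):
        self.limits = limits
        self.clock = clock                        # injectable for deterministic tests
        self._hits = defaultdict(deque)           # key -> timestamps inside the window

    def _over_limit(self, key, limit, now):
        q = self._hits[key]
        while q and q[0] <= now - self.limits.window_seconds:
            q.popleft()                           # drop hits that fell out of the window
        return len(q) >= limit

    def check(self, api_id, source_ip, body):
        """Return (status, reason); only 200 should be forwarded to the backend."""
        if len(body) > self.limits.request_body_size:
            return 413, "request body exceeds request_body_size"
        now = self.clock()
        if self._over_limit(("api", api_id), self.limits.api_limit, now):
            return 429, "API request throttling limit reached"
        if self._over_limit(("src", source_ip), self.limits.source_limit, now):
            return 429, "per-source request throttling limit reached"
        # The limits protect backend capacity, so only forwarded requests are counted.
        self._hits[("api", api_id)].append(now)
        self._hits[("src", source_ip)].append(now)
        return 200, "forwarded"


def demo():
    """Constructed traffic: a burst against one API, a call after the window, an oversized body,
    and a second gateway where a per-source limit stops one noisy client without starving another."""
    clock = [0.0]
    gw = Admission(GatewayLimits(api_limit=3, source_limit=10, window_seconds=60,
                                 request_body_size=1024), clock=lambda: clock[0])
    burst = [gw.check("order-api", "198.51.100.7", b"{}")[0] for _ in range(5)]
    clock[0] = 61.0                                # window has rolled over
    after_window = gw.check("order-api", "198.51.100.7", b"{}")[0]
    oversized = gw.check("order-api", "198.51.100.7", b"x" * 2048)[0]

    gw2 = Admission(GatewayLimits(api_limit=10, source_limit=2, window_seconds=60,
                                  request_body_size=1024), clock=lambda: clock[0])
    noisy = [gw2.check("order-api", "203.0.113.9", b"{}")[0] for _ in range(3)]
    other_client = gw2.check("order-api", "198.51.100.7", b"{}")[0]
    return {"burst": burst, "after_window": after_window, "oversized": oversized,
            "noisy": noisy, "other_client": other_client}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13s}: {value}")
```

The body-size check runs first because it is the cheapest rejection and needs no state; the per-source limit is what keeps a single abusive caller from consuming the whole API-level quota that other clients share.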
Data Transmission Security
- APIG allows you to create HTTP or HTTPS APIs. HTTPS is used by default; keep it unless a backend genuinely cannot terminate TLS.
- APIG supports TLS 1.1 and TLS 1.2. Set the minimum version to TLS 1.2 unless a legacy client still requires TLS 1.1, which is deprecated by RFC 8996. For details, see the parameter Minimum TLS Version in Configuring the Domain Name for Calling APIs.
- APIG enables secure cipher suites by default. You can set the ssl_ciphers parameter to restrict the cipher suites the gateway accepts.
- APIG supports two-way (mutual) TLS authentication both between clients and APIG (for details, see Configuring One-Way or Two-Way Authentication Between the Dedicated Gateway and Client) and between APIG and backend services (for details, see the parameter Two-Way Authentication in Creating an API).
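The following is an added example, not from the page or from APIG, showing how the three transport settings above (minimum TLS version, cipher suite restriction, two-way authentication) are expressed concretely with Python's standard `ssl` module, and how to audit a context against them. It builds a server-side context of the kind a gateway would use toward clients and a client-side context of the kind it would use toward a backend. The cipher list is an assumed forward-secret AEAD selection, not the gateway's default `ssl_ciphers` value, and the certificate file parameters are placeholders that are only loaded when given.

```python
import ssl

# TLS 1.2 suites offered (TLS 1.3 suites are always enabled by OpenSSL): ECDHE key
# exchange with AEAD ciphers only. This is an assumed selection for the example.
STRONG_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
])
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC3", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def hardened_server_context(cert_file=None, key_file=None, client_ca_file=None):
    """Gateway toward clients: TLS 1.2 minimum, strong ciphers, client certificate required."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # TLS 1.1 and older are refused
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.verify_mode = ssl.CERT_REQUIRED                 # two-way (mutual) authentication
    if cert_file:                                       # placeholder: server cert and key
        ctx.load_cert_chain(cert_file, key_file)
    if client_ca_file:                                  # placeholder: CA of client certs
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def one_way_server_context():
    """Same settings, but clients are not asked for a certificate (one-way authentication)."""
    ctx = hardened_server_context()
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(backend_ca_file=None, cert_file=None, key_file=None):
    """Gateway toward a backend: verify the backend and present the gateway's own certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=backend_ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    if cert_file:                                       # placeholder: client cert for mTLS
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def audit_context(ctx):
    """Return findings against the page's guidance; an empty list means the context complies."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum TLS version is {ctx.minimum_version.name}; require TLS 1.2")
    for c in ctx.get_ciphers():
        if c["protocol"] not in ("TLSv1.2", "TLSv1.3") or any(m in c["name"] for m in WEAK_MARKERS):
            findings.append(f"weak or legacy cipher enabled: {c['name']}")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required; two-way authentication is off")
    return findings


if __name__ == "__main__":
    print("server (mTLS):", audit_context(hardened_server_context()) or "ok")
    print("server (one-way):", audit_context(one_way_server_context()) or "ok")
    print("client to backend:", audit_context(hardened_client_context()) or "ok")
```

`audit_context` is the check worth keeping: run it against whatever context your own tooling builds, since `set_ciphers` silently keeps any suite the string still matches and `verify_mode` is easy to leave at its default.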
Audit and Logs
- By default, APIG records the operations performed on it in CTS. You can view the latest operation logs of your tenant on the CTS console. For details, see Audit and Logs.
- APIG can be integrated with LTS. Enable log analysis on the APIG console so that API call logs are collected and can be queried and analyzed quickly. For details, see Viewing API Call Logs.