Suggestions on AOM Security Configuration
Security is a shared responsibility between Huawei Cloud and you. Huawei Cloud ensures the security of cloud services. As a tenant, you should take advantage of the security capabilities provided by Huawei Cloud to protect your data and use the cloud securely. For details, see Shared Responsibilities.
This section provides guidance for enhancing the overall security of AOM. You can continuously evaluate the security of AOM and combine different security capabilities to enhance overall defense. By doing this, data stored in AOM can be protected from leakage and tampering both at rest and in transit.
Consider the following aspects for your security configurations:
- Managing Your Identity Authentication Information to Prevent Data Leaks
- Enhancing Permissions Management and Improving Access Control
- Enabling CTS to Record AOM Operations
- Enabling Prometheus HA of the Cloud Native Cluster Monitoring Add-on
- Keeping Data in Transit Safe
- Using the Latest SDKs for Better Experience and Security
- Protecting Sensitive Data
Managing Your Identity Authentication Information to Prevent Data Leaks
Whether you access AOM through the console, by calling APIs, or through SDKs, you must present an identity credential and pass identity authentication. AOM works with Identity and Access Management (IAM) to support four identity authentication methods: username and password, access key, temporary access key, and access code. IAM also provides login protection and login authentication policies to harden identity authentication.
- Using a temporary AK/SK
When resources such as metrics and alarms are queried using AOM APIs or SDKs, identity credential authentication is required. This ensures request confidentiality and integrity and confirms the requester's identity. You are advised to configure an IAM agency to obtain temporary AK/SKs, or to directly configure temporary AK/SKs for your applications or cloud services. Temporary AK/SKs expire after a short period, which limits the damage if one is leaked. For details, see Temporary Access Key and Obtaining Temporary Access Keys and Security Tokens of an Agency.
- Regularly changing a permanent AK/SK
If you use a permanent AK/SK, change it regularly and encrypt it for storage to prevent data leakage. For details, see Access Keys.
- Regularly changing an access code
When you install ICAgent through UniAgent, an access code is needed for authentication. The access code also serves as the credential for calling APIs and accessing Prometheus instances. Therefore, change the access code regularly to reduce data leakage risks. For details, see Managing Access Codes.
- Regularly changing your username and password and avoiding weak passwords
Regularly resetting passwords is a key measure to enhance system and application security. This practice lowers the chances of password exposure and helps you meet compliance requirements, mitigate internal risks, and boost security awareness. Also, use complex passwords to reduce risks. For details, see Password Policy.
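The two credential habits recommended above, preferring short-lived temporary AK/SKs and rotating any permanent AK/SK or access code on a schedule, are easy to get wrong in application code: clients keep using a temporary credential until a request fails, and nobody notices a permanent key that is three years old. The following Python helper is an added example, not AOM's or IAM's own code. It assumes a hypothetical `fetch` callable that returns fresh temporary credentials (for example, by calling the IAM agency API, which is not shown), a timezone-aware clock, and an assumed 90-day rotation policy; the inventory it checks is constructed sample data.

```python
"""Credential hygiene for an AOM API client (added example, not Huawei Cloud code).

- TemporaryCredentialProvider caches a temporary AK/SK and refreshes it before
  expiry, so callers never present an expired credential.
- keys_needing_rotation flags permanent AK/SKs and access codes older than the
  assumed rotation policy so they can be rotated before they become a liability.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Assumed policy values; adjust to your organisation's rotation requirements.
MAX_PERMANENT_KEY_AGE = timedelta(days=90)   # rotate permanent AK/SK or access code at least this often
REFRESH_MARGIN = timedelta(minutes=5)        # refresh temporary credentials this long before expiry


@dataclass
class TemporaryCredentials:
    access_key: str
    secret_key: str
    security_token: str
    expires_at: datetime  # timezone-aware UTC, as returned by the credential issuer


class TemporaryCredentialProvider:
    """Caches temporary credentials and refreshes them ahead of expiry."""

    def __init__(self, fetch: Callable[[], TemporaryCredentials],
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._fetch = fetch          # hypothetical: obtains AK/SK/token from an IAM agency
        self._now = now              # injectable clock so the refresh logic is testable
        self._cached: Optional[TemporaryCredentials] = None
        self.refresh_count = 0

    def get(self) -> TemporaryCredentials:
        """Return valid credentials, refreshing once inside the safety margin."""
        if self._cached is None or self._now() >= self._cached.expires_at - REFRESH_MARGIN:
            self._cached = self._fetch()
            self.refresh_count += 1
        return self._cached


def permanent_key_needs_rotation(created_at: datetime, now: datetime) -> bool:
    """True when a permanent AK/SK or access code exceeds the assumed maximum age."""
    return now - created_at >= MAX_PERMANENT_KEY_AGE


def keys_needing_rotation(inventory: list[dict], now: datetime) -> list[str]:
    """Return the ids of inventory records (id, created_at) that are due for rotation."""
    return [rec["id"] for rec in inventory if permanent_key_needs_rotation(rec["created_at"], now)]


def run_demo() -> dict:
    """Drive both helpers with a constructed clock and a constructed key inventory."""
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]

    def fake_fetch() -> TemporaryCredentials:
        # Constructed stand-in for the IAM agency call: 15-minute credentials.
        return TemporaryCredentials("AK-EXAMPLE", "SK-EXAMPLE", "TOKEN-EXAMPLE",
                                    expires_at=clock[0] + timedelta(minutes=15))

    provider = TemporaryCredentialProvider(fake_fetch, now=lambda: clock[0])
    first = provider.get()                  # first call fetches
    clock[0] += timedelta(minutes=5)
    reused = provider.get() is first        # 10 minutes left: cached copy is reused
    clock[0] += timedelta(minutes=6)
    refreshed = provider.get() is not first  # 4 minutes left, inside the margin: refreshed

    inventory = [  # constructed sample records
        {"id": "permanent-ak-1", "created_at": datetime(2023, 9, 1, tzinfo=timezone.utc)},
        {"id": "access-code-1", "created_at": datetime(2023, 12, 20, tzinfo=timezone.utc)},
    ]
    return {
        "reused_before_margin": reused,
        "refreshed_near_expiry": refreshed,
        "refresh_count": provider.refresh_count,
        "stale_keys": keys_needing_rotation(inventory, now=clock[0]),
    }


if __name__ == "__main__":
    print(run_demo())
```

Wire the provider's `fetch` to your real agency call and run the inventory check from a scheduled job; the only state the provider keeps is the cached credential and its expiry, so it is safe to share across threads once guarded with a lock.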
Enhancing Permissions Management and Improving Access Control
If employees in your enterprise need different permissions to access AOM resources, use IAM for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your AOM resources. You can assign system-defined permissions or define fine-grained permissions so that each user gets least-privilege access. For details, see Permissions Management.
Enabling CTS to Record AOM Operations
Cloud Trace Service (CTS) is a professional log audit service for Huawei Cloud security solutions. It enables you to collect, store, and query resource operation records (traces). You can use these traces to perform security analysis, track resource changes, audit compliance, backtrack problems, and locate faults.
After you enable CTS and configure a tracker, CTS records AOM operations for auditing. For details, see Querying AOM Traces.
Enabling Prometheus HA of the Cloud Native Cluster Monitoring Add-on
If you use CCE's Cloud Native Cluster Monitoring add-on to collect metrics, enable the Prometheus HA function so that collection components can be deployed in multi-instance mode. In HA mode, multiple data copies are reported, improving disaster recovery capabilities. For details, see Cloud Native Cluster Monitoring.
Keeping Data in Transit Safe
You are advised to use HTTPS to access AOM. This protects the integrity and confidentiality of data transmitted between clients and servers, preventing data theft or damage during transmission.
Using the Latest SDKs for Better Experience and Security
Use the latest AOM SDKs to better protect your data. For details, see SDK Overview.
Protecting Sensitive Data
- When reporting custom metrics, do not include sensitive information in the metric structure (for example, in label values), to reduce the risk of data leakage.
- When UniAgent and ICAgent are installed on Linux hosts, command history recording is disabled, so your AK/SK and access code cannot be recovered from the shell history. Additionally, credentials are encrypted for storage to prevent leaks.
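The first point above is a client-side responsibility: once a credential, e-mail address or token has been reported as a metric label, it sits in the monitoring backend and in every dashboard and alarm that reads it. The following Python scrubber is an added example, not AOM's own code. The metric layout (a `name`, a `labels` dictionary and a `value`), the forbidden label keys and the value patterns are all assumptions for illustration, and the sample metric is constructed; it is meant to run immediately before a metric is handed to the reporting SDK.

```python
"""Scrub sensitive data out of a custom metric before it is reported (added example).

Label keys that should never carry a value are dropped outright; label values that
look like credentials or personal data are replaced with a redaction marker. The
original metric is left untouched so the caller can log what was changed.
"""
from __future__ import annotations

import re
from copy import deepcopy

REDACTED = "[REDACTED]"

# Assumed deny-list of label keys that exist only to carry secrets.
FORBIDDEN_LABEL_KEYS = {
    "password", "passwd", "secret", "token", "access_key", "secret_key",
    "access_code", "authorization", "cookie",
}

# Assumed value patterns; extend with whatever your own data classification requires.
SENSITIVE_VALUE_PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*")),
    ("opaque_secret", re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")),  # hex/base64-looking blobs
]


def classify_value(value: str) -> str | None:
    """Return the name of the first sensitive pattern the value matches, else None."""
    for name, pattern in SENSITIVE_VALUE_PATTERNS:
        if pattern.search(value):
            return name
    return None


def scrub_metric(metric: dict) -> tuple[dict, list[str]]:
    """Return a scrubbed copy of the metric and a list of human-readable findings."""
    cleaned = deepcopy(metric)
    findings: list[str] = []
    labels = cleaned.setdefault("labels", {})
    for key in list(labels):
        if key.lower() in FORBIDDEN_LABEL_KEYS:
            del labels[key]
            findings.append(f"dropped label '{key}': forbidden key")
            continue
        kind = classify_value(str(labels[key]))
        if kind is not None:
            labels[key] = REDACTED
            findings.append(f"redacted label '{key}': looks like {kind}")
    return cleaned, findings


def scrub_batch(metrics: list[dict]) -> tuple[list[dict], int]:
    """Scrub every metric in a batch; return the clean batch and the number of findings."""
    cleaned_batch, total = [], 0
    for metric in metrics:
        cleaned, findings = scrub_metric(metric)
        cleaned_batch.append(cleaned)
        total += len(findings)
    return cleaned_batch, total


# Constructed sample: one metric whose labels mix harmless and sensitive values.
SAMPLE_METRIC = {
    "name": "app_login_total",
    "labels": {
        "user": "alice@example.com",                # personal data: redacted
        "token": "eyJhbGciOiJIUzI1NiJ9.example",   # forbidden key: dropped
        "region": "region-1",                       # harmless: kept
    },
    "value": 3,
}


if __name__ == "__main__":
    scrubbed, notes = scrub_metric(SAMPLE_METRIC)
    print(scrubbed)
    for note in notes:
        print("-", note)
```

Treat the findings list as a signal, not just a log line: a non-zero count in production means some code path is putting secrets or personal data into label values, and that code path should be fixed at the source rather than relying on the scrubber forever.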