Updated on 2025-03-27 GMT+08:00

Suggestions on APM Security Configuration

This section provides guidance for enhancing the overall security of APM. You can continuously evaluate the security of APM and combine different security capabilities to enhance overall defense. By doing this, stored data can be protected from leakage and tampering both at rest and in transit.

Consider the following aspects for your security configurations:

Properly Using APM Access Keys and Encrypting Them

  1. Keeping APM access keys secure and changing them regularly

    Access Key ID (AK) and Secret Access Key (SK) are your long-term identity credentials. Agents report data with an AK. The AK is used together with the SK to sign requests cryptographically, ensuring that the requests are confidential, complete, and correct. Keep your access keys secure. You can create, delete, and disable access keys on the Access Keys page.

  2. Using custom functions to encrypt authentication information

    To better protect your identity authentication information, APM supports custom encryption for keys. You can customize a function to encrypt an AK/SK and place the decryption function in the specified directory of an Agent. When a service is started, the Agent uses the custom decryption function to parse the key, protecting privacy and preventing identity authentication information leakage. For details, see Access Keys.

Granting User Permissions Using Access Control Capabilities

  1. Assigning different roles to IAM users to prevent data leakage or misoperations caused by excessive permissions

    To better isolate and manage permissions, you are advised to configure independent IAM administrators and grant them permissions to manage IAM policies. An IAM administrator can create different user groups based on your service requirements. User groups correspond to different data access scenarios. By adding users to user groups and binding IAM policies to user groups, the IAM administrator can grant different data access permissions to employees in different departments based on the principle of least privilege. For details, see Login Protection and Login Authentication Policy.

  2. Using enterprise projects to isolate services logically

    After creating IAM user groups for employees, you can create enterprise projects on the Enterprise Management console and grant permissions to the user groups in the enterprise projects to implement personnel authorization and permission control. You can then manage resources across different regions by enterprise project, grant different permissions to user groups, and add them to enterprise projects. For details, see Creating a User and Granting Permissions.

Protecting Privacy and Sensitive Information Through Data Masking

When a service request includes sensitive information, you are advised to use the data masking function. On the data masking page, create masking configurations for your components. The platform will then replace sensitive information in traces with a globally unique random character string (Hash code mode) or a fixed number of asterisks (*) (Mask mode). After the configuration takes effect, you can go to the tracing page to view the trace details.
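
As an added illustration (not APM code), the Python sketch below applies the two masking modes to constructed trace parameters, then checks whether a sensitive value still appears in a field that key-based masking did not cover, such as a URL query string. The key names, the asterisk count, the keyed-hash derivation and the `residual_leaks` helper are assumptions; this page does not describe how APM derives its hash codes.

```python
import hashlib
import hmac

SENSITIVE_KEYS = {"password", "phone"}   # assumed masking configuration
MASK = "*" * 6                           # assumed asterisk count for Mask mode


def mask_value(value, mode, secret):
    """Mask one value: 'hash' gives a keyed-hash token, 'mask' gives fixed asterisks."""
    if mode == "mask":
        return MASK
    if mode == "hash":
        # Keyed hash (assumption): equal inputs give equal tokens, so traces stay
        # correlatable, but a token cannot be confirmed by hashing guessed values.
        return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:32]
    raise ValueError(f"unknown mode: {mode}")


def mask_trace(params, mode, secret):
    """Return a copy of params with the configured sensitive keys masked."""
    return {
        key: mask_value(val, mode, secret) if key.lower() in SENSITIVE_KEYS else val
        for key, val in params.items()
    }


def residual_leaks(original, masked):
    """List fields of the masked record that still contain an original sensitive value."""
    sensitive = [v for k, v in original.items() if k.lower() in SENSITIVE_KEYS and v]
    return sorted(
        field for field, val in masked.items()
        if any(s in val for s in sensitive)
    )


# Constructed sample trace parameters (not real APM output).
SAMPLE = {
    "user": "alice",
    "password": "S3cr3t!pw",
    "phone": "13800000000",
    "url": "/login?phone=13800000000",
}
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    for mode in ("hash", "mask"):
        masked = mask_trace(SAMPLE, mode, KEY)
        print(mode, masked, "leaks:", residual_leaks(SAMPLE, masked))
```

In both modes the `url` field is reported, which is the kind of gap to look for on the tracing page after a masking configuration takes effect.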

Using the Latest Agent for Better Monitoring Experience and Security Capabilities

Regularly update your Agent versions for a better monitoring experience and stronger security capabilities. To download the latest Agent, see JavaAgent Updates.