CBR Security Best Practices
Huawei Cloud and you share the responsibility for security. Huawei Cloud ensures the security of cloud services. As a tenant, you should take advantage of the security capabilities provided by Huawei Cloud to protect your data and use the cloud securely. For details, see Shared Responsibilities.
This section provides actionable guidance for enhancing the overall security of CBR. It helps you evaluate the security status of your CBR resources and make better combined use of the CBR security capabilities.
Consider the security configurations from the following aspects:
Properly Managing Security Credentials to Prevent Data Leaks
Rotate the AK/SK credentials periodically and store them in encrypted form, so that a leaked plaintext credential does not lead to a data leak. For details, see CBR Authentication.
Using Access Control to Prevent Backup Data from Being Disclosed or Deleted Mistakenly
- Grant IAM users only the minimum permissions necessary for common CBR operations and system functions to prevent data leakage or accidental deletion due to excessive privileges. For details, see CBR Permissions Management.
- Enable critical operation protection so that the system authenticates users again when they attempt critical operations, such as deleting backups. This further protects the security of CBR configurations and data. For more information, see Critical Operation Protection.
Using the Data Protection Capability Provided by CBR to Protect Backup Data
- Backup data encryption: If a disk you want to back up is encrypted, the backups generated for this disk are also encrypted. When such a backup is used to restore data, the encrypted data is first decrypted and then restored to the target disk.
- Cross-region replication: allows you to automatically and asynchronously replicate backups from one region to a replication vault in a different region, based on a replication policy. This cross-region disaster recovery capability meets your needs for remote backup.
- Backup locking: sets backup data to a write-once-read-many (WORM) state. After this function is enabled, all backups in the vault enter the WORM state, and no one can delete a backup while it is in that state.
Auditing Operation Logs to Identify Abnormal Access
- Enable Cloud Trace Service (CTS) to record all access operations.
CTS is a log audit service intended for Huawei Cloud security. It allows you to collect, store, and query cloud resource operation records. You can use these records to track resource changes, analyze security compliance, and locate faults.
After you enable CTS and configure a tracker, CTS can record management and data traces of CBR for auditing. For details, see Auditing and Logging.
- Use Cloud Eye for real-time monitoring.
Cloud Eye is a comprehensive platform for monitoring a variety of cloud resources, such as ECS and bandwidth usage. It monitors resource utilization, tracks the running status of cloud services, alerts you to potential issues, and enables you to respond quickly to abnormalities.
Enable Cloud Eye to monitor the vaults and backups in your account. For details, see Auditing and Logging.
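As an added example (not Huawei Cloud's code and not the actual CTS trace schema), the following Python scans CTS-style operation records for the kinds of abnormal access this section describes: destructive CBR operations, calls from outside the expected administrative networks, and repeated failed calls by one user. The record field names, trace names, users and network ranges are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# Trace names treated as destructive. These names are an assumption for the
# example, not a confirmed list of CBR trace names recorded by CTS.
DESTRUCTIVE_TRACES = {"deleteBackup", "deleteVault", "removeBackupLock"}

# Constructed sample records in a simplified CTS-like shape (field names assumed).
SAMPLE_TRACES = [
    {"time": "2024-05-01T09:00:00Z", "user": "ops-backup", "trace_name": "createBackup",
     "trace_status": "normal", "source_ip": "10.20.0.5"},
    {"time": "2024-05-01T09:05:00Z", "user": "ops-backup", "trace_name": "listBackups",
     "trace_status": "normal", "source_ip": "10.20.0.5"},
    {"time": "2024-05-01T22:14:00Z", "user": "dev-temp", "trace_name": "deleteBackup",
     "trace_status": "normal", "source_ip": "198.51.100.23"},
    {"time": "2024-05-01T22:15:00Z", "user": "dev-temp", "trace_name": "deleteBackup",
     "trace_status": "error", "source_ip": "198.51.100.23"},
    {"time": "2024-05-01T22:16:00Z", "user": "dev-temp", "trace_name": "deleteBackup",
     "trace_status": "error", "source_ip": "198.51.100.23"},
    {"time": "2024-05-01T22:17:00Z", "user": "dev-temp", "trace_name": "deleteVault",
     "trace_status": "error", "source_ip": "198.51.100.23"},
]


def find_abnormal(traces, allowed_cidrs, fail_threshold=3):
    """Return a list of (rule, user, detail) findings over CTS-style records."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    failures = Counter()
    for t in traces:
        user, name = t["user"], t["trace_name"]
        ip = ipaddress.ip_address(t["source_ip"])
        # Rule 1: every destructive CBR operation is reported for review,
        # whether or not it succeeded.
        if name in DESTRUCTIVE_TRACES:
            findings.append(("destructive_op", user, f"{name} at {t['time']}"))
        # Rule 2: CBR API calls from outside the expected admin networks.
        if not any(ip in n for n in nets):
            findings.append(("unexpected_source", user, str(ip)))
        # Rule 3: repeated failed calls by one user (for example, rejected by
        # IAM permissions or critical operation protection) deserve investigation.
        if t["trace_status"] != "normal":
            failures[user] += 1
            if failures[user] == fail_threshold:
                findings.append(("repeated_failures", user, f"{fail_threshold} failed calls"))
    return findings
```

With the sample records and an allowlist of `10.20.0.0/16`, only the `dev-temp` activity is reported, across all three rules.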