Updated on 2025-04-29 GMT+08:00

Security Best Practices

Security is a shared responsibility between Huawei Cloud and yourself. Huawei Cloud is responsible for the security of the cloud services themselves. As a tenant, you are responsible for using the security capabilities those services provide to protect your data and use the cloud securely. For details, see Shared Responsibilities.

This section provides actionable guidance for enhancing the overall security of CSE. You can continuously evaluate the security status of your CSE resources and combine the security capabilities that CSE provides to strengthen their overall defense and to prevent data leakage and tampering in transit.

Consider the following aspects for your security configurations:

Using CSE Access Control to Minimize Permissions

New Identity and Access Management (IAM) users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the user group and can perform specified operations on cloud services.

You can grant users permissions by using roles and policies.

  • Roles: A coarse-grained authorization strategy that defines permissions by job responsibility. IAM provides a limited number of roles for permissions management. Different services often depend on other services, so these dependencies must be considered when assigning roles. However, roles are not ideal for fine-grained authorization and least privilege access.
  • Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access.

For details about CSE permissions, see Permissions Management.

Using CSE Identity Authentication to Authenticate Access

CSE can use role-based access control (RBAC) for authentication.

Using an account that has the admin role, you can create further accounts and associate each with a role appropriate to its service requirements. Users of such an account have the permissions that role grants to access and operate the microservice engine. For details, see Permission Control Overview.

Using CSE Namespaces to Isolate Configurations or Services of Different Projects or Environments

Namespaces isolate resources in different environments. For example, resources (such as configurations and services) in the development and test environments are isolated from those in the production environment. Different namespaces can have the same group or data ID. For details, see Namespace Management.

Using CSE Whitelist to Restrict Access IP Addresses

You can configure an engine access whitelist to allow only IP addresses in the whitelist to access the engine, further enhancing the security of engine instances. For details, see Managing the Engine Whitelist.

Enabling CTS to Record All CSE Access Operations

Cloud Trace Service (CTS) records operations on the cloud resources in your account. You can use the logs generated by CTS to perform security analysis, track resource changes, audit compliance, and locate faults.

After you enable CTS and configure a tracker, CTS records management traces of CSE for auditing. For details, see Key CSE Operations Recorded by CTS.