Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive

DCS Data Security

Updated on 2024-12-31 GMT+08:00

Security is a shared responsibility between Huawei Cloud and you. Huawei Cloud is responsible for the security of cloud services to provide a secure cloud. As a tenant, you should properly use the security capabilities provided by cloud services to protect data, and securely use the cloud. For details, see Shared Responsibilities.

This section provides actionable guidance for enhancing the overall security of using DCS. You can continuously evaluate the security status of your DCS resources, enhance their overall security defense by combining multiple security capabilities provided by DCS, and protect data stored in DCS from leakage and tampering both at rest and in transit.

Make security configurations from the following dimensions to meet your service needs.

Protecting Data Through Access Control

Correctly use the access control capability provided by DCS to prevent your data from being stolen or damaged.

  1. Set only the minimum permissions for IAM users with different roles to prevent data leakage or misoperations caused by excessive permissions.

    To better isolate and manage permissions, you are advised to configure an independent IAM administrator and grant them the permission to manage IAM policies. The IAM administrator can create different user groups based on your service requirements. User groups correspond to different data access scenarios. By adding users to user groups and binding IAM policies to user groups, the IAM administrator can grant different data access permissions to employees in different departments based on the principle of least privilege. For details, see Permissions Management.

  2. Configure a whitelist or security group to protect your data from abnormal reads or other operations.

    By configuring an IP address whitelist or inbound and outbound security group rules, you can control the network range for connecting to your instance and prevent exposure to untrusted third parties.

    DCS Redis 4.0/5.0/6.0 basic edition instances are controlled by whitelists. For details, see Managing IP Address Whitelist.

    DCS Redis 6.0 professional instances are controlled by security group rules. For details, see How Do I Configure a Security Group? Do not set the source to 0.0.0.0/0 in the inbound rules of a security group.

  3. Do not use high-risk commands, to prevent attackers from directly damaging Redis.

    You can rename high-risk commands to disable them if they are not used in your service. Learn more about disabled commands and commands that can be renamed.

  4. Use a non-default port to prevent scanning attacks.

    The default listening port of the Redis server is 6379, which is vulnerable to scanning attacks. You can use a port in the range from 1 to 65535. For details, see Customizing a Port.

  5. Limit the maximum number of client connections to avoid resource exhaustion and DoS risks.

    The maxclients parameter of Redis determines the maximum number of clients that can be concurrently connected to an instance. The default value is 10000, and the value can range from 1000 to 50000. Excess connection requests will be rejected.

    Set a proper client connection limit based on your application scenario. For details about how to modify the maxclients parameter, see Modifying Configuration Parameters.

  6. Limit the idle time of Redis connections based on service requirements.

    To prevent idle client connections from occupying resources for a long time, you can set the timeout parameter on the console. Client connections that remain idle for the period specified by this parameter will be closed. The default value of timeout is 0, indicating that the server does not proactively disconnect idle clients. The value ranges from 0 to 7200, in seconds.

    You are not advised to set it to 0. For example, you can set it to 3,600 seconds. For details about how to modify the timeout parameter, see Modifying Configuration Parameters.

  7. Configure a password for accessing your DCS instance to prevent unauthorized clients from operating it by mistake. In this way, clients can be authenticated for access, improving instance security.

    You can set a password when buying an instance, or reset the password of an existing instance.

  8. Use different DCS instances for different services to prevent instance faults from affecting multiple services.

Encrypting Data Before Storage

RDB and AOF persistent files in open-source Redis do not support encryption. Therefore, DCS does not support data encryption. If you have sensitive data, please encrypt it before writing it to DCS.

Data Restoration and Disaster Recovery

Build restoration and disaster recovery (DR) capabilities in advance to prevent data from being deleted or damaged by mistake in abnormal data processing scenarios.

  1. Enable automated instance backup to quickly restore data in abnormal scenarios.

    DCS instances can be backed up automatically or manually. The automated backup function is disabled by default. After it is enabled, you can restore backup data to the instance. Backup data of an instance is stored for a maximum of 7 days. For details about automated backup, see Configuring a Backup Policy.

    Manual backups are user-initiated full backups of instances. The backup data is stored in Huawei Cloud OBS buckets and removed upon deletion of the corresponding instance.

  2. Use cross-AZ replication for data DR.

    A master/standby or cluster DCS instance can be deployed within an AZ or across multiple AZs for HA. For cross-AZ deployment, DCS initiates and maintains data synchronization. High availability is achieved by having a standby node take over in the event that a failure occurs on the master node. When operations are read-heavy, you can use DCS Redis 4.0 or later instances that support read/write splitting, or cluster instances that have multiple replicas. DCS maintains data synchronization between the master and replicas. You can connect to different addresses of an instance to isolate read and write operations.

    For cross-AZ deployment, DCS initiates and maintains data synchronization. High availability is achieved by having a standby node take over in the event that a failure occurs on the master node.

Transmission Encryption with SSL

To prevent data from being stolen or damaged during transmission, use SSL encryption to access DCS.

Currently, only DCS for Redis 6.0 basic edition supports SSL encryption. You are advised to use DCS Redis 6.0 basic edition instances and enable SSL for them.

Checking for Abnormal Data Access

  1. Enable Cloud Trace Service (CTS) to record all DCS access operations for future audit.

    CTS records operations on the cloud resources in your account. You can use the logs generated by CTS to perform security analysis, track resource changes, audit compliance, and locate faults.

    After you enable CTS and configure a tracker, CTS can record management and data traces of DCS for auditing. For details, see Viewing DCS Audit Logs .

  2. Use Cloud Eye for real-time monitoring and alarm reporting on security events.

    When using DCS, you may encounter error responses from the server. Huawei Cloud provides the Cloud Eye service to automatically monitor your DCS instances in real time, generate alarms, and send notifications, so that you can learn about the requests, traffic, and error responses of your DCS instances in real time.

    Cloud Eye is enabled automatically after you create a DCS instance. For details, see DCS Metrics and Configuring DCS Monitoring and Alarms.

Using the Latest SDKs for Better Experience and Security

Upgrade SDKs to the latest version to better protect your data and DCS usage. Download the latest SDK in your desired language from SDK Overview.

Using Other Cloud Services for Additional Data Security

Ensuring DCS resource security using SecMaster

SecMaster provides you with built-in checks that are included in Cloud Security Compliance Check 1.0, DJCP 2.0 Level 3 Requirements, and Network Security, to check key configurations of DCS, generate alarms for configurations with security risks, and provide hardening suggestions and guidelines. You can use the resource management function of SecMaster to quickly learn about the DCS security status and locate security risks. For details, see Baseline Inspection Overview.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback