Updated on 2025-03-17 GMT+08:00

CSMS Best Practices

Huawei Cloud and you share the responsibility for security. Huawei Cloud ensures the security of the cloud services themselves to provide a secure cloud. As a tenant, you should use the security capabilities provided by cloud services to protect your data and use the cloud securely. For details, see Shared Responsibilities.

This section provides actionable guidance for enhancing the overall security of CSMS. With this guide, you can continuously evaluate the security status of CSMS, improve the overall CSMS security defense capabilities, and protect data during storage and transmission from being leaked or tampered with.

Consider the following aspects for your security configurations:

  • Strengthen permission management to reduce related risks.

    If the custom policy does not limit the secret resources it applies to, any user granted the policy can manage all secrets, which does not meet the minimum security control requirements. When you create the policy, set Select resource and enter the name of the secret to be authorized, as described in Creating a User and Authorizing the User the Permission to Access DEW. The policy then takes effect only for the specified secret.

  • Complete secret management configurations to reduce secret leakage risks.
    1. Configure a rotation function to rotate secrets periodically.

      Password leakage is more likely to occur if the same password is used for a long time. Use FunctionGraph and CSMS to automatically rotate the managed passwords, so that highly secure passwords are generated periodically.

    2. Enable operation protection.

      If the secret contains sensitive information, enable operation protection to reduce information leakage risks caused by unauthorized operations.

    3. Enable event notification to view the rotation status in time.

      You can create and enable event notification to check whether the secret is rotated in time, reducing secret leakage risks caused by rotation failure.
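
The permission guidance above can be checked on exported custom policies. The following is an added example, not Huawei Cloud code: it flags Allow statements that grant CSMS actions without naming a secret. The sample policies are constructed, and the `csms:secret:*` action names and `secretName` resource path are assumptions for illustration.

```python
import json

# Constructed sample policies in the IAM custom-policy layout
# (Version / Statement / Effect / Action / Resource). Action names and
# the "secretName" resource path are assumptions, not taken from the page.
UNSCOPED = json.loads("""
{"Version": "1.1",
 "Statement": [{"Effect": "Allow", "Action": ["csms:secret:*"]}]}
""")
SCOPED = json.loads("""
{"Version": "1.1",
 "Statement": [{"Effect": "Allow",
                "Action": ["csms:secret:get", "csms:secret:update"],
                "Resource": ["csms:*:*:secretName:app-db-password"]}]}
""")

def _as_list(value):
    """Policy fields may hold one string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def unscoped_secret_statements(policy):
    """Return (statement index, reason) for every Allow statement that
    grants CSMS actions without restricting them to named secrets."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a.startswith("csms:") for a in actions):
            continue
        resources = _as_list(stmt.get("Resource"))
        if not resources:
            findings.append((i, "no Resource element, so it applies to every secret"))
            continue
        for res in resources:
            # The last colon-separated field is the secret name or pattern.
            if res.rsplit(":", 1)[-1] in ("", "*"):
                findings.append((i, f"wildcard resource {res!r}"))
    return findings

if __name__ == "__main__":
    for name, policy in (("UNSCOPED", UNSCOPED), ("SCOPED", SCOPED)):
        print(name, unscoped_secret_statements(policy))
```

Name prefixes such as `app-*` are not flagged, because they still narrow the grant; review those by hand.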