
Security Best Practices

Updated on 2025-02-13 GMT+08:00

Security is a shared responsibility between Huawei Cloud and you. Huawei Cloud is responsible for the security of cloud services to provide a secure cloud. As a tenant, you should properly use the security capabilities provided by cloud services to protect data, and securely use the cloud. For details, see Shared Responsibilities.

This section provides actionable guidance for improving the overall security of data migration with DRS. Use it to continuously evaluate the security posture of your DRS tasks and strengthen their defenses, so that only the minimum permissions required by your business are assigned and data is protected from leakage and tampering in transmission.

Make security configurations from the following dimensions to meet your business needs.

Using Fine-Grained Authorization to Control the Usage Scope of DRS Resources

  1. Grant IAM users with different roles only the minimum permissions they need, to prevent data leakage or misoperations caused by excessive permissions.

    To better isolate and manage permissions, you are advised to configure an independent IAM administrator and grant them the permission to manage IAM policies. The IAM administrator can create different user groups based on your service requirements, with each user group corresponding to a data access scenario. By adding users to user groups and binding IAM policies to those groups, the IAM administrator grants employees in different departments only the data access permissions they need, following the principle of least privilege.

  2. Use fine-grained authorization for fine-grained control over user permissions.

    Fine-grained policies define permissions at the level of individual APIs. You are advised to create a custom policy that covers only the DRS operations a user must perform.
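To show what "fine-grained" means in practice, the following added example (not code from the DRS documentation) lints a custom policy for wildcard grants and evaluates whether a given API action would be allowed. It assumes the IAM custom policy layout with `"Version": "1.1"` and a `"Statement"` list, and the DRS action names it uses are placeholders to be checked against the DRS permissions reference before use.

```python
"""Lint a Huawei Cloud IAM custom policy for least-privilege problems.

Added example for this page; it is not code from the DRS documentation.
Assumptions: the "Version": "1.1" / "Statement" layout is the IAM
fine-grained (policy-based) custom policy format, and the DRS action
names below are illustrative placeholders to be checked against the
DRS permissions reference before use.
"""
from __future__ import annotations

import json
from fnmatch import fnmatchcase

# Constructed policy: coarse. Wildcards hand out every DRS and VPC API.
COARSE_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["drs:*:*", "vpc:*:*"]},
    ],
})

# Constructed policy: fine-grained. Only the read APIs an operator who
# monitors migration jobs needs (placeholder action names).
FINE_GRAINED_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["drs:migrationJob:list", "drs:migrationJob:get"]},
        # An explicit Deny narrows access and is never a finding.
        {"Effect": "Deny", "Action": ["drs:migrationJob:delete"]},
    ],
})


def _actions(stmt: dict) -> list[str]:
    """Normalise "Action" (a string or a list) to a list."""
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def lint_policy(policy_json: str) -> list[str]:
    """Return least-privilege findings; an empty list means the policy is fine-grained."""
    policy = json.loads(policy_json)
    findings: list[str] = []
    if policy.get("Version") != "1.1":
        findings.append("Version is not 1.1; fine-grained policies require 1.1")
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _actions(stmt):
            parts = action.split(":")
            if len(parts) != 3:
                findings.append(f"statement {i}: malformed action '{action}'")
            elif parts[0] == "*":
                findings.append(f"statement {i}: '{action}' grants every service")
            elif "*" in parts[1] or "*" in parts[2]:
                findings.append(
                    f"statement {i}: '{action}' uses a wildcard; list the APIs instead")
    return findings


def is_action_allowed(policy_json: str, action: str) -> bool:
    """Evaluate one action: an explicit Deny wins, otherwise any matching Allow grants it."""
    policy = json.loads(policy_json)
    allowed = False
    for stmt in policy.get("Statement", []):
        for pattern in _actions(stmt):
            if fnmatchcase(action, pattern):
                if stmt.get("Effect") == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    for name, doc in (("coarse", COARSE_POLICY), ("fine-grained", FINE_GRAINED_POLICY)):
        print(name, lint_policy(doc) or "no findings")
        print("  may delete a job:", is_action_allowed(doc, "drs:migrationJob:delete"))
```

Run the lint as a pre-commit step on every custom policy you keep in version control; a wildcard in an Allow statement is the usual way a "read-only" policy quietly becomes a delete permission.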

Using Secure and Reliable Networks and Encrypted Transmission Protocols

  1. You are advised to use a secure network, such as a VPN, for data synchronization.

    Avoid using an EIP (public network) connection where possible and use a secure network, such as a VPN, for data transmission instead. Configure firewalls, security groups, and ACL rules to reduce the attack surface and improve network security for data synchronization.

  2. The certificate+SSL connection mode is recommended.

    The certificate+SSL mode is a secure connection mode that protects the integrity and confidentiality of data in transit, at the cost of a slight reduction in database read and write performance. In scenarios that are sensitive to synchronization performance, balance performance against security.

Using Network Access Control to Isolate the Network for Data Synchronization

Use firewalls, access control list (ACL) rules, and security groups for network access control. They restrict the network range from which DRS can access databases and isolate the data synchronization network from other networks, protecting DRS tasks.

Configuring Independent Database Migration Users and Assigning the Minimum Permissions

If you migrate data as user root or as another service user, permission boundaries become blurred and permissions may be leaked. When creating a DRS task, you are advised to create dedicated migration accounts for the source and destination databases and grant them only the minimum permissions listed in the user guide, reducing the risk of account and permission leaks.
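The following added example (not code from the DRS documentation) turns the network, transport and account guidance above into two checks a practitioner can run before creating a task: an audit of the endpoint settings (weak configuration beside its hardened form) and a comparison of a migration account's `SHOW GRANTS` output against a required minimum. The endpoint dictionaries are a constructed representation of the task settings, and `REQUIRED_SOURCE_PRIVS` is an assumed minimum for a MySQL source; take the real list from the DRS user guide for your database engine.

```python
"""Audit a DRS task endpoint and the migration account's grants.

Added example for this page, not code from the DRS documentation. The
endpoint dictionaries are a constructed representation of the task
settings, and REQUIRED_SOURCE_PRIVS is an assumed minimum privilege set
for a MySQL source; take the real list from the DRS user guide for your
database engine.
"""
from __future__ import annotations

import re

# Constructed: shared or service accounts that should never run a migration.
SHARED_ACCOUNTS = {"root", "admin", "sa", "postgres", "system"}

# Constructed endpoint settings: a weak one and its hardened counterpart.
WEAK_SOURCE = {"network": "eip", "ssl": False, "ca_cert": None,
               "user": "root", "security_groups": []}
HARDENED_SOURCE = {"network": "vpn", "ssl": True, "ca_cert": "/etc/drs/source-ca.pem",
                   "user": "drs_migrate", "security_groups": ["sg-drs-source"]}


def audit_endpoint(cfg: dict) -> list[str]:
    """Return findings against the network, transport and account guidance."""
    findings: list[str] = []
    if cfg.get("network") == "eip":
        findings.append("network: EIP exposes the database on the public network; use VPN or Direct Connect")
    if not cfg.get("ssl"):
        findings.append("ssl: off, data crosses the network in plaintext")
    elif not cfg.get("ca_cert"):
        findings.append("ssl: no CA certificate, so the database server is not authenticated")
    if str(cfg.get("user", "")).lower() in SHARED_ACCOUNTS:
        findings.append(f"user: '{cfg['user']}' is a shared privileged account; create a dedicated migration user")
    if not cfg.get("security_groups"):
        findings.append("security_groups: none bound; restrict which addresses may reach the database")
    return findings


# Assumed minimum for a MySQL source (replication-based migration); verify in the user guide.
REQUIRED_SOURCE_PRIVS = {"SELECT", "SHOW VIEW", "EVENT", "LOCK TABLES",
                         "REPLICATION SLAVE", "REPLICATION CLIENT"}

# Matches one line of MySQL SHOW GRANTS output.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<who>.+?)"
    r"(?P<opt>\s+WITH GRANT OPTION)?$", re.IGNORECASE)


def parse_show_grants(lines: list[str]) -> set[str]:
    """Collect the privilege names a SHOW GRANTS listing hands out."""
    held: set[str] = set()
    for line in lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue
        for priv in m.group("privs").split(","):
            held.add(priv.strip().upper())
        if m.group("opt"):
            held.add("GRANT OPTION")
    held.discard("USAGE")  # USAGE is MySQL's "no privileges" marker
    return held


def excess_privileges(lines: list[str], required=REQUIRED_SOURCE_PRIVS) -> set[str]:
    """Privileges beyond the minimum; ALL PRIVILEGES and GRANT OPTION always count as excess."""
    return parse_show_grants(lines) - set(required)


def missing_privileges(lines: list[str], required=REQUIRED_SOURCE_PRIVS) -> set[str]:
    """Required privileges the account lacks (an ALL PRIVILEGES grant covers everything)."""
    held = parse_show_grants(lines)
    if "ALL PRIVILEGES" in held or "ALL" in held:
        return set()
    return set(required) - held


# Constructed SHOW GRANTS output for three accounts.
ROOT_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION"]
MIGRATE_GRANTS = ["GRANT SELECT, SHOW VIEW, EVENT, LOCK TABLES, REPLICATION SLAVE, "
                  "REPLICATION CLIENT ON *.* TO 'drs_migrate'@'10.0.%'"]
OVERPRIVILEGED_GRANTS = ["GRANT USAGE ON *.* TO 'drs_migrate'@'%'",
                         "GRANT SELECT, SUPER, REPLICATION SLAVE, REPLICATION CLIENT "
                         "ON *.* TO 'drs_migrate'@'%'"]

if __name__ == "__main__":
    print("weak endpoint:", audit_endpoint(WEAK_SOURCE))
    print("hardened endpoint:", audit_endpoint(HARDENED_SOURCE) or "no findings")
    for label, grants in (("root", ROOT_GRANTS), ("drs_migrate", MIGRATE_GRANTS),
                          ("overprivileged", OVERPRIVILEGED_GRANTS)):
        print(label, "excess:", excess_privileges(grants), "missing:", missing_privileges(grants))
```

The grant audit is deliberately two-sided: an account with too few privileges makes the task fail late, while one with `SUPER` or `ALL PRIVILEGES` turns a leaked migration password into full control of the database, which is the risk the guidance above is about.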

Creating HA Tasks to Improve Service Availability

DRS provides cross-AZ high availability (HA). If the instance in the primary AZ becomes faulty, services are switched over to the instance in the standby AZ so that data replication continues.

Properly Using Authentication Credentials to Prevent Data Leaks

When you call APIs from code or through API Explorer, you need to obtain a token using an account password or an AK/SK pair. Follow secure coding rules, manage authentication credentials properly, and never hardcode authentication information in plaintext.
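As an added example (not code from the DRS documentation), the block below shows the two halves of that rule: loading the AK/SK from the environment at run time with a representation that never echoes the secret key, and a small detector that flags credential-looking variables assigned as string literals in source. The environment variable names `DRS_AK` and `DRS_SK` are this example's choice (use the names your SDK's credential provider reads), and the sample source text and values are constructed, not real secrets.

```python
"""Keep DRS API credentials out of source code.

Added example for this page, not code from the DRS documentation. The
environment variable names DRS_AK and DRS_SK are this example's choice;
use the names your SDK's credential provider reads. The sample source
text and credential values are constructed and not real secrets.
"""
from __future__ import annotations

import os
import re
from typing import Mapping, NamedTuple, Optional


def mask(secret: str, keep: int = 4) -> str:
    """Replace all but the last `keep` characters with asterisks."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


class Credentials(NamedTuple):
    ak: str
    sk: str

    def __repr__(self) -> str:
        # Never echo the secret key into logs or tracebacks; show a tail only.
        return f"Credentials(ak={self.ak!r}, sk={mask(self.sk)!r})"


def load_credentials(env: Optional[Mapping[str, str]] = None) -> Credentials:
    """Read AK/SK from the environment at run time instead of embedding them in code."""
    env = os.environ if env is None else env
    ak, sk = env.get("DRS_AK", "").strip(), env.get("DRS_SK", "").strip()
    if not ak or not sk:
        raise RuntimeError("DRS_AK and DRS_SK must be set in the environment")
    return Credentials(ak, sk)


# A credential-looking variable name, and an assignment of a string literal to a name.
_SECRET_NAME = re.compile(
    r"(^|_)(ak|sk|access_key|secret_key|secret|password|passwd|token)($|_)", re.IGNORECASE)
_LITERAL_ASSIGN = re.compile(
    r"""^\s*(?P<name>[A-Za-z_]\w*)\s*=\s*(?P<q>['"])(?P<val>.*?)(?P=q)""")


def find_hardcoded_credentials(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, variable name) for every credential assigned as a literal."""
    hits: list[tuple[int, str]] = []
    for no, line in enumerate(lines, start=1):
        m = _LITERAL_ASSIGN.match(line)
        if m and m.group("val") and _SECRET_NAME.search(m.group("name")):
            hits.append((no, m.group("name")))
    return hits


# Constructed source file: two hardcoded credentials and one correct lookup.
SAMPLE_SOURCE = """\
import os
ak = "EXAMPLEAK0123456789"                  # hardcoded (constructed value)
secret_key = 'example-sk-not-a-real-secret'  # hardcoded (constructed value)
db_password = os.environ["DB_PASSWORD"]      # read at run time: not flagged
endpoint = "https://drs.example.invalid"     # a plain string, not a credential
"""

if __name__ == "__main__":
    for lineno, name in find_hardcoded_credentials(SAMPLE_SOURCE.splitlines()):
        print(f"line {lineno}: '{name}' is assigned a literal; load it from the environment")
    try:
        print(load_credentials())
    except RuntimeError as exc:
        print("not configured:", exc)
```

The detector is a cheap first line of defence for a code review or CI job; it looks only at literal assignments, so credentials pasted into config files or command lines still need the same treatment, and the `__repr__` override matters because a traceback that prints a credentials object is one of the commonest ways a secret key ends up in a log store.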
