ELB Security Best Practices
- Use identity credentials properly to improve account security.
Whether you access ELB resources through the console or through APIs, you must present identity credentials that are verified before the request is served. With Identity and Access Management (IAM), ELB supports four identity authentication methods: username and password, access key, temporary access key, and access code. In addition, Login Protection and Login Authentication Policy are provided to further strengthen identity authentication.
- Use a temporary AK/SK.
When you use ELB APIs or SDKs to query resources like metrics and alarms, identity authentication is required to ensure the confidentiality, integrity, and correctness of requests. You are advised to configure an IAM agency to obtain a temporary access key, or directly configure temporary AK/SKs for your applications or cloud services. Temporary AK/SKs will expire after a short period, which reduces data leakage risks. For details, see Temporary Access Keys and Obtaining Temporary Access Keys and Security Tokens of an Agency.
- Periodically change permanent access keys.
- Regularly change your username and password and avoid weak passwords.
Regularly resetting passwords is one important measure to enhance system and application security. This practice not only lowers the chances of password exposure but also helps you meet compliance requirements, mitigate internal risks, and boost your security awareness. Also, complex passwords are recommended to reduce risks. For details, see Password Policy.
- Assign different API management permissions to different users.
For details about ELB API permission management, see ELB Permissions and Permissions and Supported Actions.
- Disable private_key_echo through the API.
Before using the HTTPS or TLS listeners of ELB, you need to upload your certificates to ELB. Users can call APIs to query the certificates and private keys. Improperly assigned certificate API permissions can expose private keys, which could allow an attacker to decrypt intercepted traffic or forge data. To avoid these risks, you can:
- Disable private_key_echo.
You can call this API to disable this option.
- Restrict API permissions.
The certificate owner first disables private_key_echo through the API, then creates a custom policy like the following on the IAM console so that the option cannot be re-enabled by the affected users:
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "elb:certificates:setPrivateKeyEcho"
      ]
    }
  ]
}
- Enable access control for listeners.
You can add IP addresses to a whitelist or blacklist to control access to a listener.
A whitelist allows the specified IP addresses to access the listener.
A blacklist denies access from specified IP addresses.
For details, see What Is Access Control?
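The whitelist and blacklist semantics described above, as an added example that is not part of the original page or of ELB itself: the listener entries, client addresses and helper names are constructed for illustration. It generalizes slightly to CIDR ranges and IPv6, and fails closed on malformed input.

```python
import ipaddress

# Constructed example access control entries for one listener (not from the page).
WHITELIST = ["203.0.113.0/24", "198.51.100.7"]
BLACKLIST = ["203.0.113.66", "192.0.2.0/24", "2001:db8::/32"]


def _parse_networks(entries):
    """Turn plain addresses and CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _is_listed(client_ip, networks):
    """True when client_ip falls inside any listed address or range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in networks)


def is_allowed(client_ip, mode, entries):
    """Decide whether client_ip may reach the listener.

    mode "whitelist": only listed addresses are allowed (an empty list denies all).
    mode "blacklist": listed addresses are denied, everything else is allowed.
    A malformed client address is rejected (fail closed) rather than allowed.
    """
    try:
        listed = _is_listed(client_ip, _parse_networks(entries))
    except ValueError:
        return False
    if mode == "whitelist":
        return listed
    if mode == "blacklist":
        return not listed
    raise ValueError("mode must be 'whitelist' or 'blacklist'")
```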
- Redirect HTTP requests to HTTPS listeners to improve service security.
You can use ELB to redirect HTTP requests to an HTTPS listener to improve your service security.
- Use HTTPS mutual authentication and custom TLS security policies for services requiring high security.
- Mutual authentication
In common HTTPS service scenarios, only the server certificate is required for authentication. For some mission-critical services, mutual authentication between the server and the client is required.
In this case, you need to deploy both the server certificate and client certificate. For details, see Configuring Mutual Authentication When Adding an HTTPS Listener.
- Custom TLS security policies
HTTPS encryption is commonly used for applications that require encrypted data transmission. ELB allows you to use common TLS security policies to secure data transmission.
When you add an HTTPS listener, you can select the default security policies or create a custom policy to improve service security. A security policy is a combination of TLS protocols of different versions and supported cipher suites. For details, see TLS Security Policy.
- Enable CTS to record operations on ELB for auditing.
Cloud Trace Service (CTS) is a log audit service for Huawei Cloud security. It allows you to collect, store, and query cloud resource operation records. You can use these records to perform security analysis, audit compliance, track resource changes, and locate faults.
After CTS is enabled, it can record ELB operations.
- If you want to enable and configure CTS, refer to CTS Getting Started.
- For details about ELB operations recorded by CTS, see Key Operations Recorded by CTS.
- If you want to view traces, refer to Viewing Traces.
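One way to use CTS records for the private_key_echo risk described earlier, as an added example that is not part of the original page or of CTS: it walks audit records in time order and flags certificate queries made while private_key_echo was enabled. The records, their field names, and the trace name "showCertificate" are constructed assumptions for this example; only "setPrivateKeyEcho" appears on the page.

```python
from datetime import datetime, timezone

# Constructed sample records (not real CTS output). Field names are assumed here;
# map them to the fields of your own exported traces before use.
SAMPLE_TRACES = [
    {"time": "2024-05-01T08:00:00Z", "user": "ops-admin",
     "trace_name": "setPrivateKeyEcho", "request": {"private_key_echo": True}},
    {"time": "2024-05-01T08:01:10Z", "user": "ops-admin",
     "trace_name": "showCertificate", "request": {"certificate_id": "cert-placeholder"}},
    {"time": "2024-05-01T09:30:00Z", "user": "deploy-bot",
     "trace_name": "showCertificate", "request": {"certificate_id": "cert-placeholder"}},
    {"time": "2024-05-01T10:00:00Z", "user": "ops-admin",
     "trace_name": "setPrivateKeyEcho", "request": {"private_key_echo": False}},
]


def _ts(value):
    """Parse the ISO 8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_key_exposure(traces):
    """Return (user, time, finding) tuples worth reviewing.

    Tracks whether private_key_echo is on; every certificate query made while
    it is on could have returned a private key and is reported. Enabling and
    disabling the option are reported as well, so the window is visible.
    """
    findings = []
    echo_on = False  # assume the option is off before the first record
    for rec in sorted(traces, key=lambda r: _ts(r["time"])):
        name = rec["trace_name"]
        if name == "setPrivateKeyEcho":
            echo_on = bool(rec["request"].get("private_key_echo"))
            findings.append((rec["user"], rec["time"],
                             "echo_enabled" if echo_on else "echo_disabled"))
        elif name == "showCertificate" and echo_on:
            findings.append((rec["user"], rec["time"], "cert_query_with_echo_on"))
    return findings
```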
- Create alarm rules to monitor key metrics of ELB to avoid server overloading.
Cloud Eye can monitor resources, resource groups, and websites, and report alarms in a timely manner to help you keep track of resource usage and service status on the cloud.
With Cloud Eye, you can analyze potential risks by viewing the network traffic and error logs of ELB during a selected period of time.
For details about the monitoring metrics supported by ELB and how to create alarm rules, see Monitoring ELB Resources.
For details about how to configure alarms for ELB resources, see Using Cloud Eye to Monitor ELB Resources.