Security Best Practices in IAM
Use IAM Identity Center to Centrally Manage Human-Machine Users with Identity Federation
Huawei Cloud users can be administrators, developers, and application users (such as business analysts and data analysts). They use the CLI, console, or client applications to access Huawei Cloud. They are members of your enterprise or organization. They can also be users outside the enterprise or organization. They must have identity credentials to access Huawei Cloud. You are advised to use IAM Identity Center to manage these users. The benefits are as follows:
- Centrally manage users: Any changes of the enterprise or organization members can be maintained only in one system.
- Centrally manage user credentials: You do not have to create or maintain passwords in different systems.
- Reduce the number of identity systems: You can manage user identities from an identity provider.
- Simplify audit: A single identity source makes audit easy.
Use Temporary Access Keys with IAM Agencies or Trust Agencies to Allow Machine-Machine Users to Access Huawei Cloud
Using temporary access keys is a security best practice because they have a limited lifetime and automatically expire. You do not need to rotate them periodically or delete them when they are no longer needed. You are advised to use IAM agencies or trust agencies to issue temporary credentials rather than permanent access keys of IAM users to machine-machine accounts.
Do Not Write Access Keys into Code
If you use APIs, CLI, or SDKs to access cloud services, do not write your access keys into the code.
Create Individual IAM Users
If someone needs to access resources in your account, do not share your password with them. Instead, create an individual IAM user for them and grant required permissions to the IAM user. You can also create an IAM user for yourself, grant the IAM user administrator permissions, and perform routine management using the IAM user.
Set Appropriate Access Method
You can access Huawei Cloud in different ways. For IAM users created on the new IAM console, the access method depends on the credential types of the users. If you set a console password when creating an IAM user, the IAM user can access Huawei Cloud through the console. If you create an access key for an IAM user, the IAM user has programmatic access to Huawei Cloud. For IAM users created on the old IAM console, you can specify the access type when creating an IAM user or choose More > Security Settings in the user list and set the password or access keys after the user is created.
Enable MFA
Multi-factor authentication (MFA) adds an additional layer of security protection on top of the identity credentials for an account. It is recommended that you enable MFA for your account and its IAM users. After MFA is enabled, you need to enter verification codes after your username and password are authenticated. Virtual MFA devices, together with your username and password, ensure the security of your account and resources.
You can choose either a virtual MFA device or a security key. A virtual MFA device is an application that generates 6-digit verification codes. MFA applications can run on mobile devices (including smartphones) and are easy to use. Security keys are a two-factor authentication method based on the Fast Identity Online (FIDO) protocol. Currently, Huawei Cloud supports FIDO-based devices and Windows Hello security keys.
Set a Strong Password Policy
To ensure that IAM users only use complex passwords and change them periodically, set a password policy that defines strong password requirements, such as the minimum password length, whether consecutive identical characters are allowed in a password, and whether previously used passwords can be reused.
Enable Critical Operation Protection
Enable critical operation protection to prevent misoperations. When you or users created using your account perform a critical operation, such as deleting a resource or generating an access key, you and users need to provide the password and a verification code to proceed with the operation.
Periodically Change Your Identity Credentials
Periodically changing your password and access keys can prevent risks caused by their accidental disclosure or loss. You can use the following methods:
- Set a password validity period to require you and your users to rotate passwords. IAM will start to display a prompt 15 days before the passwords expire.
- Create two access keys and rotate them in your applications. For example, use access key 1 for a period, and then use access key 2 for the next period. Then delete access key 1, generate another access key (access key 3), and rotate access key 2 and access key 3 periodically. In this way, two access keys are continuously rotated to ensure secure login.
Delete Unnecessary Identity Credentials
For users who only need to use the console, you are advised not to create access keys for them and to delete any access keys that have already been created. If a user has not logged in for a long period, change the user's password and delete the user's access keys. In addition, set an account validity period to automatically disable user accounts that have not been used for a long time.
Enable CTS
You can use Cloud Trace Service (CTS) to collect, store, and query key IAM operations for security analysis, compliance audit, resource tracking, and fault locating. It is recommended that you enable CTS to record key IAM operations, such as creating and deleting users.
Comply with Best Practices to Protect Account Credentials
Your account has all the permissions required to access resources and make payments for the usage of resources. Safeguard your account credentials the same way you would protect other sensitive personal information.
- Do not create access keys for the account.
Both passwords and access keys (AKs/SKs) are account credentials and they have the same effect. Passwords are mandatory and used for console login. Access keys are optional. They are supplementary to passwords and used for programmatic requests with development tools. To enhance account security, you are advised to only use the password to log in to the console. Do not create access keys for your account to eliminate information security risks posed by access key loss or disclosure.
- Secure your account credentials to prevent unauthorized use.
Safeguard your account credentials and use them only for the tasks that require them. Strictly control the scope in which account credentials are used for authentication. Do not disclose your password, MFA device, or access keys.
- Use strong passwords to enhance access protection.
You are advised to use password tools to generate strong passwords. Do not set the password to your account name or email address.
- Use multi-person approval for account login.
To ensure that nobody can access both the password and MFA of the account, use multi-person approval. For example, you can set one group of administrators with access to the password and another group of administrators with access to MFA. One member from each group must come together to sign in as the account.
Grant Least Privilege
As a security best practice, grant only permissions required to perform specific tasks. You can achieve this by using the IAM system-defined permissions or custom policies and identity policies. The principle of least privilege helps you establish secure access to your Huawei Cloud resources.
For IAM users who access cloud services by using APIs, CLI tools, or SDKs, grant them permissions by using custom policies or identity policies to minimize impact due to accidental access key disclosure or loss.
- Create IAM users for administrators and applications, respectively.
- For IAM users used by administrators, use an identity provider to provide federated access to Huawei Cloud accounts and store the passwords in the enterprise's offline identity system.
- For IAM users used by applications, only grant the permissions needed to call specific APIs and disable console login (to avoid saving the password).
- Do not grant permission to download or delete important data assets, or only grant these permissions to a few important IAM users (or federated users). Do not share the passwords of these users to minimize the impact of password disclosure or loss.
Use Conditions in IAM Policies or Identity Policies to Further Restrict Access
You can use IAM policies or identity policies to further restrict access. For example, you can write a policy or identity policy to only allow specific IAM users to perform specific operations. For more information, see IAM Permissions Management.
Delete or Do Not Generate Root User Access Keys
For account security, do not generate an access key for the root user unless necessary (which is rarely the case). The best practice is to create an IAM Identity Center user to manage routine tasks. For details about how to create IAM Identity Center users for management, see Getting Started.
If you have been using the access key of an account's root user, you are advised to locate this access key in your application, replace it with the IAM user's access key, and then disable and remove the root user's access key.
Control the Use of Access Keys
It is recommended to use temporary security credentials to access Huawei Cloud for running workloads. If permanent access keys are required, it is recommended to follow the principle of least privilege (PoLP) and enable MFA when granting permissions to IAM users with permanent access keys.
For example, if you choose to use an IAM user's permanent access key to run the workloads for short-term tests, you are advised to use condition keys to restrict user permissions. In this case, you can create a temporary identity policy and attach it to the IAM user so that the user's permissions will expire after a specified period of time. If you are running a workload from a secure network, you can use an identity policy that restricts the access based on IP addresses.
- Configure a Temporary Policy for an IAM User
- Log in to the new IAM console as an administrator.
- In the navigation pane, choose Identity Policies.
- In the upper right corner, click Create Identity Policy. On the displayed page, enter the policy name and set Policy View to JSON.
- In the Policy Content area, enter the following policy and replace the value of the condition key g:CurrentTime with the required expiration time.
{
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [ "*" ],
            "Condition": {
                "DateGreaterThan": {
                    "g:CurrentTime": [ "2025-07-15T08:53:13Z" ]
                }
            }
        }
    ]
}
This policy denies all operations on all resources after the specified date. The DateGreaterThan operator checks whether the current time is later than the specified time.
- Click OK. The Identity Policies page is displayed. Search for the identity policy you created in the search box, select the policy, and click Attach to attach the policy to the specified IAM user.
Then, the identity policy is displayed on the Permissions tab of the user. If the current time reaches or exceeds the time specified in the identity policy, the user can no longer access Huawei Cloud resources. Ensure that developers are aware of the expiration dates you set for user permissions.
- Configure a Policy to Deny Access Based on the IP Address of an IAM User
- Log in to the new IAM console as an administrator.
- In the navigation pane, choose Identity Policies.
- In the upper right corner, click Create Identity Policy. On the displayed page, enter the policy name and set Policy View to JSON.
- In the Policy Content area, copy the following IAM policy to the JSON editor and change the public IP address or range as required. You can use a slash (/) to specify a single IP address or an IP address range. For more information, see g:SourceIp.
{
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [ "*" ],
            "Resource": [ "*" ],
            "Condition": {
                "NotIpAddress": {
                    "g:SourceIp": [ "xx.xx.xx.0/32" ]
                },
                "BoolIfExists": {
                    "g:ViaService": [ "false" ]
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [ "*" ],
            "Resource": [ "*" ],
            "Condition": {
                "NotIpAddress": {
                    "g:SourceIp": [ "xx.xx.xx.0/32" ]
                },
                "StringEquals": {
                    "g:CalledViaFirst": "service.console",
                    "g:CalledViaLast": "service.console"
                }
            }
        }
    ]
}
This policy denies all operations on all resources from any source other than the specified IP addresses. The NotIpAddress operator matches every IP address outside the specified addresses or range.
- Click OK. The Identity Policies page is displayed. Search for the identity policy you created in the search box, select the policy, and click Attach to attach the policy to the specified IAM user.
You can also apply the following policy as a service control policy (SCP) to multiple Huawei Cloud accounts. You are advised to use the condition key g:PrincipalUrn to apply the policy only to IAM users in the accounts restricted by the SCP.
{
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [ "iam:*:*" ],
            "Resource": [ "*" ],
            "Condition": {
                "NotIpAddress": {
                    "g:SourceIp": [ "xx.xx.xx.0/32" ]
                },
                "BoolIfExists": {
                    "g:ViaService": [ "false" ]
                },
                "StringMatch": {
                    "g:PrincipalUrn": [ "iam::<account-id>:user:<user-name>" ]
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [ "iam:*:*" ],
            "Resource": [ "*" ],
            "Condition": {
                "NotIpAddress": {
                    "g:SourceIp": [ "xx.xx.xx.0/32" ]
                },
                "StringEquals": {
                    "g:CalledViaFirst": "service.console",
                    "g:CalledViaLast": "service.console"
                },
                "StringMatch": {
                    "g:PrincipalUrn": [ "iam::<account-id>:user:<user-name>" ]
                }
            }
        }
    ]
}
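To check how the time-based policy, the IP-based policy, and the SCP above behave before attaching them, the following added example (not Huawei Cloud's own code or policy engine) models the Deny-only semantics of the condition operators they use (DateGreaterThan, NotIpAddress, BoolIfExists, StringEquals, StringMatch) and runs constructed request contexts through them. The IP range 192.0.2.10/32, the principal URN values, and the action names are made-up sample values.

```python
import fnmatch
import ipaddress
from datetime import datetime

def _cond(op, key, expected, ctx):
    """Evaluate one condition (operator, key, list of values) against the request context."""
    expected = expected if isinstance(expected, list) else [expected]
    if key not in ctx:                      # "...IfExists" operators treat a missing key as a match
        return op.endswith("IfExists")
    val = str(ctx[key])
    if op == "DateGreaterThan":
        parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
        return parse(val) > parse(expected[0])
    if op == "NotIpAddress":                # true when the source IP is outside every listed range
        return not any(ipaddress.ip_address(val) in ipaddress.ip_network(n, strict=False)
                       for n in expected)
    if op in ("StringEquals", "BoolIfExists"):
        return val.lower() in [str(e).lower() for e in expected]
    if op == "StringMatch":                 # '*' wildcard, as used for g:PrincipalUrn in the SCP
        return any(fnmatch.fnmatchcase(val, pat) for pat in expected)
    raise ValueError(f"unsupported operator: {op}")

def is_denied(policy, action, ctx):
    """Deny-only evaluation: denied if a Deny statement's Action matches and all its conditions hold."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if all(_cond(op, k, v, ctx) for op, block in stmt.get("Condition", {}).items()
               for k, v in block.items()):
            return True
    return False

# Constructed policies mirroring the page's JSON (192.0.2.10/32 is a made-up sample range).
TEMP_POLICY = {"Version": "5.0", "Statement": [{"Effect": "Deny", "Action": ["*"],
    "Condition": {"DateGreaterThan": {"g:CurrentTime": ["2025-07-15T08:53:13Z"]}}}]}
IP_POLICY = {"Version": "5.0", "Statement": [
    {"Effect": "Deny", "Action": ["*"], "Resource": ["*"], "Condition": {
        "NotIpAddress": {"g:SourceIp": ["192.0.2.10/32"]},
        "BoolIfExists": {"g:ViaService": ["false"]}}},
    {"Effect": "Deny", "Action": ["*"], "Resource": ["*"], "Condition": {
        "NotIpAddress": {"g:SourceIp": ["192.0.2.10/32"]},
        "StringEquals": {"g:CalledViaFirst": "service.console",
                         "g:CalledViaLast": "service.console"}}}]}
```

Note that a request forwarded by a service (g:ViaService true) from an outside IP is only denied by the second statement when the call chain started and ended at the console, which is why both statements are needed.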