Suggestions on LTS Security Configuration
Security is a shared responsibility between Huawei Cloud and you. Huawei Cloud is responsible for the security of the cloud services themselves, providing a secure cloud. As a tenant, you should properly use the security capabilities provided by cloud services to protect your data and use the cloud securely. For details, see Shared Responsibilities.
This section provides actionable guidance for enhancing the overall security of LTS. You can continuously evaluate the security of your LTS resources and enhance their overall defensive capabilities by combining different security capabilities provided by LTS. By doing this, data stored in LTS can be protected from leakage and tampering both at rest and in transit.
Consider the following aspects for your security configurations:
- Properly Managing Your Identity Authentication Information to Prevent Data Leaks
- Enhancing Permissions Management and Improving Access Control
- Enabling CTS to Record LTS Operations
- Building Data Backup and Restoration Capabilities for Higher Data Security and Reliability
- Keeping Data in Transit Safe
- Using the Latest SDKs for Better Experience and Security
- Protecting Sensitive Data to Reduce Leakage
Properly Managing Your Identity Authentication Information to Prevent Data Leaks
Whether you access LTS through the console, APIs, or SDKs, you must provide identity credentials and pass identity authentication. LTS supports three IAM-based identity authentication modes: username and password, permanent access key (AK/SK), and temporary access key. In addition, login protection and login authentication policies are provided to harden identity authentication.
- Using a temporary AK/SK (recommended)
Reporting logs or managing LTS resources via LTS APIs or SDKs requires identity credentials to ensure request confidentiality and integrity and to verify the identity of the requester. You are advised to configure an IAM agency to obtain temporary AK/SK pairs, or to configure temporary AK/SK pairs directly for your applications or cloud services. A temporary AK/SK expires after a short period, which limits the damage if it is leaked. For details, see Temporary Access Key and Obtaining Temporary Access Keys and Security Tokens of an Agency.
- Regularly changing a permanent AK/SK
If you use a permanent AK/SK, change it regularly and encrypt it for storage to prevent data leakage. For details, see Access Keys.
- Regularly changing your password and avoiding weak passwords
Regularly resetting passwords is a key measure to enhance system and application security. This practice lowers the chances of password exposure and helps you meet compliance requirements, mitigate internal risks, and boost security awareness. Also, use complex passwords to reduce risks. For details, see Password Policy.
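The three credential recommendations above (prefer short-lived temporary AK/SK pairs, rotate permanent AK/SK pairs regularly) are easier to enforce when an automated check reports which credentials are expired, about to expire, or overdue for rotation. The following Python script is an added example, not code from the LTS documentation or any Huawei Cloud SDK; it works on a constructed list of credential metadata records (name, kind, expiry or creation time) and assumes a 90-day rotation policy for permanent keys. It never touches the secret material itself, only the metadata, so it can run from a CI job or a cron task without handling secrets.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample credential metadata (not from any real account).
# "temporary" records carry an expiry; "permanent" records carry a creation time.
SAMPLE_CREDENTIALS = [
    {"name": "agency-temp-key", "kind": "temporary", "expires_at": "2024-06-01T10:00:00Z"},
    {"name": "ci-permanent-key", "kind": "permanent", "created_at": "2023-11-01T00:00:00Z"},
    {"name": "fresh-permanent-key", "kind": "permanent", "created_at": "2024-05-20T00:00:00Z"},
]

# Assumed policy values: rotate permanent keys older than 90 days and warn when
# a temporary credential has less than 15 minutes of validity left.
MAX_PERMANENT_KEY_AGE = timedelta(days=90)
EXPIRY_WARNING_WINDOW = timedelta(minutes=15)


def parse_utc(timestamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_credential(cred: dict, now: datetime) -> tuple:
    """Classify one credential record at time `now`.

    Returns (status, message) where status is one of:
    "ok", "expiring", "expired", "rotate", "unknown".
    """
    if cred["kind"] == "temporary":
        expires = parse_utc(cred["expires_at"])
        remaining = expires - now
        if remaining <= timedelta(0):
            return "expired", f"{cred['name']} expired at {expires.isoformat()}; obtain a new temporary AK/SK"
        if remaining <= EXPIRY_WARNING_WINDOW:
            return "expiring", f"{cred['name']} expires in {int(remaining.total_seconds())}s; refresh soon"
        return "ok", f"{cred['name']} valid for {remaining}"

    if cred["kind"] == "permanent":
        age = now - parse_utc(cred["created_at"])
        if age > MAX_PERMANENT_KEY_AGE:
            return "rotate", f"{cred['name']} is {age.days} days old; exceeds {MAX_PERMANENT_KEY_AGE.days}-day rotation policy"
        return "ok", f"{cred['name']} is {age.days} days old"

    return "unknown", f"{cred['name']} has unrecognised kind {cred.get('kind')!r}"


def audit(credentials: list, now: datetime = None) -> dict:
    """Evaluate every record and return {name: (status, message)}."""
    if now is None:
        now = datetime.now(timezone.utc)
    return {c["name"]: evaluate_credential(c, now) for c in credentials}


def findings(credentials: list, now: datetime = None) -> list:
    """Return only the names that need action, in a stable order."""
    return [name for name, (status, _) in audit(credentials, now).items() if status != "ok"]


if __name__ == "__main__":
    # Fixed clock so the constructed sample gives reproducible output.
    clock = parse_utc("2024-06-01T09:50:00Z")
    for name, (status, message) in audit(SAMPLE_CREDENTIALS, clock).items():
        print(f"[{status:8}] {message}")
```

Run with a real clock, the script reports on whatever metadata you feed it; the fixed clock in the `__main__` block only exists to make the constructed sample deterministic. The check is intentionally metadata-only: the AK/SK values themselves should stay in your secret store, and the audit output should not contain them either.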
Enhancing Permissions Management and Improving Access Control
If you need to grant employees in your enterprise different levels of access to your LTS resources, IAM provides fine-grained permissions management. IAM combines identity authentication, permissions management, and access control to help you secure access to your LTS resources. You can assign LTS system-defined permissions or define fine-grained permissions so that each user receives only the least privilege required. For details, see Permissions.
Enabling CTS to Record LTS Operations
Cloud Trace Service (CTS) is a professional log audit service for Huawei Cloud security solutions. It enables you to collect, store, and query resource operation records (traces). You can use these traces to perform security analysis, track resource changes, audit compliance, backtrack problems, and locate faults.
After you enable CTS and configure a tracker, CTS records traces of LTS for auditing. For details, see section "LTS Traces".
Building Data Backup and Restoration Capabilities for Higher Data Security and Reliability
Build restoration and disaster recovery (DR) capabilities in advance to prevent data from being deleted or damaged by mistake in abnormal data processing scenarios.
- Log redundancy
By default, LTS stores log data in multiple copies for data reliability.
- LTS DR solution
LTS uses intra-AZ instance DR and multi-AZ DR to enhance service durability and reliability. Within the same AZ, LTS uses multiple instances to implement DR and quickly removes faulty nodes to ensure continuous service availability. In multi-AZ scenarios, LTS supports cross-AZ DR, maintaining service availability even if an AZ is abnormal.
- Properly setting the log retention period
Logs are deleted automatically once their retention period ends, so set the retention duration according to how long you actually need the data. LTS allows you to configure log retention periods separately for log groups and log streams. If you disable Log Retention (Days) for a log stream, its logs are retained for the period set on the log group to which the log stream belongs.
- Transferring logs to OBS
You can transfer logs to OBS for long-term storage. OBS supports encrypted data storage, allowing you to select an encrypted OBS bucket for storing sensitive data. For details, see Transferring Logs to OBS.
Keeping Data in Transit Safe
You are advised to use HTTPS to access LTS. This protects the integrity and confidentiality of data transmitted between clients and servers, preventing data theft or damage during transmission.
Using the Latest SDKs for Better Experience and Security
Use the latest LTS SDKs to better protect your data. For details, see LTS SDK Reference.