
Security Best Practices

Updated on 2024-12-30 GMT+08:00

Security is a shared responsibility between Huawei Cloud and you. Huawei Cloud is responsible for the security of cloud services to provide a secure cloud. As a tenant, you should properly use the security capabilities provided by cloud services to protect data, and securely use the cloud. For details, see Shared Responsibilities.

This section provides actionable guidance for enhancing the overall security of using TaurusDB. You can continuously evaluate the security status of your TaurusDB resources and enhance their overall security defense by combining different security capabilities provided by TaurusDB. By doing this, data stored in TaurusDB can be protected from leakage and tampering both at rest and in transit.

You can make security configurations from the following dimensions to match your workloads.

Connecting to a DB Instance over a Private Network

  1. Connecting to a DB instance through DAS

    Data Admin Service (DAS) lets you connect to and manage DB instances with ease on a web-based console. By default, you have the permissions required for remote login. DAS is secure and convenient, so it is the recommended way to log in to DB instances. For details, see Connecting to a DB Instance Through DAS.

  2. Connecting to a DB instance over its private IP address

    If your application is deployed on an ECS in the same region and VPC as the DB instance, you are advised to connect from the ECS to the DB instance using the instance's private IP address, which gives you better security and performance. For details, see Connecting to a DB Instance over a Private Network.

Configuring Access Control Permissions

Access control can prevent your data from being stolen or damaged.

  1. Configuring only the minimum permissions for IAM users with different roles

    To better isolate and manage permissions, you are advised to configure an independent IAM administrator and grant them the permission to manage IAM policies. The IAM administrator can create different user groups based on your service requirements. User groups correspond to different data access scenarios. By adding users to user groups and binding IAM policies to user groups, the IAM administrator can grant different data access permissions to employees in different departments based on the principle of least privilege. For details, see Permissions Management.

  2. Configuring security group rules

    After a DB instance is created, you can configure inbound and outbound security group rules to control access to and from the DB instance. This can prevent untrusted third parties from connecting to your DB instance. For details, see Configuring Security Group Rules.

  3. Using a non-default port

    The default port (3306) is vulnerable to scanning attacks. You are advised to change the port to a non-default one. For details, see Changing a Database Port.

  4. Periodically changing the administrator password

    The default database administrator account root has high permissions. You are advised to periodically change the password of user root by referring to Resetting the Administrator Password.

  5. Using different non-administrator accounts to manage databases

    You can create different read-only or read/write accounts for database management based on actual requirements. For details, see Creating an Account.

  6. Enabling multi-factor authentication for critical operations

    TaurusDB supports critical operation protection. After this function is enabled, the system authenticates your identity when you perform critical operations like deleting a DB instance, to further secure your data and configurations. For details, see Critical Operation Protection.
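The security group and port advice above, as an added audit helper that is not part of the original page: it flags rules that let the database port in from anywhere or from outside a trusted VPC range, and warns when the instance still listens on 3306. The rule layout, severities and sample rules are assumptions constructed for this example.

```python
"""Audit a TaurusDB instance's inbound security group rules against the page's
advice: admit only trusted sources and avoid the default port. Hypothetical
helper; the rule data at the bottom is constructed for this example."""
import ipaddress
from dataclasses import dataclass

DEFAULT_DB_PORT = 3306  # MySQL-compatible default the page advises changing

@dataclass
class InboundRule:
    protocol: str      # "tcp", "udp", "icmp" or "any"
    port_from: int     # 0-0 means all ports
    port_to: int
    source_cidr: str   # remote address range the rule admits

def rule_covers_port(rule, port):
    """True if the rule admits TCP traffic to `port`."""
    if rule.protocol.lower() not in ("tcp", "any"):
        return False
    if rule.port_from == 0 and rule.port_to == 0:
        return True
    return rule.port_from <= port <= rule.port_to

def audit_db_access(rules, db_port, trusted_cidr):
    """Return (severity, message) findings for the port and every rule reaching it."""
    findings = []
    if db_port == DEFAULT_DB_PORT:
        findings.append(("medium", "DB listens on default port 3306; use a non-default port"))
    trusted = ipaddress.ip_network(trusted_cidr, strict=False)
    for r in rules:
        if not rule_covers_port(r, db_port):
            continue  # does not reach the database port
        src = ipaddress.ip_network(r.source_cidr, strict=False)
        if src.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            findings.append(("high", f"{r.source_cidr} reaches port {db_port} from any address"))
        elif src.version != trusted.version or not src.subnet_of(trusted):
            findings.append(("medium", f"{r.source_cidr} is outside trusted range {trusted_cidr}"))
    return findings

# Constructed sample: one rule per situation the audit distinguishes.
SAMPLE_RULES = [
    InboundRule("tcp", 3306, 3306, "0.0.0.0/0"),        # open to the Internet
    InboundRule("tcp", 3306, 3306, "192.168.10.0/24"),  # app subnet in the VPC
    InboundRule("tcp", 1, 65535, "10.8.0.0/16"),        # other network, all ports
    InboundRule("tcp", 22, 22, "0.0.0.0/0"),            # not the DB port
    InboundRule("icmp", 0, 0, "0.0.0.0/0"),             # not TCP
]
```

Run `audit_db_access(SAMPLE_RULES, 3306, "192.168.0.0/16")` to see one finding for the default port, one high finding for the open rule and one medium finding for the foreign network; the in-VPC subnet rule produces nothing.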

Building Disaster Recovery Capabilities

Build restoration and disaster recovery (DR) capabilities in advance to prevent data from being deleted or damaged accidentally in the event of failures.

  1. Configuring an automated backup policy

    When you create a DB instance, an automated backup policy is enabled by default. For security purposes, the automated backup policy cannot be disabled. After the DB instance is created, you can customize the automated backup policy as required. Then TaurusDB backs up data based on the automated backup policy you configure. TaurusDB backs up data at the DB instance level, rather than the database level. If a database is faulty or data is damaged, you can still restore it from backup to ensure data reliability. Backing up data affects the database read and write performance, so you are advised to set the automated backup time window to off-peak hours. For details, see Configuring a Same-Region Backup Policy.

  2. Enabling cross-region backup

    TaurusDB can store backups in a different region from the DB instance for disaster recovery. If a DB instance in a region is faulty, you can use the backups in another region to restore data to a new DB instance. For details, see Configuring a Cross-Region Backup Policy.

Keeping Data in Transit Safe

  1. Using HTTPS to access data

    Hypertext Transfer Protocol Secure (HTTPS) protects the confidentiality and integrity of communications between clients and servers. You are advised to use HTTPS for data access.

  2. Using SSL to connect to a DB instance

    Secure Sockets Layer (SSL) is an encryption-based Internet security protocol for establishing secure links between a server and a client. It provides privacy, authentication, and integrity for Internet communications: encryption prevents data theft, and integrity protection ensures that data is not modified in transit. For details, see Configuring SSL.

Auditing TaurusDB Operation Logs to Check Exceptions

  1. Enabling CTS to record all TaurusDB access operations

    Cloud Trace Service (CTS) records operations on cloud resources in your account. You can use the logs generated by CTS to perform security analysis, track resource changes, audit compliance, and locate faults.

    After you enable CTS and configure a tracker, CTS can record management and data traces of TaurusDB for auditing. For details, see Key Operations Supported by CTS.

  2. Enabling SQL Explorer to record all SQL statements

    Enabling SQL Explorer will allow TaurusDB to store all SQL statement logs for analysis. For details, see Configuring SQL Explorer for a DB Instance.

  3. Using Cloud Eye for real-time monitoring of security events

    Huawei Cloud provides the Cloud Eye service to automatically monitor your DB instance, report alarms, and send notifications in real time, so that you can have a clear understanding of the status and alarm events of your DB instance.

    You do not need to separately subscribe to Cloud Eye. It starts automatically once you create a resource (a TaurusDB instance, for example).

    For details, see What Is Cloud Eye?
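The auditing steps above, as an added triage example that is not part of the original page: it reads constructed CTS-style trace records and SQL Explorer statements, raises alerts for the critical operations the page names (instance deletion, administrator password reset), for principals outside an allow-list and for risky SQL, and flags users who perform several critical operations within a short window. Field names, operation names and the sample records are assumptions for this example, not the real CTS or SQL Explorer schema.

```python
"""Triage constructed CTS-style trace records and SQL Explorer statements for the
TaurusDB operations the page calls critical. Hypothetical helper: field and
operation names are assumptions, not the real CTS schema."""
import json
import re
from datetime import datetime, timedelta

# Operation names assumed for the example; map them to your tracker's names.
CRITICAL_OPS = {"deleteInstance", "resetPassword", "modifySecurityGroup"}
RISKY_SQL = re.compile(r"^\s*(DROP\s+(DATABASE|TABLE)|GRANT\s+ALL|CREATE\s+USER)\b", re.I)

def parse_traces(lines):
    """One JSON object per line -> list of dicts (blank lines skipped)."""
    return [json.loads(ln) for ln in lines if ln.strip()]

def triage(records, expected_users):
    """(time, user, reason) alerts for critical ops, unexpected principals, risky SQL."""
    alerts = []
    for rec in records:
        user, op, sql = rec.get("user", "?"), rec.get("trace_name", ""), rec.get("sql", "")
        if op in CRITICAL_OPS:
            alerts.append((rec["time"], user, f"critical operation {op}"))
        if user not in expected_users:
            alerts.append((rec["time"], user, "unexpected principal"))
        if sql and RISKY_SQL.search(sql):
            alerts.append((rec["time"], user, f"risky SQL: {sql.strip()}"))
    return alerts

def critical_bursts(records, window=timedelta(minutes=10), threshold=2):
    """Users with at least `threshold` critical operations inside one window."""
    per_user = {}
    for rec in records:
        if rec.get("trace_name") in CRITICAL_OPS:
            per_user.setdefault(rec["user"], []).append(datetime.fromisoformat(rec["time"]))
    bursty = set()
    for user, times in per_user.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            bursty.add(user)
    return bursty

# Constructed sample records (not real CTS output); EXPECTED_USERS is the allow-list.
SAMPLE_TRACES = """
{"time": "2024-12-30T10:05:00", "user": "dev-ops", "trace_name": "resetPassword"}
{"time": "2024-12-30T10:06:00", "user": "dev-ops", "trace_name": "deleteInstance"}
{"time": "2024-12-30T10:07:00", "user": "contractor", "trace_name": "modifySecurityGroup"}
{"time": "2024-12-30T10:09:00", "user": "app-rw", "sql": "DROP TABLE orders"}
{"time": "2024-12-30T10:10:00", "user": "app-ro", "sql": "SELECT id FROM orders"}
""".splitlines()
EXPECTED_USERS = {"iam-admin", "dev-ops", "app-rw", "app-ro"}
```

`triage(parse_traces(SAMPLE_TRACES), EXPECTED_USERS)` yields five alerts (three critical operations, one unexpected principal, one risky statement), and `critical_bursts` singles out dev-ops for two critical operations one minute apart.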

Using the Latest SDKs for Better Experience and Security

You are advised to use the latest version of the SDK to better use TaurusDB and protect your data. To download the latest SDK for each language, see SDK Overview.
