Updated on 2022-02-22 GMT+08:00

Personal Data Protection Mechanism

To prevent personal data, such as the username, password, and mobile number, from being accessed by unauthorized entities or individuals, IAM encrypts the data before storing it, controls access to the data, and records all operations performed on the data.

Personal Data

Table 1 lists the personal data collected or generated by IAM.

Table 1 Personal data

Type

Source

Modifiable

Mandatory

Username

  • Entered when a user is created.
  • Entered when an API is called.

No

Yes

Usernames are used to identify users.

Password

  • Entered during user creation, credential modification, or password resetting.
  • Entered when an API is called.

Yes

No

You can choose between password- and AK/SK-based authentication.

Email address

Entered during user creation or credential or email address modification.

Yes

No

Mobile number

Entered during user creation or credential or mobile number modification.

Yes

No

AK (access key ID)/SK (secret access key)

Generated during credential setting on the My Credentials page or the IAM console.

No

You cannot modify AK/SK, but you can delete AK/SK and create a new one.

No

AK/SK are used to sign the requests sent to call APIs.

Personal Data Storage

IAM uses encryption algorithms to encrypt users' sensitive data before storing it.

  • Usernames and AKs: non-sensitive data, which is stored in plaintext.
  • Passwords, email addresses, mobile numbers, and SKs: encrypted before storage.

Access Control

Personal data is stored in the IAM database after being encrypted. Access to the database is controlled through a whitelist.

API Constraints

  • AK/SK authentication is required for API calling. You can obtain AK/SK only when they are created. If you have not obtained an AK/SK or have lost the obtained AK/SK, create a new one by using the console or calling an API. For security purposes, do not share your AK/SK with anyone.
  • IAM does not provide APIs for batch querying and modifying personal data.

Logs

IAM records all personal data operations, including adding, modifying, querying, and deleting personal data, and uploads them to Cloud Trace Service (CTS). You can query operation logs at any time.