Updated on 2022-08-18 GMT+08:00

Personal Data Protection Mechanism

To prevent personal data, such as the username, password, and mobile number, from being accessed by unauthorized entities or individuals, IAM encrypts the data before storing it. IAM also controls access to the data and records all operations performed on the data.

Personal Data

Table 1 lists the personal data generated or collected by IAM.

Table 1 Personal data

Type

Source

Modifiable

Mandatory

Username.

  • Entered when you create a user on the management console.
  • Entered when you call an API.

No

Yes

Usernames are used to identify users.

Password

  • Entered when you create a user, modify user credentials, or reset the password on the management console.
  • Entered when you call an API.

Yes

No

You can also choose AK/SK authentication.

Email address

Entered when you create a user, modify user credentials, or change the email address on the management console.

Yes

No

Mobile number

Entered when you create a user, modify user credentials, or change the mobile number on the management console.

Yes

No

AK/SK

Created on the My Credentials page or the IAM console.

No

AK/SK cannot be modified, but they can be deleted and created again.

No

AK/SK are used to sign the requests sent to call APIs.

Personal Data Storage

IAM uses encryption algorithms to encrypt user data before storing it.

  • Usernames and AKs: non-sensitive data, which is stored in plaintext.
  • Passwords, email addresses, mobile numbers, and SKs: sensitive data, which is encrypted before storage.

Access Control

Personal data is stored in the IAM database after being encrypted. Access to the database is controlled through the whitelist mechanism.

MFA Authentication

You can enable login protection and critical operation protection by choosing Security Settings > Critical Operations. If you enable these functions, users under your account must verify their identity by SMS, email, or virtual MFA device before they log in or perform a critical operation.

API Constraints

  • AK/SK authentication is required for calling APIs. You can create an access key (AK/SK) and download the file containing the access key. If you are unable to locate the file, you can create an access key again and download the file. Do not share your access key with anyone else.
  • IAM does not provide APIs for batch querying and modifying personal data.

Operation Logs

IAM logs all personal data operations, including adding, modifying, querying, and deleting personal data. It uploads operation logs to CTS, and allows users to query only their own operation logs.