Identity Authentication and Access Control
Identity and Access Management (IAM) provides functions such as user identity authentication, permission assignment, and access control. You can use IAM to securely control user access to your BMSs. IAM permissions define which actions on your cloud resources are allowed or denied. After creating an IAM user, add it to a user group and grant the permissions required by BMS to the user group. Then, all users in this group will be automatically granted with these permissions.
Account Security
If you are an enterprise administrator, you can use IAM to create a user and grant permissions to the user. Enterprise employees can use the user account to access the system, and you do not need to share your account password or key pair with them. This helps you manage resources efficiently. You can also configure account security policies to protect these user accounts and reduce security risks for your enterprise information.
Fine-Grained Authorization
You can grant refined permissions to employee accounts to ensure that cloud services are properly used. For details, see BMS Permissions Policies and Supported Actions.
Security Group
A security group is a virtual firewall that detects status and filters data packets. It is an important network isolation method used for access control of ECSs, BMSs, load balancers, and databases.
You can configure security group rules to allow instances in a security group to access the public or private network.
- A security group is a logical group. You can add BMSs that have the same security protection requirements within a region to the same security group.
- By default, BMSs in the same security group can communicate with each other through an internal network, whereas BMSs in different security groups cannot.
- You can modify a security group rule at any time, and the modification takes effect immediately.
Default Security Group
When you create a BMS in a region, the system will create a default security group if there is no security group in the region.
The default security group rule allows all outgoing data packets and blocks incoming data packets. BMSs in this security group can access each other already. You do not need to add additional rules.
Table 1 describes the rules of the default security group (Sys-default).
Direction |
Priority |
Action |
Protocol |
Port/Range |
Source/Destination |
Description |
|---|---|---|---|---|---|---|
Outbound |
100 |
Allow |
All |
All |
Destination: 0.0.0.0/0 |
Allows all outbound traffic. |
Inbound |
100 |
Allow |
All |
All |
Source: Current security group name |
Allows communications among BMSs within the same security group on any port. |
Inbound |
100 |
Allow |
TCP |
22 |
Source: 0.0.0.0/0 |
Allows all IP addresses to access Linux BMSs over SSH. |
Inbound |
100 |
Allow |
TCP |
3389 |
Source: 0.0.0.0/0 |
Allows all IP addresses to access Windows BMSs over RDP. |
For more information, see Security Group Overview.
Key Pair Authentication
- What is a key pair?
A key pair, or SSH key pair, is an authentication method used when you remotely log in to Linux instances. A key pair is generated using an encryption algorithm. It contains a public key, and a private key reserved for you. The public key is used to encrypt data (for example, a password), and the private key is used to decrypt the data.
HUAWEI CLOUD stores the public key, and you need to store the private key. Do not share your private key with anyone. Keep your private key secure.
- Advantages
A key pair is more secure and easier to use than username/password in authentication.
Item |
Key pair |
Username and Password |
|---|---|---|
Security |
|
Less secure |
Easy to use |
Simultaneous login to a large number of Linux instances, simplifying management |
Login to only one Linux instance at one time, giving no chance of batch maintenance |
- Constraints
- Only Linux instances support the key pair method.
- Only RSA key pairs are supported. RSA keys are typically 1024, 2048, or 4096 bits long.
- A Linux instance can have only one key pair. If a key pair has been bound to your BMS and you bind a new key pair to the BMS, the new key pair will replace the original one.
- Generation
- Create a key pair on the management console.
When a key pair is generated, download and properly keep it.
- Use PuTTYgen to create a key pair and import the key pair into HUAWEI CLOUD.
- Create a key pair on the management console.
Helpful Links
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
