Updated on 2025-05-22 GMT+08:00

SEC02-03 Security Management and Credential Usage

Use temporary credentials instead of long-term or permanent credentials for identity authentication to reduce or eliminate risks caused by credential leakage, sharing, or theft.

  • Risk level

    High

  • Key strategies
    • There are two types of credentials: long-term credentials, which include the user's login password and permanent AK/SK, and short-term credentials, which include temporary AK/SK and permissions obtained through an agency. Do not hard-code long-term credentials in code, to prevent leakage. Use temporary credentials to call Huawei Cloud SDKs or APIs.
    • Use long-term credentials only in scenarios where temporary credentials cannot be used. In this case, store the long-term credentials in a file outside the code or have them hosted by a third party, and use them as variables. In addition, periodically audit and rotate your credentials to reduce risks.
    • Audit your identity providers and identities configured in IAM to ensure that only authorized identities can access your workloads.
    • Use Data Encryption Workshop (DEW) to host credentials. DEW allows you to centrally manage, retrieve, and securely store various credentials, including database account passwords, server passwords, SSH keys, and AKs.
    • Use Cloud Secret Management Service (CSMS) in DEW to periodically rotate credentials.
    • Use an IAM agency to grant operation permissions to cloud services or other accounts.
  • Related cloud services and tools
    • DEW
    • IAM
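
The key strategies above can be enforced where a workload loads its credentials. The following is an added example, not Huawei Cloud code: it reads AK/SK from variables outside the code, accepts temporary credentials until they expire, and accepts a long-term AK/SK only with an explicit opt-in and inside a rotation window. The environment variable names and the 90-day interval are assumptions made for this example.

```python
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed variable names and rotation interval for this example (not Huawei Cloud defaults).
ENV_AK, ENV_SK, ENV_TOKEN = "APP_CLOUD_AK", "APP_CLOUD_SK", "APP_CLOUD_SECURITY_TOKEN"
ENV_EXPIRES, ENV_CREATED = "APP_CLOUD_EXPIRES_AT", "APP_CLOUD_AK_CREATED_AT"
ENV_ALLOW_LONG_TERM = "APP_ALLOW_LONG_TERM_AK"
MAX_LONG_TERM_AGE = timedelta(days=90)

class CredentialPolicyError(Exception):
    """The supplied credentials violate the usage policy."""

@dataclass(frozen=True)
class Credentials:
    ak: str
    sk: str = field(repr=False)  # keep secrets out of logs and tracebacks
    security_token: Optional[str] = field(default=None, repr=False)

    @property
    def temporary(self) -> bool:
        return self.security_token is not None

def _timestamp(env, name):
    """Read a timezone-aware ISO 8601 timestamp from the environment mapping."""
    try:
        ts = datetime.fromisoformat(env[name])
    except (KeyError, ValueError) as exc:
        raise CredentialPolicyError(f"{name} is missing or not ISO 8601") from exc
    if ts.tzinfo is None:
        raise CredentialPolicyError(f"{name} must carry a UTC offset")
    return ts

def load_credentials(env=os.environ, now=None) -> Credentials:
    """Return credentials from env; a security token marks them as temporary."""
    now = now or datetime.now(timezone.utc)
    ak, sk, token = env.get(ENV_AK), env.get(ENV_SK), env.get(ENV_TOKEN)
    if not ak or not sk:
        raise CredentialPolicyError("AK/SK must be supplied through the environment")
    if token:  # temporary AK/SK: valid only until the recorded expiry time
        if _timestamp(env, ENV_EXPIRES) <= now:
            raise CredentialPolicyError("temporary credentials have expired")
        return Credentials(ak, sk, token)
    # Long-term AK/SK: require an explicit opt-in and a key inside the rotation window.
    if env.get(ENV_ALLOW_LONG_TERM) != "1":
        raise CredentialPolicyError("long-term AK/SK is not permitted for this workload")
    if now - _timestamp(env, ENV_CREATED) > MAX_LONG_TERM_AGE:
        raise CredentialPolicyError("long-term AK/SK is overdue for rotation")
    return Credentials(ak, sk)
```

The returned `ak`, `sk` and `security_token` values are then passed to whichever SDK or API client the workload uses.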