Recommendations for Using IAM

Updated on 2024-11-07 GMT+08:00

To establish secure access to your Huawei Cloud resources, follow these recommendations for the Identity and Access Management (IAM) service.

Do Not Create Access Keys for Your Account

Your account has all the permissions required to access resources and pay for their usage. Passwords and access keys (AKs/SKs) are both account credentials and carry the same permissions. A password is mandatory and is used for console login. Access keys are optional, supplement the password, and are used for programmatic requests made with development tools. Because access keys can be lost or accidentally disclosed, do not create access keys for your account.

Do Not Write Access Keys into Code

If you use APIs, CLI tools, or SDKs to access cloud services, do not write your access keys into the code. Load them from the runtime environment or a protected configuration store instead, so that they are never committed to a code repository.
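As an added illustration of this recommendation (example code, not from the Huawei Cloud documentation), the following Python reads the AK/SK from environment variables and provides a simple check that flags key-shaped string literals in source files. The variable names HUAWEICLOUD_SDK_AK/HUAWEICLOUD_SDK_SK and the assumed key shapes (20-character AK, 40-character SK) are assumptions made for the example; the sample source file is constructed and contains no real credentials.

```python
"""Keep Huawei Cloud access keys out of source code (added example, not from
the Huawei Cloud docs). The variable names HUAWEICLOUD_SDK_AK/HUAWEICLOUD_SDK_SK
and the key shapes checked (20-character AK, 40-character SK) are assumptions."""
import os
import re
from typing import List, Mapping, NamedTuple, Optional, Tuple

AK_VAR = "HUAWEICLOUD_SDK_AK"
SK_VAR = "HUAWEICLOUD_SDK_SK"

class Credentials(NamedTuple):
    ak: str
    sk: str

def load_credentials(env: Optional[Mapping[str, str]] = None) -> Credentials:
    """Read the AK/SK from the environment (or a supplied mapping).
    Deliberately no fallback to a literal in the code: missing variables
    raise instead of silently using an embedded key."""
    source = os.environ if env is None else env
    ak, sk = source.get(AK_VAR, "").strip(), source.get(SK_VAR, "").strip()
    if not ak or not sk:
        raise RuntimeError(f"set {AK_VAR} and {SK_VAR} outside the code base")
    return Credentials(ak, sk)

# A 20- or 40-character alphanumeric literal assigned to an AK/SK-like name
# is a probable hardcoded key (assumed key shapes, see module docstring).
_HARDCODED = re.compile(
    r'(?i)\b(?:ak|sk|access_?key|secret_?key)\w*\s*[=:]\s*["\']'
    r'([A-Za-z0-9]{20}|[A-Za-z0-9]{40})["\']'
)

def find_hardcoded_keys(source: str) -> List[Tuple[int, str]]:
    """Pre-commit style check: (line number, masked literal) for each string
    that looks like an access key written directly into the code."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        match = _HARDCODED.search(line)
        if match:
            hits.append((lineno, match.group(1)[:4] + "..."))
    return hits

# Constructed sample file; the key-shaped strings are not real credentials.
SAMPLE_SOURCE = """\
import os
AK = "ABCDEFGHIJKLMNOPQRST"
secret_key = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
region = "cn-north-4"
ak = os.environ["HUAWEICLOUD_SDK_AK"]
"""
```

Running `find_hardcoded_keys(SAMPLE_SOURCE)` reports lines 2 and 3 and leaves the environment lookup on line 5 alone; the same check can be run over every file staged in a commit hook.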

Create Individual IAM Users

If someone needs to access resources in your account, do not share your password with them. Instead, create an individual IAM user for them and grant required permissions to the IAM user. You can also create an IAM user for yourself, grant the IAM user administrator permissions, and perform routine management using the IAM user.

Set an Appropriate Access Type

You can set the access type of IAM users, including programmatic access and management console access. Note the following when you set the access type:

  • If the user accesses Huawei Cloud services only by using the management console, select Management console access for Access Type and Password for Credential Type.
  • If the user accesses Huawei Cloud services only through programmatic calls, select Programmatic access for Access Type and Access key for Credential Type.
  • If the user needs to use a password as the credential for programmatic access to certain APIs, select Programmatic access for Access Type and Password for Credential Type.
  • If the user needs to perform access key verification when using certain services in the console, such as creating a data migration job in the Cloud Data Migration (CDM) console, select Programmatic access and Management console access for Access Type and Access key and Password for Credential Type.

Grant Least Privilege

Granting users only the permissions required for their specific tasks is a standard security measure, and IAM's system-defined and custom policies let you do this. The principle of least privilege (PoLP) helps you establish secure access to your Huawei Cloud resources.

For IAM users who access cloud services by using APIs, CLI tools, or SDKs, grant permissions through narrowly scoped custom policies so that the impact is limited if an access key is accidentally disclosed or lost.

Enable Virtual MFA

Multi-factor authentication (MFA) adds an extra layer of protection on top of an account's identity credentials. It is recommended that you enable MFA for your account and for privileged users created under your account. With MFA enabled, users must enter their username and password plus a verification code generated by the bound virtual MFA device to log in to the management console.

An MFA device can be hardware- or software-based. Currently, Huawei Cloud supports software-based virtual MFA devices: a program that runs on a portable device (such as a mobile phone) and generates a six-digit verification code for identity authentication.

Set a Strong Password Policy

To ensure that IAM users use only complex passwords and change them periodically, set a password policy that defines strong password requirements, such as the minimum password length, whether consecutive identical characters are allowed, and whether previously used passwords may be reused.

Enable Critical Operation Protection

Enable critical operation protection to guard against misoperations. When you or users created under your account perform critical operations, such as deleting resources or generating access keys, a verification code must be provided before the operation proceeds.

Periodically Change Your Identity Credentials

Periodically changing your password and access keys can prevent risks caused by their accidental disclosure or loss.

  • Set a password validity period to require you and users created under your account to change passwords. IAM starts displaying a prompt 15 days before a password expires.
  • You can create two access keys and rotate between them. For example, use access key 1 for a certain period and access key 2 for the next period; once applications have switched to access key 2, you can delete access key 1 and generate another access key in its place.

Delete Unnecessary Identity Credentials

For users who only need the console, do not create access keys for them, and delete any access keys that have already been created. If a user has not logged in for a long period, change the user's password and delete the user's access keys. In addition, set an account validity period so that user accounts that have not been used for a long time are disabled automatically.

Delegate Resource Access to Applications Running on ECSs

Applications running on Elastic Cloud Servers (ECSs) can access other Huawei Cloud services only if they are given a credential. To provide credentials securely, create an agency in IAM that grants the required permissions to the ECS where the applications run, and configure the agency for the ECS so that the applications can obtain temporary access keys. The ECS requests a temporary credential from IAM and accesses resources according to the permissions granted through the agency. ECS rotates temporary credentials automatically, so that long-lived keys never need to be stored on the server.

When you start an ECS, you can specify an agency for the ECS as a startup parameter. Applications running on the ECS can access Huawei Cloud resources by providing the temporary access key obtained using the agency. The agency determines which applications can access specific resources.

Enable CTS

Cloud Trace Service (CTS) is a log audit service provided by Huawei Cloud. It collects, stores, and queries records of operations on IAM, supporting security analysis, compliance audit, resource tracking, and fault location. It is recommended that you enable CTS to record key IAM operations, such as creating and deleting IAM users.
