Updated on 2025-04-18 GMT+08:00

Suggestions on Cloud Eye Security Configuration

This section provides actionable guidance for enhancing the overall security of Cloud Eye. You can continuously evaluate the security of Cloud Eye and combine different security capabilities to enhance overall defense. By doing this, stored data can be protected from leakage and tampering both at rest and in transit.

Consider the security configurations from the following aspects:

Granting User Permissions Using Access Control Capabilities

Grant IAM users with different roles only the permissions they need, to prevent data leakage or misoperations caused by excessive permissions.

To better isolate and manage permissions, you are advised to configure independent IAM administrators and grant them permissions to manage IAM policies. An IAM administrator can create different user groups based on your service requirements. User groups correspond to different data access scenarios. By adding users to user groups and binding IAM policies to user groups, the IAM administrator can grant different data access permissions to employees in different departments based on the principle of least privilege. For details, see Login Protection and Login Authentication Policy.

Protecting Privacy and Sensitive Information Through Data Masking

When a service request includes sensitive information, you are advised to use the data masking function. On the data masking page, create masking configurations for your components. The platform will then replace sensitive information in traces with a globally unique random character string (Hash code mode) or a fixed number of asterisks (*) (Mask mode). After the configuration is applied, you can go to the tracing page to view the trace details.
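The two masking modes described above, sketched as an added example (not Huawei Cloud's code). The HMAC token is a stand-in for Hash code mode, whose algorithm this page does not describe; the field names, key, asterisk count and sample trace are all constructed.

```python
import hashlib
import hmac

MASK_WIDTH = 6  # assumed asterisk count; the page only says "a fixed number"

def mask_value(value, mode, key):
    """Return the replacement for one sensitive value."""
    if mode == "mask":
        # Fixed width, so the output does not reveal the original length.
        return "*" * MASK_WIDTH
    if mode == "hash":
        # Keyed digest as a stand-in token. An unkeyed hash of a low-entropy
        # value (phone number, ID number) could be reversed by enumeration.
        digest = hmac.new(key, str(value).encode(), hashlib.sha256)
        return digest.hexdigest()[:32]
    raise ValueError(f"unknown masking mode: {mode!r}")

def mask_trace(node, rules, key):
    """Return a copy of a trace with every field named in rules masked."""
    if isinstance(node, dict):
        # A field named in rules is masked whole, even if it holds a nested
        # structure, so nothing under it can slip through unmasked.
        return {
            k: mask_value(v, rules[k], key) if k in rules
            else mask_trace(v, rules, key)
            for k, v in node.items()
        }
    if isinstance(node, list):
        return [mask_trace(item, rules, key) for item in node]
    return node

# Constructed sample trace and masking configuration (hypothetical names).
SAMPLE_TRACE = {
    "trace_id": "constructed-0001",
    "spans": [
        {"method": "POST /login",
         "tags": {"user": "alice", "password": "hunter2", "phone": "13800000000"}},
        {"method": "POST /pay",
         "tags": {"user": "alice", "card_no": "4111111111111111", "phone": "13800000000"}},
    ],
}
RULES = {"password": "mask", "card_no": "mask", "phone": "hash"}
KEY = b"constructed-demo-key"

def demo():
    return mask_trace(SAMPLE_TRACE, RULES, KEY)

if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In this sketch the masked fields are indistinguishable from one another, while the tokenised phone number can still be correlated across spans without exposing the number itself.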

Enabling CTS to Record All Cloud Eye Access Operations

Cloud Trace Service (CTS) is a log audit service intended for Huawei Cloud security. It allows you to collect, store, and query cloud resource operation records. You can use these records to track resource changes, analyze security compliance, and locate faults.

After you enable CTS and configure a tracker, CTS records management traces of Cloud Eye for auditing. For details about Cloud Eye operations recorded by CTS, see Key Cloud Eye Operations.