Suggestions on Using DMS for RocketMQ Securely
Huawei Cloud and you share the responsibility for security. Huawei Cloud ensures the security of cloud services for a secure cloud. As a tenant, you should utilize the security capabilities provided by cloud services to protect data and use the cloud securely. For details, see Shared Responsibilities.
This section guides you on how to enhance overall DMS for RocketMQ security through best practices. You can improve the security of your DMS for RocketMQ resources by continuously monitoring their security status, combining multiple security capabilities provided by DMS for RocketMQ, and protecting data stored in DMS for RocketMQ from leakage and tampering both at rest and in transit.
Configure security settings from the following dimensions to meet your service needs.
- Protecting Data Through Access Control
- Transmission Encryption with SSL
- Do Not Store Sensitive Data
- Data Restoration and Disaster Recovery
- Checking for Abnormal Data Access
- Using the Latest SDKs for Better Experience and Security
Protecting Data Through Access Control
- Set only the minimum permissions for IAM users with different roles to prevent data leakage or misoperations caused by excessive permissions.
To better isolate and manage permissions, you are advised to configure an independent IAM administrator and grant them the permission to manage IAM policies. The IAM administrator can create different user groups based on your service requirements. User groups correspond to different data access scenarios. By adding users to user groups and binding IAM policies to user groups, the IAM administrator can grant different data access permissions to employees in different departments based on the principle of least privilege. For details, see Permissions Management.
- Configure a security group to protect your data from abnormal reads or other operations.
Configure inbound traffic rules for a security group by referring to Table 1 to regulate network access to an instance, and prevent unauthorized exposure to third parties.
Table 1 Security group rules Instance Version
Direction
Protocol
Port
Source
Description
- 4.8.0
- 5.x
Inbound
TCP
8100
The client address to access a DMS for RocketMQ instance. Do not set it to 0.0.0.0/0.
The port is used for private network access to instances using TCP.
- 4.8.0
- 5.x
Inbound
TCP
8200
The port is used for public network access to instances using TCP.
- 4.8.0
- 5.x
Inbound
TCP
10100–10199
The port is used for accessing service nodes using TCP.
5.x
Inbound
TCP
8080
The port is used for private network access to instances using gRPC.
5.x
Inbound
TCP
8081
The port is used for public network access to instances using gRPC.
- Configure a password for accessing your DMS for RocketMQ instance (by enabling ACL) to prevent unauthorized clients from operating it by mistake.
Enable ACL in either of the following ways.
- Enable ACL during instance purchase. For details, see Buying a RocketMQ Instance.
- Enable ACL on the instance Basic Information page. For details, see Viewing and Modifying Basic Information of a RocketMQ Instance.
- Enable multi-factor authentication for sensitive operations to protect your data from accidental deletion.
DMS for RocketMQ offers sensitive operation protection to enhance the security of your data. With this function enabled, the system authenticates the identity before sensitive operations such as instance deletion are performed. For more information, see Critical Operation Protection.
Transmission Encryption with SSL
To prevent data from breaches or damage during transmission, access DMS for RocketMQ using SSL encryption.
You need to select SSL during instance purchase. For details, see Buying a RocketMQ Instance.
Do Not Store Sensitive Data
Currently, DMS for RocketMQ does not support data encryption. Avoid storing sensitive data into message queues.
Data Restoration and Disaster Recovery
Build restoration and disaster recovery (DR) capabilities in advance to prevent data from being deleted or damaged by mistake in abnormal data processing scenarios.
Checking for Abnormal Data Access
- Enable Cloud Trace Service (CTS) to record all DMS for RocketMQ access operations for future audit.
CTS records operations on the cloud resources in your account. You can use the logs generated by CTS to perform security analysis, track resource changes, audit compliance, and locate faults.
After you enable CTS and configure a tracker, CTS can record management and data traces of DMS for RocketMQ for auditing. For details, see Viewing RocketMQ Audit Logs.
- Use Cloud Eye for real-time monitoring and alarm reporting on security events.
To monitor DMS for RocketMQ instances, Huawei Cloud provides Cloud Eye. Cloud Eye supports automatic real-time monitoring, alarms, and notification for requests and traffic in DMS for RocketMQ instances.
Cloud Eye is enabled automatically after you create a DMS for RocketMQ instance. For details, see DMS for RocketMQ Metrics and Configuring RocketMQ Alarms.
Using the Latest SDKs for Better Experience and Security
Upgrade to the latest version of SDKs to enhance the protection of your data and DMS for RocketMQ usage. To download the latest SDK of a language, see SDK Overview.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
