Updated on 2024-12-30 GMT+08:00

Security Best Practices

Security is a shared responsibility between Huawei Cloud and you. Huawei Cloud is responsible for the security of the cloud itself, that is, of the underlying infrastructure and the cloud services built on it. As a tenant, you are responsible for using the security capabilities those services provide to protect your data and for using the cloud securely. For details, see Shared Responsibilities.

This section provides actionable guidance for enhancing the overall security of using TaurusDB. You can continuously evaluate the security status of your TaurusDB resources and enhance their overall security defense by combining different security capabilities provided by TaurusDB. By doing this, data stored in TaurusDB can be protected from leakage and tampering both at rest and in transit.

You can make security configurations from the following dimensions to match your workloads.

Connecting to a DB Instance over a Private Network

  1. Connecting to a DB instance through DAS

    Data Admin Service (DAS) lets you connect to and manage DB instances from a web-based console, so you do not have to open a network path from your own workstation to the database port. By default, you have the permissions required for this remote login. DAS is the recommended way to log in to a DB instance interactively: it is both secure and convenient. For details, see Connecting to a DB Instance Through DAS.

  2. Connecting to a DB instance over its private IP address

    If your application runs on an ECS in the same region and VPC as the DB instance, connect from the ECS to the DB instance over the instance's private IP address. Traffic then never leaves the VPC, which gives you better security and lower latency than going over the public network. For details, see Connecting to a DB Instance over a Private Network.

Configuring Access Control Permissions

Access control can prevent your data from being stolen or damaged.

  1. Configuring only the minimum permissions for IAM users with different roles

    To better isolate and manage permissions, you are advised to configure an independent IAM administrator and grant them the permission to manage IAM policies. The IAM administrator can create different user groups based on your service requirements. User groups correspond to different data access scenarios. By adding users to user groups and binding IAM policies to user groups, the IAM administrator can grant different data access permissions to employees in different departments based on the principle of least privilege. For details, see Permissions Management.

  2. Configuring security group rules

    After a DB instance is created, configure inbound and outbound security group rules to control which sources can reach the DB instance and what the instance can reach. Allow inbound traffic on the database port only from the subnets or security groups of the ECSs that run your application, never from 0.0.0.0/0, so that untrusted third parties cannot even attempt a connection. For details, see Configuring Security Group Rules.

  3. Using a non-default port

    The default port (3306) is the first port Internet-wide scanners probe, so an instance listening on it attracts opportunistic connection and login attempts. You are advised to change the port to a non-default one. Treat this as a way to reduce noise rather than as access control: security group rules and strong credentials are what actually keep attackers out. For details, see Changing a Database Port.

  4. Periodically changing the administrator password

    The default database administrator account root has the highest permissions on the instance. Use a strong, unique password for it, change that password periodically, and do not use root for routine application access. For details, see Resetting the Administrator Password.

  5. Using different non-administrator accounts to manage databases

    Create separate read-only or read/write accounts for each application or team, each limited to the databases it needs and, where possible, to the hosts it connects from, instead of sharing one administrator account. For details, see Creating an Account.

  6. Enabling multi-factor authentication for critical operations

    TaurusDB supports critical operation protection. After this function is enabled, the system authenticates your identity when you perform critical operations like deleting a DB instance, to further secure your data and configurations. For details, see Critical Operation Protection.
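The following is an added example for the security group rules described in item 2 above; it is not Huawei Cloud code. It audits a list of inbound rules and reports every rule that exposes the database port to a source other than the trusted application subnets, or that opens more than that one port to them. The rule dictionaries, their field names (direction, protocol, port_min, port_max, remote) and the trusted subnet 10.0.1.0/24 are assumptions constructed for this example; map the real VPC rule fields onto them.

```python
"""Audit the inbound security group rules in front of a TaurusDB instance.

Added example, not Huawei Cloud's own tooling. The rule dictionaries and
their field names (direction, protocol, port_min, port_max, remote) are an
assumed, simplified shape; map the real VPC rule fields onto them.
"""
import ipaddress

DB_PORT = 3306  # TaurusDB default; use the instance's actual (non-default) port

# Constructed sample rules. `remote` is a CIDR; rules whose remote is another
# security group rather than a CIDR are out of scope for this check.
SAMPLE_RULES = [
    {"direction": "ingress", "protocol": "tcp", "port_min": 3306, "port_max": 3306, "remote": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "tcp", "port_min": 3306, "port_max": 3306, "remote": "10.0.1.0/24"},
    {"direction": "ingress", "protocol": "tcp", "port_min": 1, "port_max": 65535, "remote": "10.0.0.0/8"},
    {"direction": "ingress", "protocol": "any", "port_min": None, "port_max": None, "remote": "192.168.0.0/16"},
    {"direction": "egress", "protocol": "tcp", "port_min": 443, "port_max": 443, "remote": "0.0.0.0/0"},
]


def rule_covers_port(rule, port):
    """True if the rule admits TCP traffic to `port` (a missing range means all ports)."""
    if rule["protocol"] == "any":
        return True
    if rule["protocol"] != "tcp":
        return False
    lo, hi = rule["port_min"], rule["port_max"]
    if lo is None or hi is None:
        return True
    return lo <= port <= hi


def find_risky_rules(rules, db_port=DB_PORT, trusted_cidrs=("10.0.1.0/24",)):
    """Return (rule, reason) for every inbound rule that reaches the database
    port from somewhere other than the trusted application subnets, or that
    opens more than the database port to them."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress" or not rule_covers_port(rule, db_port):
            continue
        remote = ipaddress.ip_network(rule["remote"])
        in_trusted = any(
            remote.version == t.version and remote.subnet_of(t) for t in trusted
        )
        if remote.prefixlen == 0:
            findings.append((rule, "database port reachable from the whole Internet"))
        elif not in_trusted:
            findings.append((rule, "source %s is not a trusted application subnet" % remote))
        elif rule["protocol"] == "any" or (rule["port_min"], rule["port_max"]) != (db_port, db_port):
            findings.append((rule, "rule opens more than the database port"))
    return findings


if __name__ == "__main__":
    for rule, reason in find_risky_rules(SAMPLE_RULES):
        print(f"{rule['remote']:>18} {rule['protocol']:>4} {rule['port_min']}-{rule['port_max']}: {reason}")
```

Run against the constructed rules, the script flags the 0.0.0.0/0 rule, the 10.0.0.0/8 all-ports rule and the 192.168.0.0/16 any-protocol rule, and accepts only the rule that admits 10.0.1.0/24 on exactly the database port. Re-run it with db_port set to your non-default port after changing it, otherwise a rule that still opens 3306 is silently ignored.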
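As an added example for items 4 and 5 above (not TaurusDB tooling), the script below checks existing database accounts against the least-privilege rule: it parses the lines that SHOW GRANTS FOR ... returns on a MySQL-compatible server and reports accounts that can connect from any host, hold takeover-class global privileges, can write to every database, or can pass their privileges on. The account names, hosts and grant lines are constructed for the example; feed it the real SHOW GRANTS output of each account instead.

```python
"""Flag over-privileged database accounts from SHOW GRANTS output.

Added example, not TaurusDB tooling. The grant lines are in the
MySQL-compatible form SHOW GRANTS FOR ... returns; the accounts and
grants below are constructed for this example.
"""
import re

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<obj>\S+) TO (?P<acct>\S+)(?P<tail>.*)$", re.IGNORECASE
)

# Global privileges that amount to server takeover or file-system access.
DANGEROUS_GLOBAL = {"ALL PRIVILEGES", "SUPER", "FILE", "CREATE USER", "SHUTDOWN", "RELOAD", "PROCESS"}
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER"}

# Constructed sample: account -> lines returned by SHOW GRANTS FOR that account.
SAMPLE_GRANTS = {
    "app_ro@10.0.1.%": [
        "GRANT USAGE ON *.* TO `app_ro`@`10.0.1.%`",
        "GRANT SELECT ON `appdb`.* TO `app_ro`@`10.0.1.%`",
    ],
    "app_rw@10.0.1.%": [
        "GRANT USAGE ON *.* TO `app_rw`@`10.0.1.%`",
        "GRANT SELECT, INSERT, UPDATE, DELETE ON `appdb`.* TO `app_rw`@`10.0.1.%`",
    ],
    "report@%": [
        "GRANT ALL PRIVILEGES ON *.* TO `report`@`%` WITH GRANT OPTION",
    ],
    "etl@10.0.2.5": [
        "GRANT SELECT, FILE ON *.* TO `etl`@`10.0.2.5`",
    ],
}


def parse_grant(line):
    """Split one GRANT line into privileges, object, host and grant-option flag.
    Column-level grants such as SELECT (id, name) are not handled here."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        raise ValueError("not a GRANT statement: " + line)
    privs = {p.strip().upper() for p in m["privs"].split(",")}
    _user, host = m["acct"].rsplit("@", 1)
    return {
        "privs": privs,
        "obj": m["obj"],
        "host": host.strip("`'\""),
        "grant_option": "WITH GRANT OPTION" in m["tail"].upper(),
    }


def audit_account(grant_lines):
    """Return the reasons an account looks over-privileged (empty list if it does not)."""
    reasons = []
    parsed = [parse_grant(line) for line in grant_lines]
    if parsed and parsed[0]["host"] == "%":
        reasons.append("may connect from any host; restrict to the application subnet")
    for g in parsed:
        if g["grant_option"]:
            reasons.append("can grant its privileges to others (WITH GRANT OPTION)")
        if g["obj"] == "*.*":
            for priv in sorted(g["privs"] & DANGEROUS_GLOBAL):
                reasons.append("holds global " + priv)
            if g["privs"] & WRITE_PRIVS:
                reasons.append("can write to every database")
    return reasons


def audit_all(grants_by_account):
    """Map each over-privileged account to its list of reasons; clean accounts are omitted."""
    result = {}
    for acct, lines in grants_by_account.items():
        reasons = audit_account(lines)
        if reasons:
            result[acct] = reasons
    return result


if __name__ == "__main__":
    for acct, reasons in audit_all(SAMPLE_GRANTS).items():
        print(acct)
        for reason in reasons:
            print("  -", reason)
```

On the sample, the two application accounts (read-only and read/write, each scoped to appdb and to the 10.0.1.0/24 hosts) pass, while report@% is flagged three times and etl is flagged for the global FILE privilege, which lets it read and write files on the database server even though its data access is read-only.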

Building Disaster Recovery Capabilities

Build restoration and disaster recovery (DR) capabilities in advance, so that data that is deleted or damaged accidentally, or lost in a failure, can be restored.

  1. Configuring an automated backup policy

    When you create a DB instance, an automated backup policy is enabled by default. For security purposes, the automated backup policy cannot be disabled. After the DB instance is created, you can customize the automated backup policy as required. Then TaurusDB backs up data based on the automated backup policy you configure. TaurusDB backs up data at the DB instance level, rather than the database level. If a database is faulty or data is damaged, you can still restore it from backup to ensure data reliability. Backing up data affects the database read and write performance, so you are advised to set the automated backup time window to off-peak hours. For details, see Configuring a Same-Region Backup Policy.

  2. Enabling cross-region backup

    TaurusDB can store backups in a different region from the DB instance for disaster recovery. If a DB instance in a region is faulty, you can use the backups in another region to restore data to a new DB instance. For details, see Configuring a Cross-Region Backup Policy.

Keeping Data in Transit Safe

  1. Using HTTPS to access data

    Hypertext Transfer Protocol Secure (HTTPS) guarantees the confidentiality and integrity of communications between clients and servers. You are advised to use HTTPS for all such access, including the TaurusDB console and API, so that credentials and instance configuration cannot be read or altered in transit.

  2. Using SSL to connect to a DB instance

    Secure Sockets Layer (SSL), and its successor TLS, is an encryption-based protocol for establishing a secure channel between a server and a client. It provides confidentiality, server authentication, and integrity: data is encrypted so that it cannot be read in transit, and integrity-protected so that it cannot be modified in transit. Note that enabling SSL on the instance only makes encrypted connections available; for the protection to hold, configure each client to require an encrypted connection and to verify the server certificate against the instance's CA certificate (for example, with the MySQL client's --ssl-mode=VERIFY_CA option), so that a downgrade to plaintext is rejected. For details, see Configuring SSL.

Auditing TaurusDB Operation Logs to Check for Exceptions

  1. Enabling CTS to record all TaurusDB access operations

    Cloud Trace Service (CTS) records operations on cloud resources in your account. You can use the logs generated by CTS to perform security analysis, track resource changes, audit compliance, and locate faults.

    After you enable CTS and configure a tracker, CTS can record management and data traces of TaurusDB for auditing. For details, see Key Operations Supported by CTS.

  2. Enabling SQL Explorer to record all SQL statements

    Enabling SQL Explorer allows TaurusDB to store the full text of the SQL statements executed on the instance for later analysis. Because these logs contain the literal values from your queries, restrict who can view them as carefully as you restrict access to the data itself. For details, see Configuring SQL Explorer for a DB Instance.

  3. Using Cloud Eye for real-time monitoring on security events

    Huawei Cloud provides the Cloud Eye service to automatically monitor your DB instance, report alarms, and send notifications in real time, so that you can have a clear understanding of the status and alarm events of your DB instance.

    You do not need to separately subscribe to Cloud Eye. It starts automatically once you create a resource (a TaurusDB instance, for example).

    For details, see What Is Cloud Eye?
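The following is an added example for the SQL Explorer logs described in item 2 above; it is not TaurusDB tooling. It runs a small set of detection rules over exported statement records and reports privilege changes, destructive DDL, file-system access from SQL, and use of the root account from a host other than the expected administrative one. The record format (tab-separated timestamp, account, client IP, statement), the sample records and the administrative host 10.0.9.9 are constructed for this example; adapt the loader to the export format you actually receive.

```python
"""Triage SQL Explorer statement logs for privilege changes, destructive DDL,
file-system access and administrator use from unexpected hosts.

Added example, not TaurusDB tooling. The record format (timestamp, account,
client IP, statement) and the records themselves are constructed; adapt the
loader to the export format you actually receive from SQL Explorer.
"""
import re

# Constructed sample log: tab-separated timestamp, user, client IP, statement.
SAMPLE_LOG = """\
2024-12-30T09:00:01Z\tapp_rw\t10.0.1.12\tUPDATE orders SET status = 'shipped' WHERE id = 1042
2024-12-30T09:00:05Z\tapp_ro\t10.0.1.13\tSELECT id, total FROM orders WHERE customer_id = 77
2024-12-30T09:01:10Z\troot\t10.0.1.13\tCREATE USER 'backdoor'@'%' IDENTIFIED BY 'x'
2024-12-30T09:01:11Z\troot\t10.0.1.13\tGRANT ALL PRIVILEGES ON *.* TO 'backdoor'@'%' WITH GRANT OPTION
2024-12-30T09:02:00Z\tapp_rw\t10.0.1.12\tSELECT * FROM customers INTO OUTFILE '/tmp/c.csv'
2024-12-30T09:03:00Z\tapp_rw\t10.0.1.12\tDROP TABLE audit_trail
2024-12-30T09:04:00Z\tops\t10.0.9.9\tSELECT 1
"""

# Each rule is (label, regex applied to the statement text).
RULES = [
    ("privilege change",
     re.compile(r"^\s*(GRANT|REVOKE|CREATE\s+USER|ALTER\s+USER|DROP\s+USER|SET\s+PASSWORD)\b", re.I)),
    ("destructive DDL",
     re.compile(r"^\s*(DROP\s+(TABLE|DATABASE|SCHEMA)|TRUNCATE)\b", re.I)),
    ("file-system access",
     re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b|\bLOAD_FILE\s*\(|\bLOAD\s+DATA\b", re.I)),
]

ADMIN_USERS = {"root"}
# Assumed: the only host from which interactive administration is expected.
ADMIN_HOSTS = {"10.0.9.9"}


def parse_log(text):
    """Parse the constructed tab-separated format into one dict per statement."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, stmt = line.split("\t", 3)
        records.append({"ts": ts, "user": user, "ip": ip, "sql": stmt})
    return records


def triage(records):
    """Return (label, record) for every record that trips a rule; a record
    may appear more than once if it trips several."""
    findings = []
    for rec in records:
        for label, rx in RULES:
            if rx.search(rec["sql"]):
                findings.append((label, rec))
        if rec["user"] in ADMIN_USERS and rec["ip"] not in ADMIN_HOSTS:
            findings.append(("administrator login from unexpected host", rec))
    return findings


if __name__ == "__main__":
    for label, rec in triage(parse_log(SAMPLE_LOG)):
        print(f"{rec['ts']} {rec['user']}@{rec['ip']} [{label}] {rec['sql']}")
```

On the sample, the two root statements are each reported twice (a privilege change, and root connecting from an application host instead of the administrative one), the INTO OUTFILE export and the DROP TABLE are reported once each, and the ordinary application queries and the ops session from the expected host produce nothing. Pair the output with the account audit above: a GRANT that appears in the log should also show up as a new over-privileged account on the next SHOW GRANTS sweep.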

Using the Latest SDKs for Better Experience and Security

You are advised to use the latest version of SDK to better use TaurusDB and protect your data. To download the latest SDK for each language, see SDK Overview.