Help Center/ Cloud Application Engine/ Best Practices/ CAE Security Best Practices
Updated on 2025-06-30 GMT+08:00

CAE Security Best Practices

Security is a shared responsibility between Huawei Cloud and yourself. Huawei Cloud ensures the security of cloud services for a secure cloud. As a tenant, you should utilize the security capabilities provided by cloud services to protect data and use the cloud securely.

This section provides actionable guidance for enhancing the overall security of Cloud Application Engine (CAE). You can continuously evaluate the security status of your CAE resources and combine multiple security capabilities provided by CAE to enhance their overall security defense and prevent data leakage and tampering during transmission.

Consider the following aspects for your security configurations:

Using CAE Access Control to Minimize Permissions

New Identity and Access Management (IAM) users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the user group and can perform specified operations on cloud services.

CAE is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects in the specified regions, the users only have permissions for CAE in the selected projects. If you set Scope to All resources, the users have permissions for CAE in all region-specific projects. When accessing CAE, the users need to switch to the authorized region.

You can grant users permissions by using roles and policies.

  • Roles: A coarse-grained authorization strategy that defines permissions by job responsibility. IAM provides a limited number of roles for permissions management. Different services often depend on other services, so these dependencies must be considered when assigning roles. However, roles are not ideal for fine-grained authorization and least privilege access.
  • Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access.

For details about CAE permissions, see Permissions Management.

Planning Services Correctly Based on CAE Network Security Design to Prevent Network Attacks

  1. You are advised to plan the environment based on service isolation requirements to ensure that different services cannot access each other.

    Environments distinguish service deployment scenarios and means isolation. In CAE, development, test, pre-production, and production environments are tailored to requirements. Networks in an environment intercommunicate, while components and services are managed and deployed within the environment for easier O&M, production, and rollout.

  2. You are advised to use HTTPS for Layer 7 access of application components to prevent data theft and damage during transmission.

    Hypertext Transfer Protocol Secure (HTTPS) is a protocol that guarantees the confidentiality and integrity of communications between clients and servers. You are advised to use HTTPS for data access.

  3. You are advised to host sensitive data on DEW. CAE obtains and uses sensitive data through DEW to prevent data leakage.

    Each enterprise has its own core sensitive data, which needs to be encrypted. To improve data security, CAE allows you to add Data Encryption Workshop (DEW) secrets and import them into components as environment variables to protect data.

Enabling CTS to Record All CAE Access Operations

Cloud Trace Service (CTS) records operations on the cloud resources in your account. You can use the logs generated by CTS to perform security analysis, track resource changes, audit compliance, and locate faults.

After you enable CTS and configure a tracker, CTS records management traces of CAE for auditing. For details, see CAE Operations That Can Be Recorded by CTS.