Suggestions on CTS Security Configuration
Security is a shared responsibility between Huawei Cloud and yourself. Huawei Cloud is responsible for the security of cloud services to provide a secure cloud. As a tenant, you should properly use the security capabilities provided by cloud services to protect data, and securely use the cloud. For details, see Shared Responsibilities.
This section provides actionable guidance for enhancing the overall security of CTS. You can continuously evaluate the security of your CTS resources and enhance their overall defensive capabilities by combining different security capabilities provided by CTS. By doing this, data stored in CTS can be protected from leakage and tampering both at rest and in transit.
Consider the following aspects for your security configurations:
- Properly Managing Your Identity Authentication Information to Prevent Data Leaks
- Granting Only the Minimum Permissions to IAM Users to Prevent Data Leakage
- Enabling CTS and Configuring Key Event Notifications
- Using the Latest SDKs for Better Experience and Security
- Using Cloud Eye for Real-time Monitoring and Alarm Reporting on Key Events
- Archiving Traces to OBS Buckets for Permanent Storage and Using DEW to Encrypt Trace Files
Properly Managing Your Identity Authentication Information to Prevent Data Leaks
Whether you access CTS through the console, APIs, or SDKs, you must provide identity credentials, and their validity is verified. CTS supports three IAM-based identity authentication modes: username and password, access key (AK/SK), and temporary access key. It also provides login protection and login authentication policies to harden identity authentication.
- Using a temporary AK/SK (recommended)
Operating CTS resources requires identity credentials to ensure request confidentiality and integrity and to verify the requester's identity. You are advised to configure an IAM agency to obtain temporary AKs/SKs, or to directly configure temporary AKs/SKs for your applications or cloud services. Temporary AKs/SKs expire after a short period, which reduces data leakage risks. For details, see Temporary Access Key and Obtaining Temporary Access Keys and Security Tokens of an Agency.
- Regularly changing a permanent AK/SK
If you use a permanent AK/SK, change it regularly and encrypt it for storage to prevent data leakage. For details, see Access Keys.
- Regularly changing your password and avoiding weak passwords
Regularly resetting passwords is a key measure to enhance system and application security. This practice lowers the chances of password exposure and helps you meet compliance requirements, mitigate internal risks, and boost security awareness. Also, use complex passwords to reduce risks. For details, see Password Policy.
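The two credential rules above (prefer temporary AKs/SKs; rotate any permanent AK/SK regularly) can be checked mechanically. The following is an added example, not code from the CTS documentation or SDK: it runs over a constructed key inventory (the AccessKey fields, the sample key IDs and the 90-day rotation window are all assumptions) and reports permanent keys past their rotation age and temporary credentials that have already expired. In practice the inventory would come from your IAM access-key listing.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed inventory record; field names are our own, not an IAM API shape.
@dataclass
class AccessKey:
    access_key_id: str
    owner: str
    created: datetime
    temporary: bool = False            # True for agency-issued temporary AK/SK
    expires: Optional[datetime] = None # set only for temporary credentials

ROTATION_MAX_AGE = timedelta(days=90)  # assumed rotation window; choose your own

# Constructed sample keys (IDs are placeholders, not real access keys).
SAMPLE_KEYS = [
    AccessKey("EXAMPLE-PERM-0001", "deploy-bot",
              datetime(2024, 1, 10, tzinfo=timezone.utc)),
    AccessKey("EXAMPLE-PERM-0002", "alice",
              datetime(2024, 5, 20, tzinfo=timezone.utc)),
    AccessKey("EXAMPLE-TEMP-0003", "ci-agency",
              datetime(2024, 6, 1, 11, 0, tzinfo=timezone.utc),
              temporary=True,
              expires=datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)),
]

def keys_due_for_rotation(keys: List[AccessKey], now: datetime,
                          max_age: timedelta = ROTATION_MAX_AGE) -> List[str]:
    """IDs of permanent keys older than max_age. Temporary keys are skipped:
    they expire on their own, which is why the page recommends them."""
    return [k.access_key_id for k in keys
            if not k.temporary and now - k.created > max_age]

def expired_temporary_keys(keys: List[AccessKey], now: datetime) -> List[str]:
    """IDs of temporary credentials whose expiry has passed. A client still
    holding one should obtain a fresh one through its agency, not retry."""
    return [k.access_key_id for k in keys
            if k.temporary and k.expires is not None and k.expires <= now]

def credential_report(keys: List[AccessKey], now: datetime) -> dict:
    """Summary a periodic hygiene job would emit."""
    return {
        "rotate": keys_due_for_rotation(keys, now),
        "expired_temporary": expired_temporary_keys(keys, now),
        "permanent_count": sum(1 for k in keys if not k.temporary),
    }

if __name__ == "__main__":
    now = datetime(2024, 6, 1, 13, 0, tzinfo=timezone.utc)
    print(credential_report(SAMPLE_KEYS, now))
```

A non-zero `permanent_count` is itself worth tracking over time: the goal of the first recommendation is to drive it toward zero by moving workloads to agency-issued temporary credentials.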
Granting Only the Minimum Permissions to IAM Users to Prevent Data Leakage
To assign different permissions to employees in your enterprise to access your CTS resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your CTS resources. You can set CTS system permissions or fine-grained permissions for least privilege access. For details, see Permissions.
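Least privilege is easiest to keep when policies are checked before they are attached. The following is an added example, not code from the CTS documentation: a small linter over IAM-style policy JSON (Version 1.1 statements with Effect and Action) that flags wildcard actions in Allow statements and actions that reach outside the service the user is meant to work with. The two policies are constructed, and the `cts:tracker:list`, `cts:trace:list` and `cts:tracker:delete` action names are assumed to illustrate the service:resource:verb form; confirm the exact names against the CTS Permissions reference.

```python
import json
from typing import List, Sequence

# Constructed "before" policy: grants every CTS and OBS action.
OVERBROAD_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["cts:*:*", "obs:*:*"]},
    ],
})

# Constructed "after" policy: read-only CTS access, with tracker deletion
# explicitly denied. Action names are assumed (see lead-in).
SCOPED_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["cts:tracker:list", "cts:trace:list"]},
        {"Effect": "Deny", "Action": ["cts:tracker:delete"]},
    ],
})

def lint_policy(policy_json: str,
                allowed_services: Sequence[str] = ("cts",)) -> List[str]:
    """Return findings where the policy exceeds least privilege.

    Only Allow statements are examined: Deny statements narrow access and
    never widen it. Each finding names the statement index so the reviewer
    can locate it in the policy document."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):   # a single action may be a bare string
            actions = [actions]
        for action in actions:
            if "*" in action:
                findings.append(f"statement {idx}: wildcard action {action!r}")
            service = action.split(":", 1)[0]
            if service != "*" and service not in allowed_services:
                findings.append(
                    f"statement {idx}: action {action!r} is outside "
                    f"the expected services {tuple(allowed_services)}")
    return findings

def is_least_privilege(policy_json: str,
                       allowed_services: Sequence[str] = ("cts",)) -> bool:
    """True when the linter raises no findings."""
    return not lint_policy(policy_json, allowed_services)

if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy) or "OK")
```

Run as a pre-attach gate in whatever pipeline creates IAM users or groups: the overbroad policy yields three findings (one wildcard in CTS, one wildcard in OBS, one out-of-scope service), the scoped policy none.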
Enabling CTS and Configuring Key Event Notifications
CTS can notify you of key events. Key event notifications support the following scenarios. For details, see Creating a Key Event Notification.
- Real-time detection of high-risk operations (such as VM restart and security configuration changes), cost-sensitive operations (such as expensive resource creation and deletion), and service-sensitive operations (such as network configuration changes).
- Detection of operations such as login of users with admin-level permissions and unauthorized operations.
- Connection with your own audit system: You can synchronize all audit logs to your audit system in real time to analyze the API calling success rate, unauthorized operations, security, and costs.
If you are concerned about the addition and deletion of Huawei Cloud resources, you can configure key event notifications, including the service type, resource type, and actions on resources. Once any key event occurs, CTS uses SMN to send notifications to relevant subscribers by SMS message, email, or HTTP/HTTPS message.
Using the Latest SDKs for Better Experience and Security
Use the latest CTS SDKs to better protect your data. You can check the SDKs supported by CTS in the SDK list. You can also view the SDK change history, obtain the installation package, and view the guide in the GitHub repository. For details, see SDK Overview.
Using Cloud Eye for Real-time Monitoring and Alarm Reporting on Key Events
CTS records key audit traces, such as deleteServer, deleteVpc, and deleteVolume, for cloud services such as ECS, VPC, and EVS, and sends them to Cloud Eye. Cloud Eye monitors the operation frequency of your cloud resources, reports alarms, and sends notifications in real time. This helps you obtain information such as the frequency, returned status, and occurrence time of cloud resource operations. To use this feature, you do not need to enable Cloud Eye. Once CTS is enabled, it automatically reports audit traces of specific cloud services to Cloud Eye. For more information about Cloud Eye, see What Is Cloud Eye?
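The key event notifications described earlier and the Cloud Eye frequency monitoring described here are two views of the same trace stream: one alert per high-risk operation, and one alert when such operations cluster. The following is an added example, not code from CTS or Cloud Eye: it runs both checks over a handful of constructed trace records (the `time`, `user`, `service_type` and `trace_name` fields follow the CTS trace record layout, but the records, the five-minute window and the threshold of three are assumptions) using the deleteServer, deleteVpc and deleteVolume trace names from the text. Feeding it the audit logs you synchronize to your own audit system gives you the same signal outside the console.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Trace names cited on the page as key audit traces.
HIGH_RISK_TRACES = {"deleteServer", "deleteVpc", "deleteVolume"}

# Constructed sample traces (not real account activity).
SAMPLE_TRACES = [
    {"time": "2024-06-01T10:00:00Z", "user": "alice", "service_type": "ECS", "trace_name": "createServer"},
    {"time": "2024-06-01T10:01:00Z", "user": "bob",   "service_type": "ECS", "trace_name": "deleteServer"},
    {"time": "2024-06-01T10:01:30Z", "user": "bob",   "service_type": "ECS", "trace_name": "deleteServer"},
    {"time": "2024-06-01T10:02:00Z", "user": "bob",   "service_type": "EVS", "trace_name": "deleteVolume"},
    {"time": "2024-06-01T10:02:10Z", "user": "bob",   "service_type": "VPC", "trace_name": "deleteVpc"},
    {"time": "2024-06-01T11:30:00Z", "user": "alice", "service_type": "VPC", "trace_name": "deleteVpc"},
]

def parse_time(value: str) -> datetime:
    """CTS timestamps in the sample use UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def key_event_alerts(traces: List[Dict[str, str]],
                     high_risk: Set[str] = HIGH_RISK_TRACES) -> List[str]:
    """One alert per high-risk trace: the per-event view a key event
    notification delivers through SMN."""
    return [f"{t['time']} {t['user']} {t['service_type']}:{t['trace_name']}"
            for t in traces if t["trace_name"] in high_risk]

def frequency_alerts(traces: List[Dict[str, str]],
                     window: timedelta = timedelta(minutes=5),
                     threshold: int = 3,
                     high_risk: Set[str] = HIGH_RISK_TRACES) -> List[str]:
    """Sliding-window count of high-risk operations per user: the frequency
    view Cloud Eye provides. Emits one alert per user the first time the
    count within `window` reaches `threshold`, so a burst of deletions is
    reported once rather than on every subsequent event."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[str] = []
    for t in sorted(traces, key=lambda rec: rec["time"]):
        if t["trace_name"] not in high_risk:
            continue
        ts = parse_time(t["time"])
        q = recent[t["user"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and t["user"] not in alerted:
            alerted.add(t["user"])
            alerts.append(f"{t['user']}: {len(q)} high-risk operations within {window}")
    return alerts

if __name__ == "__main__":
    for line in key_event_alerts(SAMPLE_TRACES):
        print("key event:", line)
    for line in frequency_alerts(SAMPLE_TRACES):
        print("frequency:", line)
```

On the sample, the per-event check raises five alerts (four for bob, one for alice) while the frequency check raises only one, for bob's four deletions inside two minutes; alice's single deleteVpc ninety minutes later never reaches the threshold. Tune the window and threshold to the normal change rate of your account so that routine maintenance does not page anyone.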
Archiving Traces to OBS Buckets for Permanent Storage and Using DEW to Encrypt Trace Files
CTS can query audit traces of only the last seven days. To audit, query, and analyze traces later, you can configure an OBS bucket for storing these traces and encrypt them with DEW. When cloud resources change, CTS archives audit traces to the OBS bucket. For details, see Configuring a Tracker.
Use the keys from DEW to fully or partially encrypt objects in an OBS bucket. For details, see Encrypting Data in OBS.