Recommendations for Using IAM

Do Not Create Access Keys for Your Account

Your account has all the permissions required to access resources and make payments for the usage of resources. The password and access keys (AKs/SKs) are identity credentials for your account. The password is required for logging in to the console, and access keys are your secondary identity credentials that allow programmatic requests with development tools. Access keys are supplementary to the password and are not a must. Access keys can be lost or accidentally disclosed. To enhance account security, do not create access keys for your account.

Do Not Write Access Keys into Code

If you use APIs, CLI, or SDKs to access cloud services, do not write your access keys into the code.

Create Individual IAM Users

If someone needs to access resources in your account, do not share your password with them. Instead, create an individual IAM user for them and grant required permissions to the IAM user. You can also create an IAM user for yourself, grant the IAM user administrator permissions, and perform routine management using the IAM user.

Set Appropriate Access Type

You can set the access type of IAM users, including programmatic access and management console access. Note the following when you set the access type:

• If the user accesses Huawei Cloud services only by using the management console, select Management console access for Access Type and Password for Credential Type.
• If the user accesses Huawei Cloud services only through programmatic calls, select Programmatic access for Access Type and Access key for Credential Type.
• If the user needs to use a password as the credential for programmatic access to certain APIs, select Programmatic access for Access Type and Password for Credential Type.
• If the user needs to perform access key verification when using certain services in the console, such as creating a data migration job in the Cloud Data Migration (CDM) console, select Programmatic access and Management console access for Access Type and Access key and Password for Credential Type.

Grant Least Privilege

It is a standard security measure to grant users only the permissions required to perform specific tasks. You can achieve this by using IAM's system-defined or custom policies. The principle of least privilege (PoLP) helps you establish secure access to your Huawei Cloud resources.

For IAM users who access cloud services by using APIs, CLI, or SDKs, grant the users permissions by using custom policies to prevent losses due to accidental access key disclosure or loss.

Enable Virtual MFA

Multi-factor authentication (MFA) adds an additional layer of security protection on top of the identity credentials for an account. It is recommended that you enable MFA authentication for your account and privileged users created using your account. To log in to the management console, users must enter their usernames and passwords and a verification code generated by the bound virtual MFA device.

An MFA device can be based on hardware or software. Currently, Huawei Cloud supports software-based virtual MFA devices. It is a program that runs on a portable device (such as a mobile phone) and generates a six-digit verification code for identity authentication.

Set a Strong Password Policy

To ensure that IAM users only use complex passwords and change them periodically, set a password policy to define strong password requirements, such as minimum password length, and whether to allow consecutive identical characters in a password, and whether to allow previously used passwords.

Enable Critical Operation Protection

Enable critical operation protection to prevent misoperations. When you or users created using your account perform a critical operation, such as deleting a resource or generating an access key, you and users need to provide the password and a verification code to proceed with the operation.

Periodically Change Your Identity Credentials

Periodically changing your password and access keys can prevent risks caused by their accidental disclosure or loss.

• Set a password validity period to require you and users created using your account to change passwords. IAM will start to display a prompt 15 days before a password expires.
• You can create two access keys and use them interchangeably. For example, you can use access key 1 for a certain period, and then use access key 2 for the next period. You can also delete access key 1 and generate another access key.

Delete Unnecessary Identity Credentials

For users who only need to use the console, it is recommended that you do not create access keys for them, and delete any access keys that have already been created. If a user has not logged in for a long period, change the user's password and delete the user's access keys. In addition, set an account validity period to automatically disable user accounts that have not been used for a long time.

Delegate Resource Access to Applications Running on ECSs

Applications running on Elastic Cloud Servers (ECSs) can access other Huawei Cloud services only with a credential provided. To securely provide credentials for applications, create an agency in IAM to grant required permissions to the ECS where the applications run, and configure the agency for the ECS so that the applications can obtain temporary access keys. The ECS applies for a temporary credential from IAM to securely access resources based on the permissions granted through the agency. ECS automatically rotates temporary credentials to ensure that they are secure and valid.

When you start an ECS, you can specify an agency for the ECS as a startup parameter. Applications running on the ECS can access Huawei Cloud resources by providing the temporary access key obtained using the agency. The agency determines which applications can access specific resources.

Enabling CTS

Cloud Trace Service (CTS) is a log audit service provided by Huawei Cloud. It collects, stores, and queries records of operations on IAM, facilitating security analysis, compliance audit, resource tracking, and fault locating. It is recommended that you enable the CTS service to record key IAM operations, such as creating and deleting IAM users.