SEC02-02 Secure Login Mechanism

Use secure login mechanisms for accounts, IAM users, and third-party identity providers.

• Risk level

  High

• Key strategies
  • Enable MFA-based login for accounts and IAM administrators (IAM users with administrator permissions) to prevent risks caused by login credential leakage.
  • Configure IAM login verification policies, such as session timeout, account lockout, account suspension, and last login notification.
  • Configure the network ACL policy of IAM. Users can access Huawei Cloud only from specific IP address ranges, CIDR blocks, and VPC endpoints.
  • Use different passwords for different accounts or IAM users.
  • Do not share your passwords with others. Instead, create a user for each person who manages or uses Huawei Cloud resources.
  • Change the default password of the new user. When you create a user using IAM, a one-time login link can be sent to the new user via email. The created user needs to set a password when logging in through the link. Additionally, when the administrator customizes the password for the new user, password modification upon user activation can be set to mandatory.
  • Centralized identity control:
    • Single sign-on (SSO): Use the SSO solution to centrally manage user identity authentication information, simplify the user login process, enhance security, and improve user experience.
    • Multi-account: Centrally manage the accounts.
• Related cloud services and tools
  • IAM Identity Providers
  • Best Practices for Using Huawei Accounts
  • OneAccess: Use OneAccess to associate with your organization's HR system for SSO.