Help Center/ Distributed Message Service for Kafka/ Best Practices/ Suggestions on Using DMS for Kafka Securely
Updated on 2024-10-16 GMT+08:00

Suggestions on Using DMS for Kafka Securely

Huawei Cloud and you share the responsibility for security. Huawei Cloud ensures the security of cloud services for a secure cloud. As a tenant, you should utilize the security capabilities provided by cloud services to protect data and use the cloud securely. For details, see Shared Responsibilities.

This section guides you on how to enhance overall DMS for Kafka security through security best practices. You can improve the security of your DMS for Kafka resources by continuously monitoring their security status, combining multiple security capabilities provided by DMS for Kafka, and protecting data stored in DMS for Kafka from leakage and tampering both at rest and in transit.

Configure security settings from the following dimensions to meet your service needs.

Protecting Data Through Access Control

  1. Set only the minimum permissions for IAM users with different roles to prevent data leakage or misoperations caused by excessive permissions.

    To better isolate and manage permissions, you are advised to configure an independent IAM administrator and grant them the permission to manage IAM policies. The IAM administrator can create different user groups based on your service requirements. User groups correspond to different data access scenarios. By adding users to user groups and binding IAM policies to user groups, the IAM administrator can grant different data access permissions to employees in different departments based on the principle of least privilege. For details, see Permissions Management.

  2. Configure a security group to protect your data from abnormal reads or other operations.

    Tenants can configure inbound and outbound traffic rules for a security group to regulate network access to an instance, and prevent unauthorized exposure to third parties. For more information, see How Do I Select and Configure a Security Group?. Do not set the source to 0.0.0.0/0 in the inbound rules of a security group.

  3. Configure a password for accessing your Kafka instance (by enabling SASL) to prevent unauthorized clients from operating it by mistake.
  4. Enable multi-factor authentication for sensitive operations to protect your data from accidental deletion.

    DMS for Kafka offers sensitive operation protection to enhance the security of your data. With this function enabled, the system authenticates the identity before sensitive operations such as instance deletion are performed. For more information, see Critical Operation Protection.

Transmission Encryption with SSL

To prevent data from breaches or damage during transmission, access DMS for Kafka using SSL encryption. To do so, set the Kafka security protocol to SASL_SSL.

Do Not Store Sensitive Data

Currently, DMS for Kafka does not support data encryption. Do not store sensitive data into message queues.

Data Restoration and Disaster Recovery

Build restoration and disaster recovery (DR) capabilities in advance to prevent data from being deleted or damaged by mistake in abnormal data processing scenarios.

  1. Configure multiple replicas for a topic to quickly restore data in abnormal scenarios.

    Kafka instances support single or multiple replicas of a topic for high availability (HA). With multiple replicas for a Kafka instance, synchronous replication is established and maintained. When an instance broker is faulty, the instance automatically reassigns its leader partition to another available broker.

  2. Use multiple AZs for data DR.

    Cluster Kafka instances can be deployed, and DR can be supported across AZs. If a Kafka instance uses multiple AZs, the instance service continues when one AZ is faulty.

Checking for Abnormal Data Access

  1. Enable Cloud Trace Service (CTS) to record all Kafka access operations for future audit.

    CTS records operations on the cloud resources in your account. You can use the logs generated by CTS to perform security analysis, track resource changes, audit compliance, and locate faults.

    After you enable CTS and configure a tracker, CTS can record management and data traces of Kafka for auditing. For more information, see Viewing Kafka Audit Logs.

  2. Use Cloud Eye for real-time monitoring and alarm reporting.

    To monitor Kafka instances, Huawei Cloud provides Cloud Eye. Cloud Eye supports automatic real-time monitoring, alarms, and notification for requests and traffic in Kafka instances.

    Cloud Eye starts monitoring your Kafka instance once it is created, so you do not need to enable Cloud Eye. For more information, see Kafka Metrics.

Using the Latest SDKs for Better Experience and Security

Upgrade to the latest version of SDKs to enhance the protection of your data and Kafka usage. Download the latest SDK in your desired language from SDK Overview.