Suggestions on Using DMS for RabbitMQ Securely
Huawei Cloud and you share the responsibility for security. Huawei Cloud ensures the security of cloud services for a secure cloud. As a tenant, you should utilize the security capabilities provided by cloud services to protect data and use the cloud securely. For details, see Shared Responsibilities.
This section guides you on how to enhance overall DMS for RabbitMQ security through security best practices. You can improve the security of your DMS for RabbitMQ resources by continuously monitoring their security status, combining multiple security capabilities provided by DMS for RabbitMQ, and protecting data stored in DMS for RabbitMQ from leakage and tampering both at rest and in transit.
Configure security settings from the following dimensions to meet your service needs.
- Protecting Data Through Access Control
- Transmission Encryption with SSL
- Do Not Store Sensitive Data
- Data Restoration and Disaster Recovery
- Checking for Abnormal Data Access
- Using the Latest SDKs for Better Experience and Security
Protecting Data Through Access Control
- Set only the minimum permissions for IAM users with different roles to prevent data leakage or misoperations caused by excessive permissions.
To better isolate and manage permissions, you are advised to configure an independent IAM administrator and grant them the permission to manage IAM policies. The IAM administrator can create different user groups based on your service requirements. User groups correspond to different data access scenarios. By adding users to user groups and binding IAM policies to user groups, the IAM administrator can grant different data access permissions to employees in different departments based on the principle of least privilege. For details, see Permissions Management.
- Configure a security group to protect your data from abnormal reads or other operations.
Tenants can configure inbound and outbound traffic rules for a security group to regulate network access to an instance, and prevent unauthorized exposure to third parties. For more information, see How Do I Select and Configure a Security Group?. Do not set the source to 0.0.0.0/0 in the inbound rules of a security group.
- Configure a password for accessing your RabbitMQ instance to prevent unauthorized clients from operating it by mistake.
RabbitMQ 3.8.35 instances are password-protected by default. RabbitMQ AMQP-0-9-1 instances support access control using ACL. Authentication is required in message production and consumption after ACL is enabled.
- Enable multi-factor authentication for sensitive operations to protect your data from accidental deletion.
DMS for RabbitMQ offers sensitive operation protection to enhance the security of your data. With this function enabled, the system authenticates the identity before sensitive operations such as instance deletion are performed. For more information, see Critical Operation Protection.
Transmission Encryption with SSL
To prevent data from breaches or damage during transmission, access DMS for RabbitMQ using SSL encryption. RabbitMQ 3.8.35 requires SSL. RabbitMQ AMQP-0-9-1 does not support SSL.
Do Not Store Sensitive Data
Currently, DMS for RabbitMQ does not support data encryption. Do not store sensitive data into message queues.
Data Restoration and Disaster Recovery
Build restoration and disaster recovery (DR) capabilities in advance to prevent data from being deleted or damaged by mistake in abnormal data processing scenarios.
- Use cluster RabbitMQ instances to quickly restore data in abnormal scenarios.
You are advised to use cluster RabbitMQ instances in production environment. RabbitMQ instance services continue when an instance broker is faulty.
- Use multiple AZs for data DR.
Cluster RabbitMQ instances can be deployed, and DR can be supported across AZs. If a RabbitMQ instance uses multiple AZs, the instance service continues when one AZ is faulty.
Checking for Abnormal Data Access
- Enable Cloud Trace Service (CTS) to record all RabbitMQ access operations for future audit.
CTS records operations on the cloud resources in your account. You can use the logs generated by CTS to perform security analysis, track resource changes, audit compliance, and locate faults.
After you enable CTS and configure a tracker, CTS can record management and data traces of RabbitMQ for auditing. For more information, see Viewing RabbitMQ Audit Logs.
- Use Cloud Eye for real-time monitoring and alarm reporting.
To monitor RabbitMQ instances, Huawei Cloud provides Cloud Eye. Cloud Eye supports automatic real-time monitoring, alarms, and notification for requests and traffic in RabbitMQ instances.
Cloud Eye starts monitoring your RabbitMQ instance once it is created, so you do not need to enable Cloud Eye. For more information, see RabbitMQ Metrics.
Using the Latest SDKs for Better Experience and Security
Upgrade to the latest version of SDKs to enhance the protection of your data and RabbitMQ usage. Download the latest SDK in your desired language from SDK Overview.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
