KMS Best Practices
Huawei Cloud and you share the responsibility for security. Huawei Cloud is responsible for the security of the cloud platform itself. As a tenant, you should use the security capabilities provided by cloud services to protect your data and use the cloud securely. For details, see Shared Responsibilities.
This section provides actionable guidance for enhancing the overall security of KMS. With this guide, you can continuously evaluate the security status of KMS, improve the overall KMS security defense capabilities, and protect data during storage and transmission from being leaked or tampered with.
Consider the following aspects for your security configurations:
- Complete custom policy configurations and ensure permission management compliance.
If the key resources in a custom policy are not limited, any user granted that policy can encrypt and decrypt with every key, which does not meet least-privilege requirements. When configuring a custom policy, set Select resource and enter the ID of the key to be authorized. The policy then takes effect only for that key.
- Enable key rotation to reduce key leakage risks.
Key leakage is more likely the longer the same key stays in use. Enable a key rotation policy so that keys are updated periodically and their key material is changed.
- Enable operation protection to reduce risks.
Keys are vital service data. Administrators can enable operation protection. With it enabled, an IAM user can delete a key only after the operation has been verified by the operator or a designated person, reducing the risk and impact of misoperations.
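As an added check for the first point above (this is example code, not Huawei Cloud tooling), the following Python flags custom-policy statements that grant KMS actions without limiting the key resource. It assumes the custom policy JSON shape (Version, Statement, Effect, Action, Resource) and a KMS resource string of the form KMS:<region>:<domain>:KeyId:<key-id>; the action names and the key ID in the sample policy are constructed.

```python
import json

# Assumed resource format: "KMS:<region>:<domain>:KeyId:<key-id>"; "*" means every key.
KMS_ACTION_PREFIX = "kms:"

def _grants_all_keys(resource: str) -> bool:
    """True if a Resource entry covers every key rather than a single key ID."""
    if resource.strip() == "*":
        return True
    parts = resource.split(":")
    if len(parts) >= 5 and parts[0].upper() == "KMS" and parts[3] == "KeyId":
        return parts[4] in ("", "*")  # wildcard or empty KeyId segment
    return False

def unscoped_kms_statements(policy_json: str) -> list:
    """Return indexes of Allow statements that grant kms actions on all keys."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a == "*" or a.lower().startswith(KMS_ACTION_PREFIX) for a in actions):
            continue
        resources = stmt.get("Resource")
        if resources is None:  # no Resource element at all: applies to every key
            findings.append(idx)
            continue
        if isinstance(resources, str):
            resources = [resources]
        if any(_grants_all_keys(r) for r in resources):
            findings.append(idx)
    return findings

# Constructed sample policy: statement 0 is unscoped (fails the check), statement 1
# is limited to one constructed key ID, statement 2 is not a KMS action.
SAMPLE_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:cmk:encryptData", "kms:cmk:decryptData"],
         "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["kms:cmk:encryptData", "kms:cmk:decryptData"],
         "Resource": ["KMS:*:*:KeyId:11111111-2222-3333-4444-555555555555"]},
        {"Effect": "Allow", "Action": ["ecs:*:get*"], "Resource": ["*"]},
    ],
})
```

Run `unscoped_kms_statements(SAMPLE_POLICY)` to get `[0]`; each returned index is a statement whose Resource should be narrowed to a specific key ID before the policy is attached.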