Updated on 2025-07-09 GMT+08:00

Avoiding Unauthorized Access Due to Account and Password Leakage

Accounts and passwords are basic authentication mechanisms on the cloud for protecting user resources. Once these credentials are leaked, attackers may obtain unauthorized access permissions and perform unauthorized operations on objects (such as files and databases) stored in the cloud, including but not limited to reading, modifying, or deleting data. This can not only lead to data loss or damage, but also financial loss, reputation damage, or legal disputes.

To ensure resource security, you are not advised to place all resources under the same account. You are advised to allocate resources to different accounts according to different resource contents and access scenarios to achieve account-level isolation.

OBS also provides the following methods to mitigate the risk of unauthorized access:

  • Using permissions control methods, including IAM permissions and bucket policies
  • Using multi-factor authentication (MFA)
  • Using temporary access keys

Creating an IAM User and Granting OBS Permissions

By default, your Huawei Cloud account has permissions to access all APIs, so a leak of the account credentials exposes everything the account can do. To mitigate such risks, you can use IAM permissions to implement fine-grained permissions management.

You can use IAM to assign role-based permissions to different users or applications, so that they can access only authorized resources and services and have only the minimum permissions needed to complete a required task. For example, if you want the software developers in your enterprise to create buckets but not delete them or perform any high-risk operations, you can create IAM users for the software developers and grant them only the permissions required to create OBS buckets but not delete bucket resources, thereby controlling their access to OBS resources.

You can create custom policies to supplement the system-defined policies of OBS. For details about the actions supported by custom policies, see Bucket Actions and Object Actions.
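The developer scenario above, written as an IAM custom policy together with a simplified evaluator, as an added example that is not part of this page or of the IAM service's own code. The action names are OBS IAM actions; the evaluator models only Effect and Action and applies the rule that an explicit Deny overrides an Allow (an assumption of this example, not a statement taken from the page).

```python
import fnmatch

# Custom policy in IAM's JSON syntax: developers may create and list buckets,
# but high-risk bucket operations are explicitly denied.
DEVELOPER_POLICY = {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:bucket:CreateBucket",
                "obs:bucket:ListAllMyBuckets",
                "obs:bucket:HeadBucket",
            ],
        },
        {
            # Explicit Deny: even if another policy attached to the same user
            # allows these actions, the Deny wins in this evaluator.
            "Effect": "Deny",
            "Action": ["obs:bucket:DeleteBucket", "obs:bucket:PutBucketPolicy"],
        },
    ],
}

# The over-broad shape the page warns against: one wildcard grants every action.
OVERBROAD_POLICY = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["obs:*"]}],
}


def is_allowed(policy: dict, action: str) -> bool:
    """Simplified evaluation (assumption): any matching Deny refuses the action,
    otherwise a matching Allow is required; no match means implicit denial."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def wildcard_actions(policy: dict) -> list:
    """List Allow actions that contain a wildcard, i.e. grants to review."""
    return [a for s in policy["Statement"] if s["Effect"] == "Allow"
            for a in s["Action"] if "*" in a]
```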

Configuring Bucket Policies

You can configure a bucket policy to grant permissions for an OBS bucket and the objects in it to specific users or accounts. A bucket policy can be configured from the following aspects to protect data:

  • Fine-grained access control: You can use bucket policies to flexibly define who (such as users, accounts, and IP addresses) performs which operations (such as read, write, and delete) on which resources (buckets or objects) under what conditions (such as time and source IP addresses). This ensures that only authorized users can access the sensitive data.
  • IP address whitelist/blacklist: You can configure a bucket policy to allow access to an OBS bucket only from specific IP addresses. This prevents access attempts from unknown or untrusted visitors.

Figure: Configuring a bucket policy

When configuring bucket policies, pay attention to the following points:

  • You need to regularly review and update the bucket policies, and delete invalid rules in a timely manner.
  • You need to grant only the necessary permissions and avoid using "Action": "obs:*".
  • If both bucket policies and IAM policies are used, the final permissions within the same account are the union of both, whereas across accounts only the permissions granted by both (the overlap) take effect. For details, see Which Permissions Apply When They Conflict?
  • You are advised to use HTTPS to encrypt data to prevent man-in-the-middle attacks and prevent sensitive data from being stolen.
  • Exercise caution when granting access permissions to anonymous users. Once access permissions are granted to anonymous users, any user on the Internet can access your buckets. An OBS bucket domain name is in the BucketName.Endpoint format, where BucketName indicates the name of a bucket, and Endpoint indicates the endpoint (domain name) of the region where the bucket is located. Attackers can directly access your resources by obtaining the endpoint (for example, obs.cn-north-4.myhuaweicloud.com) and the name of the target bucket from public information.
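A weak bucket policy beside a hardened one, with a review function that flags the checklist points above (wildcard actions, anonymous principals, missing or all-encompassing source-IP conditions). This is an added example, not the OBS product's own code; the statement layout, the bucket name and the IDs are constructed for illustration, and the review function only inspects the fields shown here.

```python
import ipaddress

BUCKET = "example-bucket"  # constructed bucket name

# Weak policy: anonymous principal, wildcard action, no condition. Anyone who
# learns BucketName.Endpoint can read, write and delete every object.
WEAK_POLICY = {"Statement": [{
    "Sid": "OpenToEveryone", "Effect": "Allow", "Principal": "*",
    "Action": ["*"], "Resource": [BUCKET, BUCKET + "/*"]}]}

# Hardened policy (layout assumed): one named IAM user, only the read actions
# it needs, only under one prefix, and only from the office address range.
HARDENED_POLICY = {"Statement": [{
    "Sid": "ReportReaderFromOffice", "Effect": "Allow",
    "Principal": {"ID": ["domain/EXAMPLE_DOMAIN_ID:user/EXAMPLE_USER_ID"]},
    "Action": ["GetObject", "ListBucket"],
    "Resource": [BUCKET, BUCKET + "/reports/*"],
    "Condition": {"IpAddress": {"SourceIp": ["203.0.113.0/24"]}}}]}


def _is_anonymous(principal) -> bool:
    """True for the bare "*" form and for an ID list containing "*"."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in principal.get("ID", [])


def review_policy(policy: dict) -> list:
    """Return one finding per checklist violation in each Allow statement."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        if _is_anonymous(stmt.get("Principal")):
            findings.append(f"{sid}: grants access to anonymous users")
        if any(a in ("*", "obs:*") for a in stmt.get("Action", [])):
            findings.append(f"{sid}: wildcard Action grants every operation")
        cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("SourceIp", [])
        if not cidrs:
            findings.append(f"{sid}: no SourceIp condition, reachable from anywhere")
        for cidr in cidrs:
            # A /0 network "restricts" to the whole address space.
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"{sid}: SourceIp {cidr} matches every address")
    return findings
```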

Using MFA

MFA provides an additional layer of protection on top of the username and password. If MFA authentication is enabled, you need to enter the username and password (first factor) as well as a verification code (second factor) when performing certain operations. These factors together keep your account and resources secure. For details about how to enable MFA authentication, see Virtual MFA Device.

Using Temporary Access Keys to Access OBS

You can assign temporary security credentials (including an AK, an SK, and a security token) to a third-party application or an IAM user, so that they can access OBS only for a specified period of time.

Temporary access keys have the following advantages over permanent access keys of IAM users:

  • Temporary access keys are valid for 15 minutes to 24 hours, and the permanent access keys of the IAM user are never handed out, which reduces the impact of a leak.
  • When obtaining temporary access keys, you can pass the policy parameter to request only the least permissions the IAM user needs for the task.

For details, see Granting Temporary Access to OBS.

Before configuring an IAM policy, you need to understand what permissions are required by the user to avoid security risks caused by excessive permissions.