This post aims to list some best practices for account and resource security on Huawei Cloud.
DISCLAIMER: Huawei Cloud neither endorses nor has any affiliation with any third-party tools or services mentioned or linked in this post. Those third-party tools/services are mentioned only as a reference.
Do not use simple passwords. Passwords like "Huawei@123" are easily guessed and can be cracked by the simplest attack mechanisms. Passwords should have at least 12 characters (16 or more are recommended) and must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters (unless there are system restrictions).
Use a password manager. Do not save your passwords in plaintext (e.g. in a text, Excel or Word file). You can use system built-in password managers (e.g. Google Password Manager, Apple Passwords, Samsung Pass), third-party services (e.g. Bitwarden, Proton Pass) or even offline tools (e.g. KeePassXC).
Use random passwords whenever possible. Almost all password managers have a random password generator feature. You can also use online tools (e.g. RandomKeygen.com).
Use passphrases or pronounceable passwords when you need to type them frequently (e.g. Windows/Linux or e-mail passwords) so you can memorize them (e.g. caseyjmorris' Generator, gpw.js Generator). Select two or three random words (gibberish words can be used to prevent dictionary attacks) and add digits, capitalization and symbols.
Do not reuse passwords. Generate unique passwords for each account/user/resource.
Do not share passwords (or any other sensitive information) directly in e-mail or a messaging app. Use a secret sharing tool with self-destruction and end-to-end encryption features (e.g. Yopass.se, OnetimeSecret.com). Generate a link to the secret (with a decrypt password), send the link through e-mail and send the decrypt password privately through a messaging app or a meeting.
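As an added example (not code from the original post), the length and character-class rule from the first item and the passphrase recipe from the "passphrases or pronounceable passwords" item, in Python; the word list is a constructed placeholder, and the thresholds are the post's own.

```python
import re
import secrets

# Policy stated in the post: at least 12 characters (16 recommended) and at
# least three of the four character classes.
MIN_LEN = 12
RECOMMENDED_LEN = 16
CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digits": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed placeholder word list; a real generator needs thousands of words
# (or gibberish words, as the post suggests) so that guessing is impractical.
WORDS = ["maple", "granite", "orbit", "velvet", "lantern", "cobalt", "harbor", "quartz"]
SYMBOLS = "!@#$%^&*-_=+"


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    present = [name for name, rx in CLASSES.items() if rx.search(pw)]
    if len(present) < 3:
        problems.append(f"only {len(present)} of 4 character classes ({', '.join(present) or 'none'})")
    return problems


def make_passphrase(n_words: int = 3, n_digits: int = 2) -> str:
    """Random words joined by '-', one capitalized, plus digits and a symbol.

    Uses the secrets module (a CSPRNG) rather than random, so the output is
    suitable for credentials. With three words the result always satisfies
    check_password (length >= 12 and all four classes present).
    """
    words = [secrets.choice(WORDS) for _ in range(n_words)]
    idx = secrets.randbelow(n_words)
    words[idx] = words[idx].capitalize()
    digits = "".join(str(secrets.randbelow(10)) for _ in range(n_digits))
    return "-".join(words) + digits + secrets.choice(SYMBOLS)


if __name__ == "__main__":
    print(check_password("Huawei@123"))   # the post's weak example
    pp = make_passphrase()
    print(pp, check_password(pp))
```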
Create Individual IAM Users. If someone needs to access resources in your account, do not share your password with them. Instead, create an individual IAM user for them and grant required permissions to the IAM user.
Grant Least Privilege. Do not assign "admin" permission unless it is really necessary. It is a standard security measure to grant users only the permissions required to perform specific tasks. The principle of least privilege (PoLP) helps you establish secure access to your Huawei Cloud resources. For IAM users who access cloud services by using APIs, CLI tools, or SDKs, grant them permissions by using custom policies to minimize the impact of accidental access key disclosure or loss.
Do Not Write Access Keys into Code. If you use APIs, CLI tools, or SDKs to access cloud services, do not write your access keys into the code. Use environment variables or a secret manager (e.g. Cloud Secret Management Service, HashiCorp Vault).
Enable Login Protection and Critical Operation Protection. Use e-mail or Virtual MFA methods for identity verification when logging in to the Huawei Cloud console.
Avoid binding Elastic IPs (EIPs) directly to servers and databases. Prefer using Elastic Load Balancers (ELBs) or DNAT rules for inbound internet traffic, and SNAT rules for outbound internet traffic.
When binding Elastic IPs (EIPs) directly to servers and databases, carefully review the inbound rules of the security group associated with your resource. Do not expose any unnecessary ports.
Do not allow inbound traffic from any address (0.0.0.0/0) to high-risk ports such as remote login (SSH-22, Telnet-23, RDP-3389) and database (MySQL-3306, PostgreSQL-5432, Oracle-1521) ports. Always restrict the source to specific public addresses and/or the private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
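An added example, not part of the original post: a small audit over security group rules that flags the high-risk ports listed above whenever a rule makes them reachable from any source (0.0.0.0/0 or ::/0). The rules are constructed sample data, and their field names (direction, protocol, port_range_min/max, remote_ip_prefix) are an assumption for the example, not an export from a real account.

```python
import ipaddress

# Ports the post names as high-risk: remote login and database services.
HIGH_RISK_PORTS = {
    22: "SSH", 23: "Telnet", 3389: "RDP",
    3306: "MySQL", 5432: "PostgreSQL", 1521: "Oracle",
}

# Constructed sample rules (not an export from a real account). Field names
# are assumed for this example; map them to whatever your tooling outputs.
SAMPLE_RULES = [
    {"id": "r1", "direction": "ingress", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"},
    {"id": "r2", "direction": "ingress", "protocol": "tcp",
     "port_range_min": 3306, "port_range_max": 3306, "remote_ip_prefix": "10.0.0.0/8"},
    {"id": "r3", "direction": "ingress", "protocol": "tcp",
     "port_range_min": 443, "port_range_max": 443, "remote_ip_prefix": "0.0.0.0/0"},
    # no protocol and no port range means "everything", here from any IPv6 source
    {"id": "r4", "direction": "ingress", "protocol": None,
     "port_range_min": None, "port_range_max": None, "remote_ip_prefix": "::/0"},
    {"id": "r5", "direction": "egress", "protocol": "tcp",
     "port_range_min": 3389, "port_range_max": 3389, "remote_ip_prefix": "0.0.0.0/0"},
]


def is_any_source(prefix: str) -> bool:
    """True when the source prefix is the whole internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def rule_findings(rule: dict) -> list:
    """High-risk services this one rule exposes to any source, as 'Name-port' strings."""
    if rule.get("direction") != "ingress":
        return []
    if rule.get("protocol") not in (None, "tcp"):   # UDP/ICMP rules cannot expose these TCP services
        return []
    if not is_any_source(rule.get("remote_ip_prefix") or "0.0.0.0/0"):   # absent prefix = any source
        return []
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None or hi is None:   # a missing range means all ports
        lo, hi = 1, 65535
    return [f"{name}-{port}" for port, name in sorted(HIGH_RISK_PORTS.items()) if lo <= port <= hi]


def audit(rules: list) -> list:
    """Return (rule id, exposed service) pairs for every rule that needs attention."""
    return [(r["id"], svc) for r in rules for svc in rule_findings(r)]


if __name__ == "__main__":
    for rule_id, svc in audit(SAMPLE_RULES):
        print(f"rule {rule_id}: {svc} reachable from any address")
```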
Right after deploying an Elastic Cloud Server (ECS), install all available operating system and package updates before deploying any application.
To connect servers and databases in Huawei Cloud to your data center or private network, you are advised to use the Virtual Private Network (VPN) service. If VPN does not apply to your scenario and you need to remotely manage your servers on Huawei Cloud, consider using Cloud Bastion Host (CBH) or a security-hardened jump server. Open source bastion host solutions can also be used (e.g. JumpServer, Bastillion).