[Basic Cloud Knowledge] Cloud Security Best Practices

DISCLAIMER: Huawei Cloud does not endorse neither has any affiliation with any third-party tools or services mentioned or linked in this post. Those third-party tools/services are mentioned only as reference.

General password recommendations

Do not use simple passwords. Passwords like "Huawei@123" are easily guessed and can be cracked by the most simple attack mechanisms. Passwords should have at least 12 characters (16 or more are recommended) and must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters (unless there are systems restrictions).

Use a password manager. Do not save your passwords in plaintext (e.g. in a text, Excel or Word file). You can use system built-in password managers (e.g. Google Password Manager, Apple Passwords, Samsung Pass), third-party services (e.g. Bitwarden, Proton Pass) or even offline tools (e.g. KeePassXC).

Use random passwords whenever possible. Almost all passwords managers have a random password generator feature. You can also use online tools (e.g. RandomKeygen.com ).

Use passphrases or pronounceable passwords when you need to type them frequently (e.g. Windows/Linux or e-mail passwords) so you can memorize them (e.g. caseyjmorris' Generator, gpw.js Generator). Select two or three random words (gibberish words can be used to prevent dictionary attacks) and add digits, capitalization and symbols.

Do not reuse passwords. Generate unique passwords for each account/user/resource.

Do not share passwords (or any other sensitive information) directly in e-mail or messaging app. Use a secret sharing tool with self destruction and end-to-end encryption features (e.g. Yopass.se, OnetimeSecret.com). Generate a link to the secret (with a decrypt password), send the link through e-mail and send the decrypt password privately through messaging app or meeting.

Identity and Access Management (IAM)

Create Individual IAM Users. If someone needs to access resources in your account, do not share your password with them. Instead, create an individual IAM user for them and grant required permissions to the IAM user.

Grant Least Privilege. Do not assign "admin" permission unless it's really necessary. It is a standard security measure to grant users only the permissions required to perform specific tasks. The principle of least privilege (PoLP) helps you establish secure access to your Huawei Cloud resources. For IAM users who access cloud services by using APIs, CLI tools, or SDKs, grant them permissions by using custom policies to minimize impact due to accidental access key disclosure or loss.

Do Not Write Access Keys into Code. If you use APIs, CLI tools, or SDKs to access cloud services, do not write your access keys into the code. Use environment variables or secret manager (e.g. Cloud Secret Management Service, Hashicorp Vault).

Enable Login Protection and Critical Operation Protection. Use e-mail or Virtual MFA methods for identity verification to log in to Huawei Cloud console.

Network, servers and databases security

Avoid binding Elastic IPs (EIPs) directly to servers and databases. Prefer using Elastic Load Balancers (ELBs) or DNAT rules for inbound internet traffic, and SNAT rules for outbound internet traffic.

When binding Elastic IPs (EIPs) directly to servers and databases, carefully review the inbound rules of the security group associated with your resource. Do not expose any unnecessary ports.

Do not allow inbound traffic from any address (0.0.0.0/0) to high-risk ports like Remote Login (SSH-22, Telnet-23, RDP-3389) and Database (MySQL-3389, PostgreSQL-5432, Oracle-1521). Always specify the public source addresses and/or private source IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

Right after deploying an Elastic Cloud Server (ECS), install all operating system and packages updates available before deploying any application.

To connect servers and databases in Huawei Cloud to your data center or private network, you are advised to use Virtual Private Network (VPN) service. If VPN does not apply to your scenario and you need to remotely manage your servers on Huawei Cloud, consider using Cloud Bastion Host (CBH) or a security hardened jump server. Open source bastion host solutions can also be used (e.g. JumpServer, Bastillion).

References and further reading

Security Technologies and Applications/ Best Practices/ Best Practices in Enabling High-Risk Ports: https://support.huaweicloud.com/intl/en-us/bestpractice-securityInfo/securityInfo_01_0028.html

Security Technologies and Applications/ Best Practices/ Best Practices for Using Huawei Accounts: https://support.huaweicloud.com/intl/en-us/bestpractice-securityInfo/securityInfo_01_0029.html

Identity and Access Management/ Best Practices/ Recommendations for Using IAM: https://support.huaweicloud.com/intl/en-us/bestpractice-iam/iam_0426.html

Elastic Cloud Server/ FAQs/ ECS Security Check/ Are ECSs with Simple Passwords Easily Attacked? https://support.huaweicloud.com/intl/en-us/ecs_faq/ecs_faq_0030.html

Elastic Cloud Server/ Best Practices/ Securing an ECS/ Enhancing Security for SSH Logins to Linux ECSs: https://support.huaweicloud.com/intl/en-us/bestpractice-ecs/en-us_topic_0165501097.html

Elastic Cloud Server/ User Guide/ Security/ Methods for Improving ECS Security: https://support.huaweicloud.com/intl/en-us/usermanual-ecs/ecs_03_0610.html

Huawei Cloud Trust Center / Security: https://www.huaweicloud.com/intl/en-us/securecenter/security.html

Huawei Cloud Security Best Practices: https://www.huaweicloud.com/intl/en-us/securecenter/security/security_bestpractices.html

Huawei Cloud Security FAQs: https://www.huaweicloud.com/intl/en-us/securecenter/security/faqs.html

Huawei Cloud Security White Paper: https://res-static.hc-cdn.cn/cloudbu-site/intl/en-us/TrustCenter/WhitePaper/Best%20Practices/SecurityWhitepaper_intl_en.pdf

Huawei Cloud Data Security White Paper: https://res-static.hc-cdn.cn/cloudbu-site/intl/en-us/TrustCenter/WhitePaper/Best%20Practices/DataSecurityWhitepaper_intl_en.pdf