Recommendations for Using IAM (Identity and Access Management)
To establish secure access to your Open Telekom Cloud resources, follow these recommendations for the Identity and Access Management (IAM) service.
Do Not Create Access Keys for Your Account​
Your account has all the permissions required to access resources and make payments for the usage of resources. Both passwords and access keys (AKs/SKs) are account credentials, and they have the same effect. Passwords are mandatory and used for console login. Access keys are optional, supplementary to passwords, and used for programmatic requests with development tools. Access keys can be lost or accidentally disclosed. To enhance account security, do not create access keys for your account.
Do Not Write Access Keys into Code​
If you use APIs, CLI tools, or SDKs to access cloud services, do not write your access keys into the code.
Create Individual IAM Users​
If someone needs to access resources in your account, do not share your password with them. Instead, create an individual IAM user for them and grant required permissions to the IAM user. You can also create an IAM user for yourself, grant the IAM user administrator permissions, and perform routine management using the IAM user.
Set Appropriate Access Type​
You can set the access type of IAM users, including programmatic access and management console access. Note the following when you set the access type:
- If the user accesses Open Telekom Cloud services only by using the management console, select Management console access for Access Type and Password for Credential Type.
- If the user accesses Open Telekom Cloud services only through programmatic calls, select Programmatic access for Access Type and Access key for Credential Type.
- If the user needs to use a password as the credential for programmatic access to certain APIs, select Programmatic access for Access Type and Password for Credential Type.
- If the user needs to perform access key verification when using certain services in the console, such as creating a data migration job in the Cloud Data Migration (CDM) console, select Programmatic access and Management console access for Access Type and Access key and Password for Credential Type.
Grant Least Privilege​
It is a standard security measure to grant users only the permissions required to perform specific tasks. You can achieve this by using IAM's system-defined or custom policies. The principle of least privilege (PoLP) helps you establish secure access to your Open Telekom Cloud resources.
For IAM users who access cloud services by using APIs, CLI tools, or SDKs, grant them permissions by using custom policies to minimize impact due to accidental access key disclosure or loss.
Enable Virtual MFA��​
Multi-factor authentication (MFA) adds an additional layer of security protection on top of the identity credentials for an account. It is recommended that you enable MFA authentication for your account and privileged users created using your account. To log in to the management console, users must enter their usernames and passwords and a verification code generated by the bound virtual MFA device.
An MFA device can be based on hardware or software. Currently, Open Telekom Cloud supports software-based virtual MFA devices. It is a program that runs on a portable device (such as a mobile phone) and generates a six-digit verification code for identity authentication.
Set a Strong Password Policy​
To ensure that IAM users only use complex passwords and change them periodically, set a password policy to define strong password requirements, such as minimum password length, and whether to allow consecutive identical characters in a password, and whether to allow previously used passwords.
Enable Critical Operation Protection​
Enable critical operation protection to prevent misoperations. When you or users created using your account perform critical operations, such as deleting resources or generating access keys, you and users need to provide verification codes to proceed with the operations.
Periodically Change Your Identity Credentials​
Periodically changing your password and access keys can prevent risks caused by their accidental disclosure or loss.
- Set a password validity period to require you and users created using your account to change passwords. IAM will start to display a prompt 15 days before a password expires.
- You can create two access keys and use them interchangeably. For example, you can use access key 1 for a certain period, and then use access key 2 for the next period. You can also delete access key 1 and generate another access key.
Delete Unnecessary Identity Credentials​
For users who only need to use the console, it is recommended that you do not create access keys for them, and delete any access keys that have already been created. If a user has not logged in for a long period, change the user's password and delete the user's access keys. In addition, set an account validity period to automatically disable user accounts that have not been used for a long time.
Delegate Resource Access to Applications Running on ECSs​
Applications running on Elastic Cloud Servers (ECSs) can access other Open Telekom Cloud services only with a credential provided. To securely provide credentials for applications, create an agency in IAM to grant required permissions to the ECS where the applications run, and configure the agency for the ECS so that the applications can obtain temporary access keys. The ECS applies for a temporary credential from IAM to securely access resources based on the permissions granted through the agency. ECS automatically rotates temporary credentials to ensure that they are secure and valid.
When you start an ECS, you can specify an agency for the ECS as a startup parameter. Applications running on the ECS can access Open Telekom Cloud resources by providing the temporary access key obtained using the agency. The agency determines which applications can access specific resources.
Enabling CTS​
Cloud Trace Service (CTS) is a log audit service provided by Open Telekom Cloud. It collects, stores, and queries records of operations on IAM, facilitating security analysis, compliance audit, resource tracking, and fault locating. It is recommended that you enable the CTS service to record key IAM operations, such as creating and deleting IAM users.