Security best practices

Last updated: 2020-07-19 00:07:28

Security protection

Enable MFA for your Kingsoft Cloud account and IAM users

We recommend that you enable MFA for your Kingsoft Cloud account and all IAM users. You can enable MFA for an IAM user on the details page of the IAM user in the IAM console.

Periodically change the login password and rotate AccessKeys

For your Kingsoft Cloud account and IAM users, we recommend that you periodically change the login passwords and rotate AccessKeys. This keeps the cloud computing resources of your account secure even if a security credential is leaked.

Improve password complexity to reduce the risk of weak password cracking and credential stuffing

Configure a complex password, for example, a long password that mixes uppercase and lowercase letters and special characters.

Access Kingsoft Cloud as an IAM user

In daily management of cloud resources, use the Kingsoft Cloud account to access Kingsoft Cloud as little as possible. Do not share its credentials with others. Instead, grant IAM users the required management permissions.

Authorization restriction

Adhere to the principle of least privilege

Least privilege is a basic principle of security design. It requires that users be granted only the minimum permissions necessary for their work, which avoids over-authorization and reduces the risks that arise when an account is leaked.

Enhance security with policy conditions

We recommend that you set conditions on policies to limit the scenarios in which they apply and enhance security. For example, specify conditions on IP addresses, regions, and time when you configure policies.

Revoke unnecessary permissions in time

Revoke permissions that are no longer required by an IAM user in a timely manner.

Permission configuration

Separate console permissions from API permissions

We recommend that you do not authorize the same IAM user both to use the Kingsoft Cloud console and to call APIs. Generally, you can assign an IAM user with a login password to an employee of your enterprise, and assign an IAM user with an AccessKey to a system or application.

Do not create an AccessKey for your Kingsoft Cloud account

The Kingsoft Cloud account has full permissions on all resources of the account, including console and API permissions. To avoid the disastrous consequences that could result from the leakage of your AccessKey, we highly recommend that you do not create any AccessKey for your Kingsoft Cloud account. We recommend that you create AccessKeys for your IAM users and control operations through permission assignment.
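The recommendations so far (MFA, AccessKey rotation, separating console users from API users, and no AccessKey on the Kingsoft Cloud account) can be checked mechanically against an identity inventory. The following is an added example, not Kingsoft Cloud code and not an IAM API: the record fields, rule names, sample identities, and the 90-day rotation limit are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

MAX_KEY_AGE_DAYS = 90      # assumed limit; the page only says "periodically"
TODAY = date(2020, 7, 19)  # fixed audit date so the result is reproducible

@dataclass
class Identity:              # hypothetical inventory record, not an IAM API type
    name: str
    is_root: bool            # True for the Kingsoft Cloud account itself
    mfa_enabled: bool
    has_login_password: bool     # identity can sign in to the console
    key_created: Optional[date]  # AccessKey creation date, None if no key

def audit(identities: List[Identity], today: date) -> List[Tuple[str, str]]:
    """Return (identity, rule) pairs for each recommendation that is violated."""
    findings = []
    for i in identities:
        has_key = i.key_created is not None
        if i.is_root and has_key:
            findings.append((i.name, "root-has-accesskey"))
        # MFA protects console sign-in, so it is checked where a password exists.
        if i.has_login_password and not i.mfa_enabled:
            findings.append((i.name, "console-without-mfa"))
        # One IAM user should be either a console user or an API user, not both.
        if not i.is_root and i.has_login_password and has_key:
            findings.append((i.name, "console-and-api"))
        if has_key and (today - i.key_created).days > MAX_KEY_AGE_DAYS:
            findings.append((i.name, "stale-accesskey"))
    return findings

# Constructed sample inventory (all names and dates are made up).
SAMPLE = [
    Identity("root-account", True, False, True, date(2020, 1, 10)),
    Identity("alice", False, True, True, None),
    Identity("bob", False, True, True, date(2020, 6, 1)),
    Identity("ci-deploy", False, False, False, date(2020, 2, 1)),
]

if __name__ == "__main__":
    for name, rule in audit(SAMPLE, TODAY):
        print(f"{name}: {rule}")
```
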

Separate identity management, policy management, as well as operation and resource management

To minimize risks, you must divide system permissions. When you use IAM, you must separate permissions for identity management, policy management, as well as operation and resource management. Create IAM users and attach different policies to them to separate permissions.

Assign permissions to IAM users through groups

In addition to attaching policies to IAM users, you can group IAM users based on their functions and assign permissions to groups for centralized management. You can attach policies to a group, and add IAM users to or remove them from a group as your organization changes. All members in a group share the same permissions. An IAM user obtains the permissions immediately after it is added to a group.
