Security best practices

Last updated: 2021-10-29 17:57:41

Security protection

Enable MFA for your Kingsoft Cloud account and IAM users

We recommend that you enable MFA for your Kingsoft Cloud account and all IAM users. You can enable MFA for an IAM user on the details page of the IAM user in the IAM console.

Periodically change the login password and rotate AccessKeys

For your Kingsoft Cloud account and IAM users, we recommend that you periodically change the login passwords and rotate AccessKeys. This helps keep the cloud computing resources of your account secure even if a security credential is leaked.

Improve password complexity to reduce the risk of weak password cracking and credential stuffing

Configure a complex password, for example, a long password that mixes uppercase and lowercase letters and special characters.

Access Kingsoft Cloud as an IAM user

In daily management of cloud resources, use the Kingsoft Cloud account to access Kingsoft Cloud as little as possible. Do not share the credentials with others. Instead, grant IAM users the required management permissions.

Authorization restrictions

Adhere to the principle of least privilege

Least privilege is the basic principle of security design. It requires that users be granted the minimum permissions necessary for their work to avoid over-authorization and reduce risks arising from account leakage.

Enhance security with policy conditions

We recommend that you set conditions for policies to limit their applicable scenarios and enhance security. For example, specify conditions on IP addresses, regions, and time when you configure policies.

Revoke unnecessary permissions in time

Revoke permissions that are no longer required by an IAM user in a timely manner.

Permission configuration

Separate console permissions from API permissions

We recommend that you do not authorize an IAM user to use the Kingsoft Cloud console and call API operations at the same time. Generally, you can assign an IAM user with a login password and required permissions to an employee of your enterprise, and assign an IAM user with an AccessKey to a system or an application.

Do not create an AccessKey for your Kingsoft Cloud account

Your Kingsoft Cloud account has full permissions on your resources, including console and API permissions. To avoid disastrous consequences due to the leakage of your AccessKey, we recommend that you do not create an AccessKey for your Kingsoft Cloud account. We recommend that you create AccessKeys for your IAM users and grant IAM users required permissions to control operations.

Separate identity management, policy management, as well as operation and resource management

To minimize risks, you must divide system permissions. When you use IAM, you must separate permissions for identity management, policy management, as well as operation and resource management. Create IAM users and attach different policies to them to separate permissions.

Grant permissions to IAM users through groups

In addition to attaching policies to IAM users, you can group IAM users based on their responsibilities and grant permissions to groups for centralized management. You can attach policies to a group, and add IAM users to or remove them from the group as your organization changes. All members in the group share the same permissions. An IAM user obtains the permissions immediately after it is added to the group.
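
The recommendations on this page can be checked mechanically against an export of your identities. The following is an added example, not Kingsoft Cloud code: the inventory field names, the sample data, and the 90-day rotation period are assumptions made for illustration.

```python
from datetime import date

# Constructed sample inventory. The field names are assumptions for this
# example, not the output format of any Kingsoft Cloud API.
SAMPLE_INVENTORY = [
    {"name": "root", "is_root": True, "mfa": True, "console_login": True,
     "access_keys": [{"id": "AK-EXAMPLE-1", "created": "2021-01-10"}],
     "direct_policies": []},
    {"name": "alice", "is_root": False, "mfa": False, "console_login": True,
     "access_keys": [], "direct_policies": []},
    {"name": "ci-deploy", "is_root": False, "mfa": True, "console_login": True,
     "access_keys": [{"id": "AK-EXAMPLE-2", "created": "2021-09-01"}],
     "direct_policies": ["DeployPolicy"]},
]

def audit(inventory, today, max_key_age_days=90):
    """Return sorted (identity, finding) pairs.

    The 90-day default is an assumed rotation period; the page only says
    to rotate AccessKeys periodically.
    """
    findings = []
    for ident in inventory:
        name, keys = ident["name"], ident["access_keys"]
        # MFA is recommended for the account and for every IAM user.
        if not ident["mfa"]:
            findings.append((name, "mfa-disabled"))
        # The account itself should not own an AccessKey.
        if ident["is_root"] and keys:
            findings.append((name, "root-has-access-key"))
        # Console access (people) and API access (systems) should be separate users.
        if not ident["is_root"] and ident["console_login"] and keys:
            findings.append((name, "console-and-api-combined"))
        # Flag AccessKeys older than the rotation period.
        for key in keys:
            age = (today - date.fromisoformat(key["created"])).days
            if age > max_key_age_days:
                findings.append((name, f"stale-key:{key['id']}:{age}d"))
        # Policies attached directly bypass centralized group management.
        if ident["direct_policies"]:
            findings.append((name, "direct-policy-attachment"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY, date(2021, 10, 29)):
        print(f"{name}: {finding}")
```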
