SWR Security Best Practices
Security is a shared responsibility between Huawei Cloud and you. Huawei Cloud is responsible for the security of the cloud services themselves. As a tenant, you are responsible for your own data and configuration, and should use the security capabilities that Huawei Cloud provides to protect them. For details, see Shared Responsibilities.
This document provides guidance for improving the overall security of SoftWare Repository for Container (SWR). By continuously evaluating the security of your SWR resources and combining the security capabilities that SWR provides, you strengthen its overall defenses so that images stored in SWR are protected from leakage and tampering, both at rest and in transit.
Consider the following aspects for your security configurations:
- Scan images to detect container image vulnerabilities and security risks in advance, reducing the risk of attacks.
- Strengthen permissions management to reduce related risks.
- Enable image access audit for post-event backtracking.
Scanning Images to Detect Container Image Vulnerabilities and Security Risks in Advance
You are advised to scan the images stored in SWR periodically. A scan covers system vulnerabilities, application vulnerabilities, malicious files, software information, file information, baseline configurations, weak passwords, sensitive information, software compliance, and basic image information, so that potential risks can be identified and fixed before an image is deployed. Gate production deployments on a passed scan: an image that has not been scanned recently, or whose scan still shows unresolved findings, should not reach production. This way every image deployed in the production environment has passed strict security checks, and the systems and applications built on it can run securely and stably.
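The gating step, as an added example rather than SWR's own code: a small Python check that reads a scan report and refuses to deploy an image whose scan is stale, whose findings exceed a chosen severity, or which contains a leaked secret, malicious file or weak password. The report layout, the image names and the finding ids are constructed for illustration; SWR's actual report format differs, so adapt the field names when wiring this into a pipeline.

```python
"""Pre-deployment gate over a container image scan report.

Added example, not Huawei Cloud's or SWR's code. SWR presents scan results
in its console; the report layout used here (image, scanned_at, findings with
category/severity) is a constructed simplification, not the real SWR format.
"""
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Finding categories that block a deployment regardless of their severity
# label: a leaked secret or a planted binary is a compromise, not a CVE score.
ALWAYS_BLOCK = {"malicious_file", "sensitive_information", "weak_password"}

# Constructed sample reports for a hypothetical image; the finding ids are
# placeholders, not real vulnerability identifiers.
VULNERABLE_REPORT = {
    "image": "swr.example.invalid/myorg/api:1.4.2",
    "scanned_at": "2024-05-01T08:00:00+00:00",
    "findings": [
        {"id": "sample-1", "category": "system_vulnerability",
         "severity": "high", "package": "libexample"},
        {"id": "sample-2", "category": "application_vulnerability",
         "severity": "medium", "package": "example-lib"},
        {"id": "sample-3", "category": "sensitive_information",
         "severity": "low", "path": "/app/.env"},
    ],
}
CLEAN_REPORT = {
    "image": "swr.example.invalid/myorg/api:1.4.3",
    "scanned_at": "2024-05-01T09:00:00+00:00",
    "findings": [
        {"id": "sample-4", "category": "application_vulnerability",
         "severity": "low", "package": "example-lib"},
    ],
}

# Fixed clocks so the example is reproducible (a real gate uses the wall clock).
FIXED_NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)
LATE_NOW = FIXED_NOW + timedelta(days=30)


def gate(report, max_severity="medium", max_age=timedelta(days=7), now=None):
    """Decide whether an image may be deployed.

    Returns (allowed, reasons). The image is rejected when the scan is stale,
    when any finding exceeds max_severity, when a finding falls into an
    ALWAYS_BLOCK category, or when a severity label is unrecognised (fail
    closed rather than letting an unexpected value slip through).
    """
    now = now or datetime.now(timezone.utc)
    reasons = []

    scanned_at = datetime.fromisoformat(report["scanned_at"])
    if now - scanned_at > max_age:
        reasons.append(f"scan from {scanned_at.isoformat()} is older than "
                       f"{max_age.days} days; rescan before deploying")

    threshold = SEVERITY_RANK[max_severity]
    for finding in report.get("findings", []):
        fid = finding.get("id", "?")
        category = finding.get("category", "unknown")
        severity = str(finding.get("severity", "")).lower()
        rank = SEVERITY_RANK.get(severity)
        if rank is None:
            reasons.append(f"{fid}: unrecognised severity {severity!r}")
        elif category in ALWAYS_BLOCK:
            reasons.append(f"{fid}: {category} findings always block deployment")
        elif rank > threshold:
            reasons.append(f"{fid}: {category} severity {severity} exceeds "
                           f"allowed maximum {max_severity}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for report in (VULNERABLE_REPORT, CLEAN_REPORT):
        allowed, reasons = gate(report, now=FIXED_NOW)
        print(report["image"], "ALLOW" if allowed else "BLOCK")
        for reason in reasons:
            print("  -", reason)
```

The unknown-severity branch matters more than it looks: a scanner upgrade that renames "critical" to "Critical" or adds a new label must stop the pipeline, not silently pass every affected finding.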
Strengthening Permissions Management to Reduce Related Risks
- Do not allow IAM users to access SWR using administrator permissions.
Create separate Huawei Cloud IAM users and grant each of them access permissions only on the container images they need, so that permissions are isolated between employees.
- Access SWR through a VPC endpoint for refined control over different image organizations.
Accessing SWR through a VPC endpoint gives you a data boundary around SWR. By combining the VPC endpoint with IAM policies, you can restrict push and pull permissions to a specified VPC and allow only images in a fixed organization to be pulled within that VPC.
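A check you can run over IAM custom policies before attaching them, as an added example that is not Huawei Cloud's code. It flags wildcard actions (which amount to administrator access) and resources that are not scoped to a single organization, the two mistakes that undo the isolation described above. The policy documents are constructed; the SWR action names (swr:repo:download and so on) and the resource string layout are assumptions made for illustration, so confirm them against the SWR permissions reference. The VPC endpoint condition itself is not modelled here.

```python
"""Linter for IAM custom policies that grant SWR access.

Added example, not Huawei Cloud's code. It follows the general shape of a
Huawei Cloud IAM custom policy (Version 1.1, a Statement list with Effect,
Action and Resource), but the SWR action names and the resource string
format used in the sample policies are assumptions for illustration; check
the SWR permissions reference for the real values before reusing them.
"""


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy, allowed_org):
    """Return a list of problems found in an IAM policy document.

    Flags, for every Allow statement:
      * wildcard actions ("*", "swr:*", "swr:repo:*"), which amount to
        administrator access to SWR;
      * resources that are unscoped ("*", or missing) or that name an
        organization other than allowed_org, so a user meant for one
        organization cannot push to or pull from another.
    Deny statements are left alone: broad denies narrow access, not widen it.
    """
    problems = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement.get("Action")):
            if action == "*" or action.endswith(":*"):
                problems.append(
                    f"statement {index}: wildcard action {action!r} grants "
                    f"administrator-level access; list only the needed actions")
        resources = _as_list(statement.get("Resource")) or ["*"]
        for resource in resources:
            if resource == "*":
                problems.append(
                    f"statement {index}: resource '*' covers every "
                    f"organization and repository; scope it to {allowed_org}/")
                continue
            # Assumed resource layout: service:region:domain:type:org/repo
            name = resource.split(":", 4)[-1]
            if not name.startswith(allowed_org + "/"):
                problems.append(
                    f"statement {index}: resource {resource!r} is outside "
                    f"organization {allowed_org!r}")
    return problems


# Constructed sample policies. Action and resource strings are illustrative.
BROAD_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["swr:*"], "Resource": ["*"]},
    ],
}

SCOPED_POLICY = {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["swr:repo:download", "swr:repo:upload"],
            "Resource": ["swr:*:*:repository:team-a/*"],
        },
        {"Effect": "Deny", "Action": ["swr:repo:delete"], "Resource": ["*"]},
    ],
}

CROSS_ORG_POLICY = {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "swr:repo:download",
            "Resource": ["swr:*:*:repository:team-a/*",
                         "swr:*:*:repository:team-b/*"],
        },
    ],
}

if __name__ == "__main__":
    for label, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY),
                          ("cross-org", CROSS_ORG_POLICY)):
        print(label, lint_policy(policy, "team-a") or "ok")
```

Run it against every policy in version control as a pre-merge check; a policy that lints clean still needs the VPC endpoint restriction on top of it to confine pulls to the intended VPC.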
Enabling Image Access Audit for Post-event Backtracking
The audit function records every user operation on SWR in real time. By recording, analyzing, and reporting access to SWR, it lets you generate compliance reports and trace the root cause of an incident, improving the security of your data assets. For details, see Viewing Logs in CTS.
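Turning the CTS records into something actionable, as an added example that is not Huawei Cloud's code: a Python triage pass over SWR traces that flags operations from outside the expected networks and users who accumulate failed operations. The traces, user names, addresses and trace_name values are constructed for illustration; the field names follow the general CTS trace layout but should be checked against the CTS documentation before the script is pointed at real exports.

```python
"""Triage of CTS audit traces for SWR operations.

Added example, not Huawei Cloud's code. CTS records each SWR operation as a
trace with fields such as time, user, trace_name, source_ip, trace_status
and resource_name; the sample traces below are constructed, the trace_name
values are placeholders, and the normal / warning / incident values of
trace_status are used as the author of this example understands them.
"""
import ipaddress
from collections import Counter, defaultdict

# Networks from which image pushes and pulls are expected (assumed ranges,
# e.g. the build VPC and the office egress address).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Constructed sample traces.
SAMPLE_TRACES = [
    {"time": "2024-05-01T08:00:01Z", "user": {"name": "ci-bot"},
     "trace_name": "pushImage", "source_ip": "10.0.1.5",
     "trace_status": "normal", "resource_name": "team-a/api:1.4.2"},
    {"time": "2024-05-01T08:00:09Z", "user": {"name": "ci-bot"},
     "trace_name": "pullImage", "source_ip": "10.0.1.5",
     "trace_status": "normal", "resource_name": "team-a/api:1.4.2"},
    {"time": "2024-05-01T11:42:30Z", "user": {"name": "contractor"},
     "trace_name": "pullImage", "source_ip": "203.0.113.7",
     "trace_status": "normal", "resource_name": "team-a/api:1.4.2"},
    {"time": "2024-05-01T12:01:00Z", "user": {"name": "intern"},
     "trace_name": "pushImage", "source_ip": "10.0.2.9",
     "trace_status": "warning", "resource_name": "team-b/billing:2.0"},
    {"time": "2024-05-01T12:01:04Z", "user": {"name": "intern"},
     "trace_name": "pushImage", "source_ip": "10.0.2.9",
     "trace_status": "warning", "resource_name": "team-b/billing:2.0"},
    {"time": "2024-05-01T12:01:09Z", "user": {"name": "intern"},
     "trace_name": "deleteImage", "source_ip": "10.0.2.9",
     "trace_status": "warning", "resource_name": "team-b/billing:2.0"},
]


def triage(traces, trusted_networks=TRUSTED_NETWORKS, failure_threshold=3):
    """Return a list of (rule, detail) alerts.

    Rules:
      off_network  - an operation from an address outside trusted_networks,
                     which a VPC endpoint restriction should have prevented;
      failed_burst - one user reaching failure_threshold non-normal traces,
                     the usual shape of someone probing for permissions.
    """
    alerts = []
    failures = Counter()
    failed_ops = defaultdict(list)
    for trace in traces:
        user = trace.get("user", {}).get("name", "?")
        addr = ipaddress.ip_address(trace["source_ip"])
        if not any(addr in net for net in trusted_networks):
            alerts.append(("off_network",
                           f"{trace['time']} {user} {trace['trace_name']} "
                           f"{trace['resource_name']} from {addr}"))
        if trace.get("trace_status") != "normal":
            failures[user] += 1
            failed_ops[user].append(
                f"{trace['trace_name']} {trace['resource_name']}")
    for user, count in failures.items():
        if count >= failure_threshold:
            alerts.append(("failed_burst",
                           f"{user}: {count} failed operations "
                           f"({', '.join(sorted(set(failed_ops[user])))})"))
    return alerts


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_TRACES):
        print(f"[{rule}] {detail}")
```

The off_network rule is the post-event counterpart of the VPC endpoint restriction: if it ever fires, either the endpoint policy has a gap or someone holds credentials they should not.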