Huawei Cloud Sub-account Management Huawei Cloud Account Security Configuration Best Practices

Huawei Cloud / 2026-06-30 16:02:51

Introduction

Cloud accounts are not just login portals—they are the control center for data, networks, identities, and spend. In most security incidents, attackers don’t “break encryption” first. They steal or abuse access: weak passwords, exposed credentials, missing MFA, overly broad permissions, poor audit trails, and unmonitored privilege changes.

This article outlines practical best practices for configuring a Huawei Cloud account securely. The focus is not on abstract theory. It’s on concrete steps you can apply right away: how to structure identities, how to enforce strong authentication, how to limit permissions, how to protect sensitive operations, and how to continuously monitor what is happening.

Start with the Threat Model: What You Need to Defend Against

Before changing settings, it helps to name the threats you are actually preparing for. Most real-world risks fall into a few categories:

  • Credential theft: phishing, reused passwords, malware, or leaked keys.
  • Privilege misuse: legitimate users (or compromised accounts) performing destructive or sensitive actions.
  • Insider risk: accidental misconfiguration or intentional misuse.
  • Visibility gaps: changes are made, but nobody notices or can prove what happened.
  • Misconfiguration: resources end up exposed to the public internet, or broad access is granted.

Best practice security configuration is about reducing the probability of these events and reducing the impact when they happen.

Foundation: Establish a Secure Identity Strategy

In a cloud environment, “who can do what” is the core security control. Treat identity as your first defense layer.

Avoid Using the Root (Master) Account for Daily Work

If your Huawei Cloud account has a primary or root-like identity, use it sparingly. The golden rule: the strongest credentials should be used only for the most critical tasks, such as:

  • Initial setup of security policies and system configuration
  • Billing and account-level emergency actions
  • Only when absolutely necessary for account-wide settings

For day-to-day administration, create dedicated user identities. This reduces blast radius and improves auditability.

Create Dedicated Accounts for Humans and for Automation

Use separate identities rather than sharing one account across teams. For example:

  • Human users: individual accounts tied to a person.
  • Automation: service identities or dedicated programmatic users for scripts and pipelines.

Sharing accounts makes incident response nearly impossible because logs cannot easily attribute actions to a specific individual.

Apply Least Privilege by Role, Not by Convenience

Least privilege is not a slogan—it’s a configuration method. Instead of granting broad permissions “just in case,” define roles based on job functions:

  • Huawei Cloud Sub-account Management Developers: can deploy application resources, but not alter network security controls.
  • Operators: can manage monitoring and operational resources, but not modify identity policies.
  • Security admins: can manage audit and security settings, but not necessarily application data.

This approach also supports separation of duties, which reduces both accidental and malicious misuse.

Authentication Hardening: Strong Login Controls

Even perfect permission design can fail if authentication is weak. Strong authentication turns stolen credentials into far less useful information.

Enable MFA (Multi-Factor Authentication)

Huawei Cloud Sub-account Management Multi-factor authentication (MFA) should be enabled for administrative identities and, ideally, for all human accounts. Common best practice settings include:

  • Require MFA for login and for sensitive actions
  • Use an authenticator app or other robust MFA method
  • Ensure backup codes or recovery methods are stored securely

One practical rule: if an account can perform high-impact actions, it should always require MFA.

Use Strong Password Policies and Disable Weak Authentication Habits

Even if MFA is enabled, passwords are still important. Strong password habits reduce risk from password guessing and credential stuffing:

  • Enforce sufficiently long passwords
  • Prohibit password reuse across systems
  • Use a password manager and require team discipline

Where supported, consider restricting authentication methods to those with stronger security guarantees.

Control Session Risk: Timeouts and Reauthentication for Sensitive Work

Long-lived sessions can be risky if devices are left unattended or if tokens are exposed. For administrative workflows, consider:

  • Shorter session duration for privileged operations
  • Reauthentication for actions like policy edits, account settings changes, and key management

This reduces the chance that an active session becomes an easy backdoor.

Authorization Controls: Permissions That Don’t Overreach

Most account compromises lead to permission abuse. Your goal is to prevent attackers from doing anything beyond what is explicitly required.

Design Permission Sets Around Resources and Operations

When configuring authorization, think in two dimensions:

  • Scope: which resources can be accessed (specific projects, networks, storage buckets, etc.)
  • Actions: what operations are allowed (read, write, delete, modify policies)

Huawei Cloud Sub-account Management A role should not be “everything.” It should map to a concrete set of tasks, such as “read-only access to logs” or “deploy application instances within a specific project.”

Separate Administrative Domains

At minimum, separate identity and policy management from day-to-day service management. A common failure is allowing broad rights like:

  • Ability to change permissions, policies, or MFA settings
  • Ability to create or manage access keys without restrictions
  • Ability to disable logging or modify audit settings

Those should be limited to security administrators or a small group under strict controls.

Use Conditions to Reduce Access Opportunities

Where your Huawei Cloud configuration supports it, use conditional controls to limit access by:

  • Time windows (temporary access for specific tasks)
  • Source network ranges (only allow admin access from known IPs)
  • Additional context (only from specific devices or via specific routes, if available)

Conditions turn a broad permission into a controlled capability. Even if credentials are stolen, the attacker may not meet the required context.

Protect Sensitive Data and High-Impact Operations

Not all actions are equal. A secure account configuration identifies high-impact operations and adds extra safeguards.

Implement Guardrails for Deletion and Policy Changes

Destructive actions and security-policy changes should never be one-click operations without controls. Best practice guardrails include:

  • Restrict delete permissions to a small set of administrators
  • Require approvals or change management for critical actions (organizational process)
  • Huawei Cloud Sub-account Management Use MFA and reauthentication for actions that affect security settings

Even in a small team, adopting approval workflows for high-impact changes prevents many incidents.

Huawei Cloud Sub-account Management Limit Access to Logs and Audit Data

Logs are evidence. If attackers can delete, disable, or hide logs, you lose your ability to investigate. Ensure:

  • Read access to relevant logs is restricted to security and operations roles
  • Only a limited set of identities can modify logging configurations
  • Retention policies are configured to meet your compliance needs

Huawei Cloud Sub-account Management In many cases, attackers attempt to erase traces. Preventing tampering is as important as collecting logs.

Key Management and Credential Hygiene

Credentials go beyond passwords. API keys, access tokens, and programmatic credentials are frequent sources of compromise.

Use Temporary Credentials for Automation When Possible

Where feasible, prefer short-lived credentials over long-lived secrets. Temporary credentials reduce the damage if a token is exposed.

Huawei Cloud Sub-account Management If the platform supports temporary access patterns, adopt them for CI/CD pipelines and automation tasks. Long-lived keys should be exceptions, not the default.

Rotate Credentials Regularly and After Suspicion

Rotation reduces the time window for misuse. Set a rotation cadence appropriate to your risk level, such as:

  • Routine rotation (for example, quarterly or semi-annually)
  • Immediate rotation after employee changes, suspected compromise, or abnormal activity

Document the rotation procedure so teams can execute it consistently.

Store Secrets Securely and Avoid Hardcoding

Never hardcode access keys in code repositories, configuration files checked into version control, or build logs. Best practice is:

  • Store secrets in an approved secrets manager
  • Limit who can read secrets
  • Use least privilege credentials for the minimal set of tasks

Even one leaked key can allow attackers to move laterally across resources.

Huawei Cloud Sub-account Management Audit, Monitoring, and Alerting: Assume Something Will Happen

Preventive controls matter, but detection is what turns security into real resilience. Your account configuration must support rapid investigation.

Enable Comprehensive Audit Logging

Make sure your account produces logs for:

  • Login attempts (including failures)
  • Policy changes and permission grants/revokes
  • Creation and deletion of users, roles, and access keys
  • Changes to security settings like MFA configuration

If audit logging is optional, treat it as mandatory for security-relevant accounts and environments.

Centralize Logs and Keep Them Tamper-Resistant

Centralization helps you correlate events. Tamper resistance helps you preserve evidence. Practical measures include:

  • Send logs to a centralized logging or SIEM environment if you have one
  • Restrict who can change log destinations and retention
  • Use alerting pipelines that notify a responsible on-call group

If logs remain scattered across multiple accounts or projects without standardized handling, investigations become slow and error-prone.

Huawei Cloud Sub-account Management Set Alerts for the Events That Indicate Account Takeover or Abuse

Common alert-worthy signals include:

  • Multiple failed login attempts followed by a success
  • Login from unusual geographic regions or abnormal network locations
  • New admin permissions granted to a user
  • Creation of new access keys
  • Disabling or altering audit logging settings
  • High-risk API actions performed outside normal business hours

Alerts should be actionable. If you cannot define a response procedure, refine the detection logic so it matches how your team operates.

Network and Access Path Controls for Admin Work

Account security isn’t only about identity. The path by which administrators access the cloud also matters.

Restrict Administrative Access by IP Where Possible

If your organization has predictable office or VPN IP ranges, restrict access to administrative consoles or high-privilege APIs to those ranges. This reduces exposure to random internet traffic and many opportunistic attacks.

Use Secure Access Methods and Prevent Credential Leakage

Adopt secure browser practices and hardened endpoints for administrators. Practical steps include:

  • Use approved devices for admin work
  • Enforce endpoint security measures (malware protection, patching)
  • Avoid entering credentials on untrusted or unknown machines

Even the best cloud-side configuration can’t fully compensate for malware on an admin workstation.

Operational Security: Lifecycle Management for Accounts

Account security is not a one-time setup. People join, roles change, and staff leave. Many breaches happen during lifecycle transitions.

Provision Access Using a Formal Process

Require that access requests are reviewed and approved. A formal process ensures:

  • Permissions are justified
  • Roles match job functions
  • Access is time-bound when appropriate

Provisioning should be documented so you can later explain why a user had access.

Review Privileges Periodically and Remove Stale Access

Stale permissions accumulate over time. Conduct regular access reviews:

  • Quarterly or monthly reviews for privileged roles
  • Automated checks for unused accounts and keys
  • Immediate removal when responsibilities change

During reviews, verify both the role assignments and the effective permissions, not just the intended role name.

Handle Offboarding Immediately

When someone leaves, access should be revoked promptly. Your offboarding checklist should include:

  • Disable or delete user accounts
  • Revoke API access keys and tokens
  • Remove group or role memberships
  • Audit recent actions performed by the user before offboarding

Delays during offboarding are a frequent cause of continued access after termination.

Change Management and Configuration Integrity

Security configuration changes can introduce risk. A secure account is one where changes are controlled, reviewed, and trackable.

Use Versioned, Documented Security Baselines

Huawei Cloud Sub-account Management Define a security baseline for accounts and projects. Store it as documentation that includes:

  • Required MFA and allowed authentication methods
  • Standard role definitions
  • Logging and audit configuration targets
  • Expected retention and alerting approach

When changes deviate from the baseline, treat it as an exception and ensure it is reviewed.

Review Administrative Actions and Permission Changes

Even if you trust your team, human error happens. Regularly review:

  • New roles created
  • Policy edits and permission grants
  • Changes to key management or authentication settings

Huawei Cloud Sub-account Management Keep a record of who approved the changes and why. In an incident, this documentation shortens the response cycle.

Practical Checklist: What to Configure First

If you want a direct starting point, prioritize in this order:

  1. Huawei Cloud Sub-account Management Enable MFA for all privileged and administrative users.
  2. Create separate identities for humans and automation; stop sharing accounts.
  3. Apply least privilege using role-based permissions tied to specific job functions.
  4. Restrict high-impact actions like policy edits and deletions to a small group.
  5. Enable comprehensive audit logs for authentication, authorization, and security settings changes.
  6. Centralize and protect logs with controlled access and retention.
  7. Set alerts for key events such as permission changes and new access keys.
  8. Establish key hygiene: rotate regularly, use temporary credentials where possible, avoid hardcoding secrets.
  9. Run access reviews and immediately handle offboarding.

This sequence reduces both the chance of compromise and the chance that you will be blind if it happens.

Common Mistakes to Avoid

  • Overusing the admin account: it increases risk and makes attribution unclear.
  • Granting broad permissions “for convenience”: attackers benefit from the excess.
  • Turning on logs but not monitoring: you need alerts and a response process.
  • Leaving long-lived API keys active: secrets eventually leak.
  • No regular access reviews: permissions drift away from actual job needs.
  • Allowing security settings changes without extra safeguards: attackers often try to disable defenses.

Incident Readiness: Make Security Configurations Recoverable

Even with best practices, incidents can still occur. Your security configuration should help you recover quickly:

  • Have an account compromise response playbook (who to contact, what to revoke first).
  • Maintain a list of privileged identities and their approved permissions.
  • Test your ability to identify what changed by reviewing audit logs.
  • Ensure you can quickly rotate credentials and revoke access keys.

Readiness is not panic—it’s preparation that turns downtime into manageable events.

Conclusion

Secure Huawei Cloud account configuration is not about a single feature. It’s a system: strong authentication, least-privilege authorization, careful handling of credentials, comprehensive audit logging, and an operational process that keeps permissions correct over time.

If you apply the checklist in order—starting with MFA, identity separation, least privilege, and audit coverage—you will remove many of the most common paths to compromise. Then, with monitoring and lifecycle management in place, you gain the ability to detect abuse quickly and respond with confidence.

TelegramContact Us
CS ID
@cloudcup
TelegramSupport
CS ID
@yanhuacloud