Best Practices for Securing Access and Users

There are two types of users in Cloud Avenue Object Storage: the account owner (root user) and IAM (Identity and Access Management) users.
The root user is created when your Cloud Avenue account is set up. The connection information provided to you (Access Key / Secret Key) belongs to this user.
IAM users are created by the root user or by an IAM administrator of the account. Each IAM user has its own security credentials.

Root User

Root User credentials

The root user credentials provide full access to all account resources, and IAM policies cannot be used to deny the root user access to anything.
For this reason, protect the root user access keys. A few tasks, such as closing your account, can only be performed by the root user.

Protect the root user access keys
Do not use your root user access key unless the task cannot be done any other way. The root user access key grants total access to all your resources across all services, and the permissions associated with it cannot be restricted.
Therefore, protect your root user access key as you would your credit card numbers or other sensitive codes. Here are some ways to do so:

  • It is strongly recommended not to use the root user for daily tasks, including administrative tasks. Instead, use your root user credentials only to create your IAM administrator user. Then, secure the root user credentials and use them only for specific account and service management tasks.
  • If you have a root user access key, rotate (change) it regularly.
  • Never share your root user password or access keys with anyone. Other sections of this document cover different ways to avoid sharing your root user credentials with others.

Tasks requiring root user credentials
It is recommended to use an IAM user with appropriate permissions to perform tasks. However, you can only perform the following tasks when logged in as the root user of an account:

  • Modify your account settings, including account name, email address, root user password, root user access keys and other account settings such as contact details.
  • Restore IAM user permissions. If the only IAM administrator accidentally revokes their own permissions, you can log in as the root user to modify policies and restore those permissions.
  • Close your account.
  • Modify or delete an S3 Bucket policy that includes an invalid VPC ID or VPC endpoint ID.

IAM users

IAM users

IAM users let you control access to the S3 service and its resources per user. For example, if you need administrator-level permissions, create an IAM user, grant it full access, and use that user’s credentials to interact with Cloud Avenue’s S3 service.
If you need to modify or revoke permissions, modify or delete the policies attached to that IAM user.
If several people need access to your S3 account, create separate credentials for each of them and define who has access to which resources. Nobody needs to share credentials.

Grant the least privilege necessary

When creating IAM policies, follow the principle of least privilege: grant only the permissions required for a given task. Determine which actions users (and roles) need to perform and write policies that allow only those actions, on only the resources they need.
Start with minimal permissions and add more only when a need is demonstrated. This is safer than starting with overly permissive policies and trying to restrict them later, because you rarely know who has come to depend on the excess. For example, create IAM users with read-only access to the buckets they consume and hand those credentials to people who only need to read data.

Managing IAM Users

  1. Create the IAM user with the AWS CLI command create-user.
  2. Issue access keys so the user can call the service, with the AWS CLI command create-access-key. Attach the user’s policy (see Managing policies below) before handing out the keys, so that no credential exists without permissions scoped to it.

Managing policies

To create a policy using AWS CLI commands, follow this link: Create IAM policies (AWS CLI) – AWS Identity and Access Management
To attach a policy to a user using AWS CLI commands, follow this link: Adding and removing IAM identity permissions – AWS Identity and Access Management
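The steps from Managing IAM Users and Managing policies, together with the least-privilege advice above, as one added shell example. This is not Cloud Avenue’s own code: the IAM endpoint URL, the user name and the bucket name are placeholders (assumptions), and the order is deliberately create-user, create-policy, attach-user-policy, then create-access-key, so the key is never issued without a scoped policy already attached. Run it as an IAM administrator, not as the root user.

```shell
#!/bin/sh
# Added example, not Cloud Avenue documentation code. IAM_ENDPOINT, the user
# name and the bucket name are placeholders (assumptions); take the real
# endpoint and administrator credentials from your Cloud Avenue console.
set -eu

IAM_ENDPOINT="${IAM_ENDPOINT:-https://iam.example.invalid}"  # assumption: replace
AWS="${AWS:-aws}"   # set AWS=echo to dry-run and only print the commands

# Least-privilege policy: list and read one bucket, nothing else.
readonly_policy() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOneBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "ReadObjectsInOneBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Guard against the "start overly permissive" mistake: reject any policy
# document that grants s3:* or names Resource "*". Returns 0 when scoped.
policy_is_scoped() {
  ! grep -Eq '"(s3:)?\*"' "$1"
}

# create-user -> create-policy -> attach-user-policy -> create-access-key.
# Keys are issued last so no credential ever exists without a scoped policy.
create_readonly_user() {
  user="$1"; bucket="$2"
  policy_file="$(mktemp)"
  readonly_policy "$bucket" > "$policy_file"
  policy_is_scoped "$policy_file" || {
    echo "refusing over-broad policy" >&2; rm -f "$policy_file"; return 1; }

  $AWS iam create-user --endpoint-url "$IAM_ENDPOINT" --user-name "$user"
  policy_arn="$($AWS iam create-policy --endpoint-url "$IAM_ENDPOINT" \
      --policy-name "readonly-${bucket}" --policy-document "file://$policy_file" \
      --query Policy.Arn --output text)"
  $AWS iam attach-user-policy --endpoint-url "$IAM_ENDPOINT" \
      --user-name "$user" --policy-arn "$policy_arn"
  # The secret is shown exactly once: pass it to the user over a secure
  # channel, never by e-mail or chat, and record only the AccessKeyId.
  $AWS iam create-access-key --endpoint-url "$IAM_ENDPOINT" --user-name "$user" \
      --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
  rm -f "$policy_file"
}

# Usage (placeholder names):  create_readonly_user alice reports-bucket
```

Run with AWS=echo first to see the exact commands without touching the account. The policy names only the one bucket (both the bucket ARN for listing and bucket/* for objects); widening it to other buckets is done by adding statements, not by substituting "*".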

Accessing S3 Keys (Security Credentials)

Security credentials for the object storage service are available in the console under the “Security Credentials” tab.