Tencent Cloud -- Security¶
Identity and access management, network security, data protection, and compliance considerations for Tencent Cloud.
Identity & Access¶
CAM (Cloud Access Management)¶
CAM is Tencent Cloud's identity and access management service. It supports sub-users, collaborators, roles, and fine-grained policies.
| Identity Type | Description |
|---|---|
| Root account | Full access to all resources; creates sub-accounts and sets up billing. Should not be used for day-to-day operations. |
| Sub-user | Owned by the root account; receives console login and/or API keys. Most common identity for human operators. |
| Collaborator | An existing Tencent Cloud root account invited into another account; maintains dual identity. |
| Role | Virtual identity with temporary credentials; assumed by Tencent Cloud services, sub-users, or external entities for cross-account and cross-service access. |
| Message recipient | Receives notifications (SMS, email) but has no console or API access. |
CAM Policies¶
Policies are JSON documents with Effect (Allow/Deny), Action, Resource, and Condition elements. Tencent Cloud provides system (preset) policies and supports custom policies.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": ["cvm:DescribeInstances", "cvm:StartInstances"],
"resource": ["qcs::cvm:ap-guangzhou:uin/100000000001:instance/*"],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag/env": ["production"]
}
}
}
]
}
SSO Federation¶
Tencent Cloud supports federated SSO via SAML 2.0 and OIDC:
- SAML 2.0: Configure a SAML identity provider in CAM, then map IdP attributes to CAM roles. Users authenticate with the corporate IdP (Okta, Azure AD, ADFS) and assume a CAM role.
- OIDC: Register an OIDC provider in CAM for CI/CD pipelines (GitHub Actions, GitLab) to assume roles without long-lived API keys.
Multi-account SSO
For TCO multi-account environments, configure SSO at the management account and create cross-account roles in member accounts. Users authenticate once and switch between accounts by assuming the appropriate role.
Network Security¶
Security Groups¶
Security groups are stateful, instance-level firewalls. Rules are evaluated top-to-bottom; the first matching rule wins. Each security group supports up to 100 inbound + 100 outbound rules.
Best practices:
- One security group per application tier (web, app, db)
- Default-deny: the implicit bottom rule is deny-all
- Use security group references to allow traffic from CLB or upstream tiers without hardcoding IP addresses
- Back up security group rules before modifying (
tccli vpc DescribeSecurityGroupPolicies)
Cloud Firewall (CFW)¶
Cloud Firewall provides three inspection modes:
| Mode | Scope | Use Case |
|---|---|---|
| Internet Firewall | North-south traffic on EIPs and NAT Gateways | Block external threats, IPS/IDS, virtual patching |
| NAT Firewall | Outbound traffic from CVM through NAT Gateway | Detect and block malicious outbound connections (C2 callbacks, data exfiltration) |
| VPC Firewall | East-west traffic between VPCs via CCN or Peering | Inter-VPC isolation, micro-segmentation |
CFW integrates with Tencent Threat Intelligence for real-time reputation scoring of IP addresses and domains.
| Edition | Key Capabilities |
|---|---|
| Premium | Internet ACL, IPS, virtual patching, NAT firewall |
| Enterprise | All Premium + VPC boundary firewall |
| Ultimate | All Enterprise + advanced threat tracing, 6-month log retention |
Anti-DDoS¶
| Product | Protection | Scope |
|---|---|---|
| Anti-DDoS Basic | 2-10 Gbps (free) | Auto-enabled on all Tencent Cloud resources |
| Anti-DDoS Pro | Configurable base + elastic bandwidth | Tencent Cloud resources only; no IP change; 30-line BGP |
| Anti-DDoS Advanced | Tbps-level; 900+ Gbps per China node | Any Internet business; hides real server IP; global cleaning centers |
WAF (Web Application Firewall)¶
Tencent Cloud WAF protects HTTP/HTTPS applications against OWASP Top 10 attacks, CC (challenge collapsar) attacks, and bot traffic. WAF operates in reverse-proxy mode (CNAME-based) or transparent proxy mode (CLB binding).
Key features: SQL injection/XSS protection, custom rules, IP blocklist/ allowlist, rate limiting, bot management, API protection, and integration with Anti-DDoS Basic (2 Gbps included with WAF VIP).
Data Protection¶
KMS (Key Management Service)¶
KMS provides centralized key lifecycle management for encryption at rest.
| Feature | Detail |
|---|---|
| Key types | Symmetric (AES-256, SM4), Asymmetric (RSA-2048, SM2) |
| HSM backing | FIPS 140-2 Level 3 compliant HSM cluster |
| Key rotation | Automatic rotation with configurable interval |
| Envelope encryption | Generate data keys locally; encrypt the data key with the CMK |
Services with native KMS integration: COS (server-side encryption), CBS (disk encryption), CDB (TDE), TDSQL (TDE), CLS (log encryption).
TDE (Transparent Data Encryption)¶
CDB (TencentDB for MySQL) and TDSQL support TDE to encrypt data files at rest without application changes. TDE uses KMS-managed keys.
# Enable TDE on a CDB instance
tccli cdb ModifyDBInstanceSecurityGroups \
--cli-unfold-argument \
--InstanceId cdb-xxxxxxxx
# TDE is enabled via the console: Instance Detail -> Data Encryption -> Enable TDE
# Select the KMS key from the same region as the database instance
CloudAudit¶
CloudAudit records all API calls made to Tencent Cloud services. Event history retains 90 days of records. For long-term retention, create tracking sets that export to COS buckets.
# Create a tracking set for long-term audit log storage
tccli cloudaudit CreateAuditTrack \
--cli-unfold-argument \
--Name org-audit-trail \
--Status 1 \
--Storage.StorageType cos \
--Storage.StorageName audit-logs-bucket \
--Storage.StoragePrefix cloudaudit \
--Storage.StorageRegion ap-guangzhou
90-day native retention
CloudAudit event history only retains 90 days. For compliance workloads requiring longer retention (e.g., MLPS Level 3 requires 180+ days), always configure tracking sets to export to COS with versioning and lifecycle policies.
Compliance¶
China Cybersecurity Law¶
The Cybersecurity Law (effective June 2017) imposes requirements on network operators and critical information infrastructure (CII) operators:
- Data localization: Personal information and important data collected in mainland China must be stored domestically. Cross-border transfer requires a security assessment by the Cyberspace Administration of China (CAC).
- Network security obligations: Minimum 6-month log retention, real-name authentication for users, incident response plans, and security protection measures.
- CII operators: Additional requirements including annual security reviews, procurement of secure products, and dedicated security teams.
MLPS 2.0 (Multi-Level Protection Scheme)¶
MLPS 2.0 (GB/T 22239-2019) is China's mandatory information security classification system. Tencent Cloud provides compliance assistance:
| Level | Scope | Tencent Cloud Support |
|---|---|---|
| Level 2 | General business systems | Cloud Firewall, CAM, CloudAudit, Security Group hardening |
| Level 3 | Important business systems | All Level 2 + KMS/TDE encryption, WAF, Anti-DDoS Pro, Bastion Host, CLS with 180-day retention |
| Level 4 | Critical infrastructure | All Level 3 + dedicated compliance region, enhanced physical security, third-party audit support |
Data Residency¶
Tencent Cloud operates separate infrastructure for mainland China and international regions. Data created in Chinese regions remains within China's borders by default. Cross-border data transfer (e.g., DTS sync to Singapore, COS CRR to overseas buckets) is subject to regulatory approval for personal data under the Personal Information Protection Law (PIPL) and Data Security Law (DSL).
Available Certifications¶
Tencent Cloud holds ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI-DSS, CSA STAR, GDPR readiness, and region-specific certifications including China MLPS Level 3, Singapore MTCS Level 3, and South Korea CSAP. Government-grade workloads benefit from Tencent Cloud's compliance center which provides downloadable audit reports and pre-configured compliance baselines.