Hi everyone, welcome to the second chapter in our Tencent Cloud SysOps Associate course, Secure Access to Tencent Services. At the end of this chapter you'll be able to describe Tencent Cloud's server security management tools and use Cloud Access Management, or CAM. In this chapter we'll cover two sections: cloud server security management, and cloud server access management. This video covers the first section, cloud server security management; the next video covers the second.

Let's get started with Section 1, cloud server security management. In this video we'll cover security groups, security group management, encrypted login, and KMS Ops.

We'll start with an introduction to security groups. In this subsection we'll give an overview of security groups and their configuration, then compare security groups with network ACLs.

A security group is a virtual firewall used to configure network access control for CVM, CLB, TencentDB, and other instances, controlling their inbound and outbound traffic. A security group is a logical group: instances in the same region with the same network isolation requirements can be placed in, and share, the same security group. By default, instances associated with the same security group cannot reach each other unless you explicitly allow that with a rule. Security groups are also stateful: once a connection is allowed in one direction, the return traffic of that connection is allowed automatically in the other direction, with no matching rule required.

Typical security group misconfigurations include exposing a port to external networks that should not be reachable from them, blocking a port that a service needs, or not opening the port used for remote desktop login. An incorrectly configured security group shows up as problems such as remote desktop login failing, the instance not responding to ping, or Internet services on the instance being unreachable.
Solutions include troubleshooting by checking which security group is associated with the CVM, and reconfiguring the security group rules.

Shown here is a table comparing security groups and network ACLs. Security groups provide instance-level traffic control and act as the first layer of defense, while network ACLs provide subnet-level traffic control and act as the second layer. Both support allow and reject rules, but security groups are stateful while network ACLs are stateless. With a security group, the return flow of an allowed connection is not evaluated against the rules and is allowed automatically; with a network ACL, the return flow must be explicitly allowed by a rule in its own direction. A security group can be applied to multiple instances, either by specifying it when an instance is created or by associating it afterwards; a network ACL is applied automatically to every CVM instance in the subnet it is associated with.

In the next subsection we'll cover the console interface for configuring and managing security groups: how to create a new security group, security group management, and security group configuration.

When creating a security group in the console, the first step is to select an existing template or a custom template. Next, enter a name and select the project the security group belongs to. You can then set up the initial rules for the security group. When you're done, click "Finish" to complete creation.

After you create a security group, you can configure and modify its rules at any time: allow inbound traffic to the instances associated with the group, allow outbound traffic to leave them, or, by binding a security group that has no rules, deny all traffic. Security groups support custom template creation.
Tencent Cloud also provides two existing templates. The "open all ports" template is commonly used for intranet connections. The "open common ports" template opens ports 22, 80, 443, and 3389 plus the ICMP protocol, and is commonly used for Internet-facing instances, where there are more security concerns. Because a template opens these ports broadly, it is worth narrowing the source of the management ports, 22 and 3389, to the addresses that actually need them once the instance is reachable.

Let's move on to security group management. You can bind multiple instances to one security group, or bind one instance to multiple security groups, in which case a priority decides which group's rules take effect first. When an instance is bound to multiple security groups, the smaller the priority number, the higher the priority. For the rules within a security group, the higher a rule's position in the list, the higher its priority; the first matching rule is applied. When an instance is bound to a security group that has no rules, all traffic is rejected by default.

Another aspect of security group management is the usage limits. A CVM can only be bound to security groups in the same region and the same project, so for different regions you may need to create security groups separately. There is also a limit of 50 security groups per region, and a limit of 100 inbound rules and 100 outbound rules per security group; a well-designed security group typically has only a few rules. The number of security groups associated with an instance and the number of instances in a security group are both unlimited.

Now let's look at configuring security groups. Image A shows the Tencent Cloud interface for creating a security group, where you specify its template, name, and project. Image B shows the security group rule configuration interface, where you can view the source and protocol/port of each rule and set its action to allow or deny. Image C shows the interface for binding instances to a security group, where you can select up to 100 instances at a time. Image D shows the batch import interface, where you select a file and import security group rules from it.
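The rule-matching behaviour described in the comparison table and in the management subsection (first matching rule wins, groups consulted by priority number, a bound group with no rules rejecting everything, and stateful return traffic versus a stateless network ACL) is easy to get wrong when reasoning about a console screenshot. The following Python model, added here as an example and not code from the course or from Tencent Cloud, reproduces those semantics so you can test a rule set before applying it. The class names, the "ssh-from-jump-only" group and all addresses are constructed for the example; the action and protocol values ("ACCEPT", "DROP", "TCP", "ICMP", "ALL") follow the vocabulary used in the Tencent Cloud security group API, and the "open-common-ports" group mirrors the template just described.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str    # "ACCEPT" or "DROP"
    protocol: str  # "TCP", "UDP", "ICMP" or "ALL"
    port: str      # "22", "8000-8080" or "ALL" (not checked for ICMP)
    cidr: str      # remote address range, e.g. "0.0.0.0/0"

    def matches(self, protocol: str, port: int, remote_ip: str) -> bool:
        if self.protocol not in ("ALL", protocol):
            return False
        if protocol != "ICMP" and self.port != "ALL":
            lo, _, hi = self.port.partition("-")
            if not int(lo) <= port <= int(hi or lo):
                return False
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)


@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)  # top of the list = highest priority
    egress: List[Rule] = field(default_factory=list)


# (priority number, group): when an instance is bound to several groups,
# the group with the smaller number is consulted first.
Bindings = List[Tuple[int, SecurityGroup]]


def evaluate(bindings: Bindings, direction: str, protocol: str, port: int, remote_ip: str) -> str:
    """First matching rule wins, walking groups by priority and rules top to bottom.
    No match at all (including a bound group that has no rules) means DROP."""
    for _, group in sorted(bindings, key=lambda b: b[0]):
        for rule in (group.ingress if direction == "in" else group.egress):
            if rule.matches(protocol, port, remote_ip):
                return rule.action
    return "DROP"


class StatefulFilter:
    """Security group behaviour: a connection admitted by a rule is remembered, and its
    return traffic is accepted without consulting the rules of the other direction."""

    def __init__(self, bindings: Bindings):
        self.bindings = bindings
        self.connections = set()  # (direction of the first packet, protocol, port, remote_ip)

    def packet(self, direction, protocol, port, remote_ip, reply=False) -> str:
        if reply:
            opened_from = "in" if direction == "out" else "out"
            if (opened_from, protocol, port, remote_ip) in self.connections:
                return "ACCEPT"
        verdict = evaluate(self.bindings, direction, protocol, port, remote_ip)
        if verdict == "ACCEPT":
            self.connections.add((direction, protocol, port, remote_ip))
        return verdict


class StatelessFilter:
    """Network ACL behaviour: every packet, replies included, needs a rule in its own direction."""

    def __init__(self, bindings: Bindings):
        self.bindings = bindings

    def packet(self, direction, protocol, port, remote_ip, reply=False) -> str:
        return evaluate(self.bindings, direction, protocol, port, remote_ip)


def demo() -> Dict[str, str]:
    # Constructed sample groups: "open-common-ports" mirrors the template from the course,
    # "ssh-from-jump-only" is a hypothetical group that limits port 22 to the intranet.
    open_common_ports = SecurityGroup(
        "open-common-ports",
        ingress=[Rule("ACCEPT", "TCP", p, "0.0.0.0/0") for p in ("22", "80", "443", "3389")]
        + [Rule("ACCEPT", "ICMP", "ALL", "0.0.0.0/0")],
        egress=[Rule("ACCEPT", "ALL", "ALL", "0.0.0.0/0")],
    )
    ssh_from_jump_only = SecurityGroup(
        "ssh-from-jump-only",
        ingress=[
            Rule("ACCEPT", "TCP", "22", "10.0.0.0/8"),  # higher position, matched first
            Rule("DROP", "TCP", "22", "0.0.0.0/0"),
        ],
    )
    no_rules = SecurityGroup("no-rules")

    # The instance is bound to both groups; priority 1 is consulted before priority 2.
    web_server = [(2, open_common_ports), (1, ssh_from_jump_only)]
    results = {
        "ssh_from_internet": evaluate(web_server, "in", "TCP", 22, "203.0.113.5"),
        "ssh_from_intranet": evaluate(web_server, "in", "TCP", 22, "10.1.2.3"),
        "https_from_internet": evaluate(web_server, "in", "TCP", 443, "203.0.113.5"),
        "ping_from_internet": evaluate(web_server, "in", "ICMP", 0, "203.0.113.5"),
        "mysql_from_internet": evaluate(web_server, "in", "TCP", 3306, "203.0.113.5"),
        "bound_group_with_no_rules": evaluate([(1, no_rules)], "in", "TCP", 443, "203.0.113.5"),
    }

    # Same rule set under the two semantics: inbound SSH allowed, no outbound rule at all.
    ssh_in_only = [(1, SecurityGroup("ssh-in-only", ingress=[Rule("ACCEPT", "TCP", "22", "0.0.0.0/0")]))]
    sg, acl = StatefulFilter(ssh_in_only), StatelessFilter(ssh_in_only)
    results["sg_ssh_request"] = sg.packet("in", "TCP", 22, "198.51.100.7")
    results["sg_ssh_reply"] = sg.packet("out", "TCP", 22, "198.51.100.7", reply=True)
    results["acl_ssh_request"] = acl.packet("in", "TCP", 22, "198.51.100.7")
    results["acl_ssh_reply"] = acl.packet("out", "TCP", 22, "198.51.100.7", reply=True)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```

Two results are worth a second look. SSH from the Internet is dropped even though the "open-common-ports" group allows port 22, because the priority-1 group's DROP rule is reached first; swapping the two priority numbers would silently reopen port 22. And the stateless filter drops the reply to an accepted SSH connection, which is exactly why a network ACL needs explicit rules in both directions while a security group does not.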
Image E shows the interface for cloning a security group, with parameters for the target project, target region, old name, and new name. Image F shows the interface for deleting a security group.

Let's move on to encrypted login. We'll start with the login methods, then cover password login and SSH key login.

To secure access to an instance, Tencent Cloud provides two login methods: password login and SSH key pair login. The first, password login, uses a password as the login credential of each CVM instance. The password has length and character requirements. After setting the initial password, you can view or reset it later.

The second, SSH key pair login, uses public-key cryptography to authenticate logins to Linux instances: the public key is placed on the instance and the private key stays with the user, who proves possession of it during the SSH handshake, so no password is sent. You can create the SSH key pair when choosing the login method during instance creation, or from the SSH key interface, and then log in to the instance with the key instead of a password. In the SSH key management interface you can create an SSH key, bind it to or unbind it from a CVM instance, modify the key's name or description, or delete it. Keep the private key file protected; anyone who holds it can log in as that account.

To log in to a Linux instance, install a remote terminal; here we use PuTTY, as shown in the image. Connect to the Linux CVM by entering its public IP, selecting "SSH", and clicking "Open", then enter the admin account and password.

Now let's go over KMS Ops. We'll look at an overview of KMS, KMS use cases, and KMS Ops management. Tencent Cloud Key Management Service, or KMS, is a service for creating and managing keys, in which the confidentiality, integrity, and availability of the keys are protected. KMS meets users' key management requirements across multiple applications and services, as well as regulatory and compliance requirements. Now let's look at the KMS use cases.
Communicating and storing sensitive financial and government data require high confidentiality, which KMS facilitates by providing keys for encryption and decryption. Other use cases, such as protecting backend configuration data and core enterprise data, also require high privacy and security, which the KMS solution can provide.

The KMS Ops management process consists of operations such as creating a key, viewing and modifying a key, encrypting data, decrypting data, and disabling a key. In the following sections we'll go into the different types of keys and their use cases.

In the create key interface you'll see a key list showing the KMS keys in the selected region, separated into customer-managed keys and Tencent Cloud-managed keys. Keys managed by Tencent Cloud are used for COS and other server-side encryption; you can also create your own custom keys. Keep in mind that each key belongs to a region and can only be used in that region.

After creating a key, you can view and modify its information, enable or disable it, and change its rotation status. With key rotation enabled, the key material is changed automatically every year, limiting how much data is ever protected by a single version of the key; ciphertext produced with earlier key material remains decryptable, because each version is retained. Disabling a key blocks encryption and decryption with it until it is enabled again.

Using the online tool for encryption, you paste the plaintext to be protected, for example the contents of a certificate or key file, into the tool, select the KMS key, perform the encryption, and download the resulting ciphertext. Decryption works the same way: paste the ciphertext into the tool, decrypt it with the KMS key, and download the decrypted text. Tencent Cloud also lets you enable and disable keys in batches, as shown in the key list interface in the console.
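As an added example, not code from the course or from Tencent Cloud, the following Python model reproduces the key lifecycle described in this section: keys are bound to the region they were created in, encryption always uses the newest key version while older versions are kept so earlier ciphertext still decrypts after rotation, and a disabled key refuses both operations until it is enabled again. The class names, the key ID "demo-cmk", the ciphertext layout and the HMAC-based toy cipher are all assumptions made for the example; the real service uses AES and its own ciphertext blob format, and is called through the Tencent Cloud API or SDK rather than through a class like this.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List


def _toy_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (HMAC-SHA256 in counter mode) so the example needs only the
    standard library. It stands in for the AES used by the real service and must not be
    used to protect real data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class CustomerKey:
    key_id: str
    enabled: bool = True
    # Every rotation appends new material; older versions stay so old ciphertext still decrypts.
    versions: List[bytes] = field(default_factory=lambda: [secrets.token_bytes(32)])


class ToyKms:
    """One KMS endpoint per region: a key exists only in the region where it was created."""

    def __init__(self, region: str):
        self.region = region
        self.keys: Dict[str, CustomerKey] = {}

    def create_key(self, key_id: str) -> CustomerKey:
        self.keys[key_id] = CustomerKey(key_id)
        return self.keys[key_id]

    def _usable(self, key_id: str) -> CustomerKey:
        key = self.keys.get(key_id)
        if key is None:
            raise KeyError(f"{key_id} is not a key in region {self.region}")
        if not key.enabled:
            raise PermissionError(f"{key_id} is disabled")
        return key

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        key = self._usable(key_id)
        version = len(key.versions) - 1  # always the newest material
        nonce = secrets.token_bytes(12)
        # Assumed blob layout: key id length, key id, key version, nonce, ciphertext.
        header = bytes([len(key_id)]) + key_id.encode() + version.to_bytes(2, "big") + nonce
        return header + _toy_stream(key.versions[version], nonce, plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        # The ciphertext names its key and version, so decryption needs only the blob.
        n = blob[0]
        key_id = blob[1:1 + n].decode()
        version = int.from_bytes(blob[1 + n:3 + n], "big")
        nonce = blob[3 + n:15 + n]
        key = self._usable(key_id)
        return _toy_stream(key.versions[version], nonce, blob[15 + n:])

    def rotate(self, key_id: str) -> None:
        """What the scheduled rotation does: add new material and keep the old versions."""
        self._usable(key_id).versions.append(secrets.token_bytes(32))

    def set_enabled(self, key_id: str, enabled: bool) -> None:
        self.keys[key_id].enabled = enabled


def version_of(blob: bytes) -> int:
    n = blob[0]
    return int.from_bytes(blob[1 + n:3 + n], "big")


def demo() -> Dict[str, bool]:
    guangzhou = ToyKms("ap-guangzhou")  # Tencent Cloud region names; the key id is made up
    shanghai = ToyKms("ap-shanghai")
    guangzhou.create_key("demo-cmk")
    secret = b"db_password=constructed-sample-value"  # constructed plaintext

    old_blob = guangzhou.encrypt("demo-cmk", secret)
    guangzhou.rotate("demo-cmk")
    new_blob = guangzhou.encrypt("demo-cmk", secret)
    results = {
        "old_ciphertext_still_decrypts": guangzhou.decrypt(old_blob) == secret,
        "new_ciphertext_uses_new_version": version_of(new_blob) == version_of(old_blob) + 1,
        "new_ciphertext_decrypts": guangzhou.decrypt(new_blob) == secret,
    }

    guangzhou.set_enabled("demo-cmk", False)
    try:
        guangzhou.decrypt(old_blob)
        results["disabled_key_rejects"] = False
    except PermissionError:
        results["disabled_key_rejects"] = True
    guangzhou.set_enabled("demo-cmk", True)
    results["reenabled_key_decrypts"] = guangzhou.decrypt(old_blob) == secret

    try:
        shanghai.decrypt(old_blob)  # same key id, wrong region
        results["other_region_rejects"] = False
    except KeyError:
        results["other_region_rejects"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:32} {'ok' if ok else 'FAILED'}")
```

The two operational points the model makes are that rotation is safe to turn on for a key that already protects data, since decryption selects the version recorded in the ciphertext, and that a ciphertext can only be decrypted by the KMS endpoint in the key's own region, so a backup or disaster-recovery plan that restores data in another region needs the data re-encrypted with a key that exists there.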