• Identity and Access Management

iam
  1. Help Center
  2. Identity and Access Management
  3. User Guide
  4. Product Introduction
  5. Personal Data Protection Mechanism

Personal Data Protection Mechanism

To ensure that your personal data, such as the username, password, and mobile phone number, will not be obtained by unauthorized and unauthenticated entities and people, IAM encrypts your personnel data before storing it to control access to the data and generate logs for operations performed on the data, preventing data leakage.

Personal Data to Be Collected

Table 1 lists the personal data collected or generated by IAM.

Table 1 Personal data

Type

Data Collection

Can Be Modified

Mandatory

Username

  • A username must be entered when you create a user on the management console.
  • A username must be entered when you make an API call.

No

Yes

The username is the identity of the user.

Password

  • A password must be entered when you create a user, modify user credentials, and reset the password on the management console.
  • A password must be entered when you make an API call.

Yes

No

You can use either the password or Access Key ID (AK) and Secret Access Key (SK).

Email address

An email address must be entered when you create a user, modify user credentials, and reset the password on the management console.

Yes

No

Mobile phone number

A mobile phone number must be entered when you create a user, modify user credentials, and change the phone number on the management console.

Yes

No

AK and SK

The AK and SK can be created on the My Credential page or on the page for you to set credentials of a user.

No

The AK and SK cannot be modified. To use different AKs and SKs, you can delete existing ones and create new ones.

No

The AK and SK sign requests when an API is called.

Storage Modes

IAM uses encryption algorithms to encrypt users' sensitive data and stores encrypted data.

  • Usernames and AKs are not sensitive data and stored in plaintext.
  • Passwords, email addresses, mobile phone numbers, and SKs are encrypted and then stored.

Access Control

User personal data is encrypted before being stored in the IAM database. The whitelist mechanism is used to control access to the database.

API Constraints

  • When you call an API to access the cloud system, the AK and SK are required for authentication. You can obtain the AK and SK only at the time you create them. If you lose or forget the AK and SK, you cannot retrieve them through the management console or API. Instead, you can create new AKs and SKs. Do not share your AKs and SKs with anyone to prevent data leakage.
  • IAM does not provide the APIs for you to batch query and modify personal data.

Logs

IAM records logs for all operations, such as adding, editing, querying, and deleting, performed on personal data. The logs are uploaded to Cloud Trace Service (CTS). You can view only the logs generated for operations you performed.