TDMQ for MQTT provides an enterprise-grade security system. Root/sub-account management together with authorization and authentication mechanisms on both the control plane and the data plane form a multi-level protection scheme that covers every step of message transmission and safeguards data security.
Control Plane Permissions (Account-Level)
Cross-account authorization, both between a root account and its sub-accounts and across enterprises, is provided through the root account, sub-account, collaborator, and related features of Cloud Access Management (CAM). In addition, account access key management controls which cloud resources can be called through APIs.
Identity Authentication
To access TDMQ for MQTT resources through the console or by calling cloud APIs, identity authentication is required; resources can be accessed only after authentication succeeds.
Logging in to the console: The login password is verified, and login protection and login verification policies are available to strengthen identity authentication. For details, see Changing the Login Password and Setting Login Protection.
Calling cloud APIs: The AccessKey is verified. An AccessKey is the security credential used for identity authentication when accessing TencentCloud APIs; it consists of a SecretId and a SecretKey. For details, see Account AccessKey Management.
Access Control
Through CAM, fine-grained permission management for TDMQ for MQTT resources can be implemented at the account level.
User and permission assignment: Based on the enterprise organizational structure, independent users or roles are created for members of different functional departments, and dedicated security credentials (such as the console login password and cloud API key) or temporary credentials are assigned to ensure secure and controlled access to TDMQ for MQTT resources.
Fine-grained permission control: Set differentiated access policies based on employee responsibilities to precisely control the types of operations each user or role can perform and the scope of resources they can access, achieving strict permission isolation.
Data Plane Permissions (TDMQ for MQTT Resource-Level)
On the data plane, TDMQ for MQTT provides two layers of protection: authentication management and authorization policies. The authentication methods verify device identity, while the authorization policies control topic operation permissions at a fine granularity, isolating access at the resource level.
Authentication
TDMQ for MQTT supports multiple authentication methods to secure communication between clients and the server. When a client connects, its identity is verified with the configured authentication method, and access is granted only after authentication succeeds, so that only legitimate devices can connect.
Five authentication methods are supported: username and password, X.509 certificate, JWT, external HTTP, and one-device-one-secret. You can select one of these methods.
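The following is an added example, not code from the TDMQ for MQTT product or its documentation, showing the checks a broker-side JWT authenticator must perform before admitting a client. It assumes an HS256 shared-secret JWT whose `sub` claim carries the MQTT client ID and whose `exp` claim bounds its lifetime; the secret, claim names and token layout are assumptions for illustration, not TDMQ for MQTT's actual configuration. Only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret; a real broker would load its configured JWT secret.
DEMO_SECRET = b"demo-shared-secret-not-for-production"


def b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token (the part a credential service, not the broker, would do)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def authenticate_jwt(token: str, client_id: str, secret: bytes,
                     now: Optional[float] = None) -> Tuple[bool, str]:
    """Broker-side check at CONNECT time. Returns (accepted, reason).

    Order matters: pin the algorithm, verify the signature, and only then trust
    any claim in the payload. Signature verification uses a constant-time compare.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except Exception:
        return False, "malformed token"
    # Reject alg=none and any algorithm other than the one we are configured for
    # (prevents algorithm-confusion attacks where the attacker chooses the alg).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except Exception:
        return False, "malformed claims"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    # Bind the token to the MQTT client ID presented in CONNECT so that a token
    # stolen from one device cannot be replayed from another identity.
    if claims.get("sub") != client_id:
        return False, "client id mismatch"
    return True, "ok"


if __name__ == "__main__":
    tok = make_jwt({"sub": "sensor-42", "exp": int(time.time()) + 300}, DEMO_SECRET)
    print(authenticate_jwt(tok, "sensor-42", DEMO_SECRET))
    print(authenticate_jwt(tok, "sensor-43", DEMO_SECRET))
```

The same structure applies to the other methods on the list: whatever the credential (password, certificate, HTTP callback verdict, per-device secret), the broker must validate it before reading anything the client asserts about itself, and should bind the result to the client ID used in CONNECT.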
Authorization
TDMQ for MQTT supports fine-grained authorization policies that match on username, client ID, topic, client IP address, and action (connect, publish, or subscribe). Once authorization policy management is enabled, each time an MQTT client connects, publishes, or subscribes, the server queries the authorization data source, matches the retrieved access control rules against the requested action, and allows or denies the action based on the result.
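As an added example (not TDMQ for MQTT's own implementation or rule format), the evaluator below shows what such a policy lookup has to get right: MQTT topic-filter matching with `+` and `#`, refusing wildcard matches on `$`-prefixed system topics, checking the client IP against a CIDR, first-match semantics, and default deny when no rule matches. The rule fields, the sample rule set and the client identities are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    effect: str              # "allow" or "deny"
    action: str              # "connect", "publish", "subscribe" or "*"
    username: str = "*"      # "*" matches any username
    client_id: str = "*"     # "*" matches any client ID
    topic: str = "#"         # MQTT topic filter; ignored for "connect"
    ip: str = "0.0.0.0/0"    # CIDR the client address must fall into


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, a trailing '#' matches the
    rest (including zero levels). Wildcards never match '$' system topics."""
    if topic.startswith("$") and filter_[:1] in ("+", "#"):
        return False
    f = filter_.split("/")
    t = topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1       # '#' is only valid as the last level
        if i >= len(t):
            return False
        if part != "+" and part != t[i]:
            return False
    return len(f) == len(t)


def rule_matches(rule: Rule, action: str, username: str, client_id: str,
                 ip: str, topic: str) -> bool:
    if rule.action not in ("*", action):
        return False
    if rule.username not in ("*", username):
        return False
    if rule.client_id not in ("*", client_id):
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule.ip, strict=False):
        return False
    # For subscribe, `topic` is the client's requested filter and is compared
    # literally against the rule filter, so a request broader than the rule
    # (e.g. "devices/#" against "devices/+/telemetry") does not match.
    if action != "connect" and not topic_matches(rule.topic, topic):
        return False
    return True


def authorize(rules: List[Rule], action: str, username: str, client_id: str,
              ip: str, topic: str = "") -> bool:
    """First matching rule decides; no matching rule means deny."""
    for rule in rules:
        if rule_matches(rule, action, username, client_id, ip, topic):
            return rule.effect == "allow"
    return False


# Constructed sample policy for a device, an operator and a read-only dashboard.
DEMO_RULES = [
    # Operators may read broker system topics; nobody else can (wildcards never
    # reach "$SYS/..." and no other rule names it).
    Rule("allow", "subscribe", username="ops", topic="$SYS/#"),
    # sensor-42 may connect only from the device subnet, publish only its own
    # telemetry and subscribe only to its own command topic.
    Rule("allow", "connect", client_id="sensor-42", ip="10.0.0.0/24"),
    Rule("allow", "publish", client_id="sensor-42", topic="devices/sensor-42/telemetry"),
    Rule("allow", "subscribe", client_id="sensor-42", topic="devices/sensor-42/cmd"),
    # The dashboard account may read every device's telemetry but publish nothing.
    Rule("allow", "connect", username="dashboard"),
    Rule("allow", "subscribe", username="dashboard", topic="devices/+/telemetry"),
]


if __name__ == "__main__":
    print(authorize(DEMO_RULES, "publish", "dev", "sensor-42", "10.0.0.7",
                    "devices/sensor-42/telemetry"))   # True
    print(authorize(DEMO_RULES, "publish", "dev", "sensor-42", "10.0.0.7",
                    "devices/sensor-43/telemetry"))   # False: another device's topic
```

Two design points carry over to any deployment: default deny, so that a missing or misloaded rule set fails closed rather than open, and per-device scoping of publish and subscribe topics, so that a compromised device cannot read or spoof another device's traffic.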