CloudStack controls compute, network, and storage resources. Treat management plane security as high impact infrastructure security.
- Keep CloudStack management servers on dedicated admin networks.
- Block public access to API endpoints unless absolutely required.
- Place hypervisor management interfaces on separate private VLANs.
¶ API and Account Security
- Enforce strong API key handling and periodic key rotation.
- Use role-based access for domain admins and operators.
- Enable MFA/SSO integration where available.
¶ Database and Message Bus Protection
- Restrict CloudStack DB and messaging components to internal hosts.
- Enforce TLS where supported between components.
- Backup and encrypt CloudStack metadata databases.
- Patch KVM/Xen/VMware hosts regularly.
- Lock down host SSH and management services.
- Enforce secure templates and image provenance controls.
¶ Logging and Monitoring
- Centralize API, management server, and hypervisor logs.
- Alert on privilege changes, suspicious API bursts, and failed logins.
- Retain logs for forensic investigation.