diff --git a/NEWS b/NEWS
index 767d692798..7fd1d5fe29 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,7 @@ Overview of changes since NetworkManager-1.44
 * Limit number of exported IP addresses/routes on D-Bus to 100 to reduce performance cost. Also, D-Bus updates for addresses/routes are now rate limited to 3 per second.
+* cloud-setup: enable more sandboxing options in systemd service file.
 =============================================
 NetworkManager-1.44
diff --git a/src/nm-cloud-setup/nm-cloud-setup.service.in b/src/nm-cloud-setup/nm-cloud-setup.service.in
index a2b4581f39..e73654d892 100644
--- a/src/nm-cloud-setup/nm-cloud-setup.service.in
+++ b/src/nm-cloud-setup/nm-cloud-setup.service.in
@@ -22,22 +22,30 @@ ExecStart=@libexecdir@/nm-cloud-setup
 #Environment=NM_CLOUD_SETUP_ALIYUN=yes
 CapabilityBoundingSet=
+KeyringMode=private
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectProc=invisible
 ProtectSystem=strict
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+
+DevicePolicy=closed
+PrivateNetwork=no
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=@system-service
 [Install]
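Review bot: The three options regrouped at the end of the hunk (`DevicePolicy=closed`, `PrivateNetwork=no`, `RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6`) read as the deliberate holes in the sandbox, but nothing says why they stay open, and `PrivateNetwork=no` is already the systemd default, so its only value is as documentation that a future "tighten everything" pass would otherwise undo. I would put a comment above that group, e.g. `# Deliberately left open: nm-cloud-setup needs IP networking to reach the cloud metadata service and AF_UNIX (presumably for D-Bus); PrivateNetwork=no is the default and is listed so nobody flips it.`. systemd documents several of the newly added knobs (`PrivateUsers=`, `ProtectProc=`, the seccomp-based `SystemCallArchitectures=`) as best-effort where the kernel, seccomp or a container runtime lacks support, so a second comment stating that this list is defence in depth and that `systemd-analyze security nm-cloud-setup.service` shows what is actually applied on a host would save the next reader from assuming the sandbox is guaranteed. If the metadata endpoints are fixed link-local addresses, an `IPAddressDeny=any` / `IPAddressAllow=` pair would narrow the remaining network surface further, but I have not verified the endpoints the providers use here, so confirm against the provider code before adding it. The `[Service]` section this hunk belongs to starts before the hunk (only `ExecStart=` is visible in the hunk header).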