Log in to the IAM console using a Huawei Cloud account or as an IAM user, locate the IAM user that the target instance belongs to, and add it to the user group created in 3. The IAM user will inherit permissions of the user group.
If your HUAWEI ID does not need individual IAM users for permissions management, skip this section. IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.
Log in to the IAM console using a Huawei Cloud account or an IAM account, locate the IAM user that the target instance belongs to, and add it to the user group created in 2. The IAM user will inherit permissions of the user group.
IAM Policies Are in Use; All IAM Roles Are in Use; Login Protection Check; IAM Agencies Contain Specified Policies; The Admin User Group Only Contains the Root User; IAM Users Do Not Have Directly Assigned Policies or Permissions. Parent topic: Built-In Policies
Access Control You can use IAM to control access to your CBR resources. Table 1 CBR access control Method Description Reference Permissions management IAM permissions IAM permissions define which actions are allowed or denied on your cloud resources.
access-analyzer-verified If an IAM policy allows any blocked actions on KMS keys, this policy is noncompliant. iam-group-has-users-check iam If an IAM user group has no user, this user group is noncompliant. iam-password-policy iam If the password of an IAM user does not meet the
Critical Operations Administrator: Full access IAM users: Read-only access Login Authentication Policy Administrator: Full access IAM users: Read-only access Password Policy Administrator: Full access IAM users: Read-only access ACL Administrator: Full access IAM users: Read-only
If there is a blocked action for KMS in an IAM policy, this policy is noncompliant. iam-password-policy iam If the password of an IAM user does not meet the password strength requirements, this IAM user is noncompliant. iam-policy-no-statements-with-admin-access iam If an IAM policy
Built-in lightweight identity management system (IAM) or integrated with an external IAM to provide unified identity management and provisioning. Users can access the system with a unified identity token.
You must obtain the authentication information from Huawei Cloud Identity and Access Management (IAM) before you can access EVS. For details about IAM authentication, see Authentication. Access Control You can use IAM to securely control access to your EVS resources.
Inherit permissions from user groups: Add the IAM user to certain groups with the DRS FullAccess permission to make the user inherit their permissions. Select permissions: Directly assign the DRS FullAccess permission to the IAM user.
If the authorization scope is set to IAM projects only, the custom policy will take effect only for user groups in IAM projects.
For details, see Changing the Login Password of an IAM User. Rule Logic If an IAM user does not have a password configured, this user is compliant. If an IAM user is in the disabled state, this user is compliant.
If a master account only grants the OCR ReadOnlyAccess permission or no permission at all to an IAM user, only the master account (or IAM users with the OCR FullAccess permission) can subscribe to OCR services for that IAM user.
IAM user name Yes Name of the IAM user created by your Huawei Cloud account or HUAWEI ID. To view an IAM username, see Obtaining IAM User Information.
IAM users can then be assigned permissions to access only specific resources in the subprojects. Create an IAM project. Figure 1 IAM projects Enterprise projects group and manage resources across regions. Resources in enterprise projects are logically isolated from each other.
Rule Logic If an IAM user is in the disabled state, this user is compliant. If an IAM user is not allowed to access the management console, this user is compliant. If an enabled IAM user who is allowed to access the management console has MFA enabled, this user is compliant.
Users Querying the MFA Device Information of an IAM User Listing Login Protection Configurations of IAM Users Querying the Login Protection Configuration of an IAM User Modifying the Login Protection Configuration of an IAM User Binding a Virtual MFA Device Unbinding a Virtual MFA
this rule is noncompliant. 3.3 iam-user-group-membership-check iam If an IAM user is not in any of the specified IAM user groups, this user is noncompliant. 3.3 iam-user-last-login-check iam If an IAM user does not log in to the system within the specified time range, this user