With this rule, you can detect IAM policies that allow blocked actions on KMS keys, preventing unintended data encryption and decryption.
Solution: You can modify noncompliant IAM policies based on the evaluation results.
All IAM Roles Are in Use
Rule Details (Table 1 Rule details)
Rule Name: iam-role-in-use
Identifier: iam-role-in-use
Description: If an IAM role has not been attached to any IAM users, user groups, or agencies, this role is noncompliant.
All IAM Policies Are in Use
Rule Details (Table 1 Rule details)
Rule Name: iam-policy-in-use
Identifier: iam-policy-in-use
Description: If an IAM policy has not been attached to any IAM users, user groups, or agencies, this policy is noncompliant.
If an enabled IAM user has been added to at least one user group, and no user groups are specified, this IAM user is compliant. If an enabled IAM user has not been added to any user groups, and no user groups are specified, this IAM user is noncompliant.
For more details, see Assigning Agency Permissions to an IAM User.
Rule Logic: If an IAM agency does not contain all the specified policies and roles, this agency is noncompliant. If an IAM agency contains all the specified policies and roles, this agency is compliant.
Rule Logic: If an IAM user has any directly assigned policies or permissions, the IAM user is noncompliant. If an IAM user has no directly assigned policies or permissions, the IAM user is compliant.
ECSs Have IAM Agencies Attached
Rule Details (Table 1 Rule details)
Rule Name: ecs-instance-agency-attach-iam-agency
Identifier: ECSs Have IAM Agencies Attached
Description: If an ECS does not have any IAM agencies attached, this ECS is noncompliant.
IAM Identity Center
IdP Certificate Validity Check
SCIM Token Validity Check
To perform these operations, you need the related IAM agencies, which are listed below. To create IAM agencies, you need the iam:agencies:createAgency and iam:permissions:grantRoleToAgency permissions.
Tag: iam
Trigger Type: Configuration change
Filter Type: iam.roles, iam.policies
Configure Rule Parameters: None
Applicable Scenario: This rule allows you to ensure that your IAM users or agencies do not have unintended permissions attached.
Rule Logic: If an IAM user is disabled, this user is compliant. If an enabled IAM user has only one active access key, this IAM user is compliant.
An IAM policy whose action element is set to *:*:*, *:*, or * poses a high security risk.
Solution: The administrator can modify noncompliant IAM policies or roles. For more details, see Modifying or Deleting a Custom Policy.
Applicable Scenario: This rule allows you to ensure that only intended permissions are assigned to an IAM user, a user group, or an IAM agency. For more details, see Grant Least Privilege.
For details about the differences between IAM and enterprise projects, see What Are the Differences Between IAM and Enterprise Management?
Applicable Scenario: This rule helps you identify idle IAM users to improve account security.
Solution: You can log in to the Huawei Cloud console as the noncompliant IAM users, or delete these users as needed. For more details, see Logging In as an IAM User and Deleting an IAM User.
IAM is a global service. You can create an IAM user using the endpoint of IAM in any region.
Solution: You can allow IAM users to access cloud services either programmatically or through the console. Ensure that an IAM user does not have both a password and an access key.
Rule Logic: If an IAM user is disabled, this user is compliant.
Solution: You can enable login protection for the noncompliant IAM users. For more details, see Login Protection.
Rule Logic: If an IAM user is disabled, this user is compliant. If an enabled IAM user has MFA enabled, this user is compliant.