检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
Rule Logic If an IAM user is disabled, this user is compliant. If an IAM user is enabled and has MFA enabled, this user is compliant. If an IAM user is enabled, but does not have MFA enabled, this user is noncompliant. Parent topic: Identity and Access Management
C.CS.FOUNDATION.G_1.R_12 Avoiding setting access keys for users with console passwords when setting initial iam users iam-user-console-and-api-access-at-creation iam If an IAM user can access the Huawei Cloud console and has AK/SK that was created when the IAM user was created, this
For more details, see Adding Users to or Removing Users from a User Group Rule Logic If an IAM user group has no users, this user group is noncompliant. If an IAM user group has one or more users, this user group is compliant. Parent topic: Identity and Access Management
If an IAM user group has no user, this user group is noncompliant. iam-user-last-login-check iam If an IAM user does not log in to the system within the specified time range, this user is non-compliant. volume-unused-check evs If an EVS disk is not mounted to any cloud server, this
CRY-01 iam-password-policy Set thresholds for IAM user password strength. IDM-09 iam-user-mfa-enabled Enable MFA for all IAM users to prevent account theft. IDM-09 mfa-enabled-for-iam-console-access Enable MFA for all IAM users who can access Huawei Cloud management console.
The following shows part of the response body for the API used to create an IAM user. { "user": { "id": "c131886aec...
user password strength. 4.1 access-keys-rotated Enable key rotation. 4.2 iam-user-mfa-enabled Enable MFA for all IAM users to prevent account theft. 4.2 mfa-enabled-for-iam-console-access Enable MFA for all IAM users who can access Huawei Cloud management console.
Tag iam Trigger Type Periodic Filter Type Account Configure Rule Parameters None Applicable Scenario To enhance account security, you are advised to only use the password to log in to the console. Do not create access keys for your root user.
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management. User An IAM user is created by an account through IAM to use cloud services. Each IAM user has its own identity credentials (password and access keys).
If the message "Failed to write the ConfigWritabilityCheckFile file to the OBS bucket because the OBS bucket or the IAM agency is invalid" is displayed, the possible reasons are as follows: The IAM agency assigned to the resource recorder does not contain the permission, obs:object
Configuring the Resource Recorder When creating a conformance package, you can use IAM for custom authorization.
Configure Rule Parameters 90 Number of days during which an IAM user has not logged in the system. The default value is 90. If an IAM user does not log in to the system within the specified period of time, this user is noncompliant.
user name "password": "********", // IAM user password "domain": { "name": "domainname" // Name of the account to which the IAM user belongs } } } },
C.CS.FOUNDATION.G_1.R_14 Ensuring that no iam policy is created to allow the *:* permissions iam-policy-no-statements-with-admin-access iam If a custom policy or role allows all actions (with the action element set to *:*:*, *:*, or *) for all cloud services, this policy or role is
Elastic Cloud Server Flavor Check Image Check Image Check by Tag Security Group Check by ID VPC Check by ID ECSs Have Key Pairs Attached ECSs Cannot Be Accessed Through Public Networks An ECS Does Not Have Multiple EIPs Attached Idle ECS Check ECSs Have IAM Agencies Attached Image
Applicable Scenario This example uses the access-keys-rotated rule to see if all IAM users in an account have their access keys rotated within a specified time. Some IAM users may be detected noncompliant as shown in the following picture. Step 1: Create a Rule.
Resource Recorder Permission API Action IAM Project Enterprise Project Querying the resource recorder GET /v1/resource-manager/domains/{domain_id}/tracker-config rms:trackerConfig:get √ x Creating or modifying the resource recorder PUT /v1/resource-manager/domains/{domain_id}/tracker-config
Table 4 resource Parameter Type Description id String Resource ID. name String Resource name. provider String Service name. type String Resource type. region_id String The ID of the region where the resource resides. project_id String IAM project ID. project_name String IAM project
Policies Are in Use Configuration change iam.policies All IAM Roles Are in Use Configuration change iam.roles Login Protection Check Periodic iam.users IAM Agencies Contain Specified Policies Configuration change iam.agencies The Admin User Group Only Contains the Root User Configuration
evs If a mounted EVS disk is not encrypted, this disk is noncompliant. ecs-attached-hss-agents-check ecs If an ECS does not have an HSS agent installed or the protection mode enabled, this ECS is noncompliant. ecs-instance-agency-attach-iam-agency ecs If an ECS does not have any IAM
