Rule Logic: If an IAM user is in the disabled state, this user is compliant. If an IAM user is not allowed to access the management console, this user is compliant. If an enabled IAM user who is allowed to access the management console has MFA enabled, this user is compliant. If an enabled IAM user who is allowed to access the management console does not have MFA enabled, this user is noncompliant.
this rule is noncompliant.
3.3 iam-user-group-membership-check (iam): If an IAM user is not in any of the specified IAM user groups, this user is noncompliant.
3.3 iam-user-last-login-check (iam): If an IAM user does not log in to the system within the specified time range, this user
Rule Logic: If an IAM user is the root user, this user is compliant. If an IAM user is disabled, this user is compliant. If a non-root IAM user in the enabled state has been added to the admin user group, this user is noncompliant.
If the password of an IAM user does not meet the password strength requirements, this IAM user is noncompliant.
iam-user-last-login-check (iam): If an IAM user does not log in to the system within the specified time range, the result is noncompliant.
iam-user-mfa-enabled (iam): If multi-factor
Rule Logic: If an IAM user does not have an access key, the check result is compliant. If the access key of an IAM user has been used within the specified period, the check result is compliant.
", "description": "An IAM user is noncompliant if it does not belong to any IAM user group
Rule Logic: If an IAM user is disabled, this user is compliant. If an IAM user is enabled and has MFA enabled, this user is compliant. If an IAM user is enabled but does not have MFA enabled, this user is noncompliant. Parent topic: Identity and Access Management
C.CS.FOUNDATION.G_1.R_12: Avoid setting access keys for users with console passwords when creating initial IAM users. Rule: iam-user-console-and-api-access-at-creation (iam). If an IAM user can access the Huawei Cloud console and has an AK/SK that was created when the IAM user was created, this
For more details, see Adding Users to or Removing Users from a User Group. Rule Logic: If an IAM user group has no users, this user group is noncompliant. If an IAM user group has one or more users, this user group is compliant.
If an IAM user group has no user, this user group is noncompliant.
iam-user-last-login-check (iam): If an IAM user does not log in to the system within the specified time range, this user is noncompliant.
volume-unused-check (evs): If an EVS disk is not mounted to any cloud server, this
CRY-01 iam-password-policy: Set thresholds for IAM user password strength.
IDM-09 iam-user-mfa-enabled: Enable MFA for all IAM users to prevent account theft.
IDM-09 mfa-enabled-for-iam-console-access: Enable MFA for all IAM users who can access the Huawei Cloud management console.
The following shows part of the response body for the API used to create an IAM user. { "user": { "id": "c131886aec...
user password strength.
4.1 access-keys-rotated: Enable key rotation.
4.2 iam-user-mfa-enabled: Enable MFA for all IAM users to prevent account theft.
4.2 mfa-enabled-for-iam-console-access: Enable MFA for all IAM users who can access the Huawei Cloud management console.
This section uses the built-in policy IAM User Last Login Check as an example to describe how to detect inactive IAM users. This policy helps reduce the number of idle users and the risk of password leakage, for enhanced account security.
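The rule logic quoted on this page for the MFA, admin-group, unused-access-key, group-membership, last-login and group-has-users checks is short enough to implement locally, which is useful when you want to pre-check an inventory before Config evaluates it, or to reason about who ends up noncompliant and why. The following is an added example written for this page; it is not Huawei Cloud code and does not call any Huawei Cloud API. The user records, group names, idle-day thresholds and the rule names `iam-user-admin-group-check`, `iam-user-access-key-unused` and `iam-group-has-users-check` are assumptions for illustration (the page names only the other rules), and the handling of a user or key that has never been used is an assumption the page does not state.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real Huawei Cloud API output). The field
# names are an assumption for this example; a real check would build these
# records from the IAM user, user-group and access-key APIs.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

USERS = [
    {"name": "root-account", "is_root": True, "enabled": True, "console_access": True,
     "mfa_enabled": False, "groups": ["admin"], "access_keys": [],
     "last_login": NOW - timedelta(days=2)},
    {"name": "alice", "is_root": False, "enabled": True, "console_access": True,
     "mfa_enabled": True, "groups": ["admin"], "access_keys": [],
     "last_login": NOW - timedelta(days=1)},
    {"name": "bob", "is_root": False, "enabled": True, "console_access": True,
     "mfa_enabled": False, "groups": ["developers"],
     "access_keys": [{"id": "AK-bob-1", "last_used": NOW - timedelta(days=120)}],
     "last_login": NOW - timedelta(days=100)},
    {"name": "svc-backup", "is_root": False, "enabled": True, "console_access": False,
     "mfa_enabled": False, "groups": [],
     "access_keys": [{"id": "AK-svc-1", "last_used": NOW - timedelta(days=3)}],
     "last_login": None},
    {"name": "carol", "is_root": False, "enabled": False, "console_access": True,
     "mfa_enabled": False, "groups": ["admin"], "access_keys": [],
     "last_login": NOW - timedelta(days=400)},
]
GROUPS = ["admin", "developers", "auditors"]

COMPLIANT, NONCOMPLIANT = "compliant", "noncompliant"


def mfa_enabled_for_iam_console_access(user):
    # Disabled users and users without console access are compliant by definition.
    if not user["enabled"] or not user["console_access"]:
        return COMPLIANT
    return COMPLIANT if user["mfa_enabled"] else NONCOMPLIANT


def iam_user_mfa_enabled(user):
    # Stricter variant: every enabled user needs MFA, console access or not.
    if not user["enabled"]:
        return COMPLIANT
    return COMPLIANT if user["mfa_enabled"] else NONCOMPLIANT


def iam_user_admin_group_check(user, admin_group="admin"):
    # The root user and disabled users are compliant; any other enabled user
    # that sits in the admin group is flagged.
    if user["is_root"] or not user["enabled"]:
        return COMPLIANT
    return NONCOMPLIANT if admin_group in user["groups"] else COMPLIANT


def iam_user_access_key_unused(user, now=NOW, max_idle_days=90):
    # No keys: compliant. Otherwise every key must have been used inside the
    # window. A key with no recorded use is treated as unused (assumption).
    cutoff = now - timedelta(days=max_idle_days)
    for key in user["access_keys"]:
        if key["last_used"] is None or key["last_used"] < cutoff:
            return NONCOMPLIANT
    return COMPLIANT


def iam_user_group_membership_check(user, required_groups):
    # Noncompliant when the user is in none of the specified groups.
    return COMPLIANT if set(user["groups"]) & set(required_groups) else NONCOMPLIANT


def iam_user_last_login_check(user, now=NOW, max_idle_days=90):
    # A user who has never logged in is treated like one who is overdue (assumption).
    cutoff = now - timedelta(days=max_idle_days)
    if user["last_login"] is None or user["last_login"] < cutoff:
        return NONCOMPLIANT
    return COMPLIANT


def iam_group_has_users_check(group, users):
    return COMPLIANT if any(group in u["groups"] for u in users) else NONCOMPLIANT


def evaluate(users=USERS, groups=GROUPS, required_groups=("admin", "developers", "auditors")):
    """Return {rule: {resource_name: result}} for the user-level and group-level rules."""
    user_rules = {
        "mfa-enabled-for-iam-console-access": mfa_enabled_for_iam_console_access,
        "iam-user-mfa-enabled": iam_user_mfa_enabled,
        "iam-user-admin-group-check": iam_user_admin_group_check,    # name assumed
        "iam-user-access-key-unused": iam_user_access_key_unused,    # name assumed
        "iam-user-group-membership-check": lambda u: iam_user_group_membership_check(u, required_groups),
        "iam-user-last-login-check": iam_user_last_login_check,
    }
    report = {rule: {u["name"]: fn(u) for u in users} for rule, fn in user_rules.items()}
    report["iam-group-has-users-check"] = {g: iam_group_has_users_check(g, users) for g in groups}
    return report


def noncompliant_resources(report):
    """Flatten the report to sorted (rule, resource) pairs that need attention."""
    return sorted((rule, name) for rule, results in report.items()
                  for name, result in results.items() if result == NONCOMPLIANT)


if __name__ == "__main__":
    for rule, name in noncompliant_resources(evaluate()):
        print(f"{rule}: {name}")
```

Running it against the constructed inventory shows the difference between the two MFA rules: the service user `svc-backup` has no console access, so it passes `mfa-enabled-for-iam-console-access` but fails `iam-user-mfa-enabled`, while the disabled user `carol` passes every MFA and admin-group check even though she sits in the admin group with no MFA. That is exactly why a disabled account should be deleted rather than left around: it stays "compliant" right up until someone re-enables it.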
Tag: iam
Trigger Type: Periodic
Filter Type: Account
Rule Parameters: None
Application Scenarios: To enhance account security, you are advised to log in to the console with a password only. Do not create access keys for your root user.
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management. User: An IAM user is created by an account through IAM to use cloud services. Each IAM user has its own identity credentials (password and access keys).
If the message "Failed to write the ConfigWritabilityCheckFile file to the OBS bucket because the OBS bucket or the IAM agency is invalid" is displayed, the possible reasons are as follows: The IAM agency assigned to the resource recorder does not contain the permission, obs:object
Configuring the Resource Recorder When creating a conformance package, you can use IAM for custom authorization.
C.CS.FOUNDATION.G_1.R_14: Ensure that no IAM policy is created that allows the *:* permissions. Rule: iam-policy-no-statements-with-admin-access (iam). If a custom policy or role allows all actions (with the Action element set to *:*:*, *:*, or *) for all cloud services, this policy or role is
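The wildcard test behind iam-policy-no-statements-with-admin-access is easy to get subtly wrong (a `Deny` of `*:*:*` is harmless, a single-service wildcard such as `obs:*:*` is broad but is not what this rule flags, and the Action element may be a string or a list). The following is an added example, not Huawei Cloud code: it applies the three wildcard forms named above to `Allow` statements only, over constructed policy documents written in the `"Version": "1.1"` custom-policy layout. The policy names and statements are made up for illustration, and the check looks only at the Action element, as the rule text does, not at Resource or Condition.

```python
import json

# The three forms the rule text names as "all actions for all cloud services".
ADMIN_ACTION_WILDCARDS = {"*:*:*", "*:*", "*"}


def statement_actions(statement):
    # "Action" may be a single string or a list; normalise to a list.
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def statement_allows_all_actions(statement):
    # Only Allow statements grant anything; a Deny of "*" is not admin access.
    if statement.get("Effect") != "Allow":
        return False
    return any(action.strip() in ADMIN_ACTION_WILDCARDS
               for action in statement_actions(statement))


def policy_has_admin_access(policy):
    """True when any Allow statement grants every action on every service."""
    return any(statement_allows_all_actions(s) for s in policy.get("Statement", []))


def check_policies(policies):
    """Map policy name -> compliance result for a dict of name -> JSON document."""
    return {name: ("noncompliant" if policy_has_admin_access(json.loads(doc)) else "compliant")
            for name, doc in policies.items()}


# Constructed sample policy documents (not taken from a real account).
SAMPLE_POLICIES = {
    "ecs-readonly": json.dumps({"Version": "1.1", "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*:get*", "ecs:*:list*"]}]}),
    # All actions on one service: broad, but not flagged by this rule.
    "obs-full": json.dumps({"Version": "1.1", "Statement": [
        {"Effect": "Allow", "Action": ["obs:*:*"]}]}),
    "everything": json.dumps({"Version": "1.1", "Statement": [
        {"Effect": "Allow", "Action": ["*:*:*"]}]}),
    # Deny of everything is not admin access.
    "deny-everything": json.dumps({"Version": "1.1", "Statement": [
        {"Effect": "Deny", "Action": ["*:*:*"]}]}),
    # Harmless first statement, bare "*" as a string in the second.
    "mixed": json.dumps({"Version": "1.1", "Statement": [
        {"Effect": "Allow", "Action": ["iam:users:listUsers"]},
        {"Effect": "Allow", "Action": "*"}]}),
}


if __name__ == "__main__":
    for name, result in check_policies(SAMPLE_POLICIES).items():
        print(f"{name}: {result}")
```

Note that `obs-full` comes back compliant: the rule is about unrestricted access across all services, so a per-service `service:*:*` grant still needs a separate review even though this check passes it.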
For details about the relationship between IAM identities and operators and the operator username format, see Relationship Between IAM Identities and Operators.