user name
"password": "********", // IAM user password
"domain": {
"name": "domainname" // Name of the account to which the IAM user belongs
}
}
}
},
Applicable Scenario: This example uses the access-keys-rotated rule to check whether all IAM users in an account have rotated their access keys within a specified period. Some IAM users may be reported as noncompliant, as shown in the following picture. Step 1: Create a Rule.
IAM Agency: When you select the automatic method and an RFS template, an IAM agency is required to grant the permissions for RFS to deploy resource stacks and modify resource configurations.
Check Image Check by Tag Security Group Check by ID Number of ECS vCPUs ECS Instances Are in the Specified VPC ECSs Have Key Pairs Attached ECS Memory Size ECSs Cannot Be Accessed Through Public Networks ECS Status Check An ECS Must Have No More Than One EIP Idle ECS Check ECSs Have IAM
Resource Recorder
Permission | API | Action | IAM Project | Enterprise Project
Querying the resource recorder | GET /v1/resource-manager/domains/{domain_id}/tracker-config | rms:trackerConfig:get | √ | x
Creating or modifying the resource recorder | PUT /v1/resource-manager/domains/{domain_id}/tracker-config
Table 4 resource
Parameter | Type | Description
id | String | Resource ID.
name | String | Resource name.
provider | String | Service name.
type | String | Resource type.
region_id | String | The ID of the region where the resource resides.
project_id | String | IAM project ID.
project_name | String | IAM project
evs | If a mounted EVS disk is not encrypted, this disk is noncompliant.
ecs-attached-hss-agents-check | ecs | If an ECS does not have an HSS agent installed or the protection mode enabled, this ECS is noncompliant.
ecs-instance-agency-attach-iam-agency | ecs | If an ECS does not have any IAM
Certificate Manager Distributed Message Service for Kafka Distributed Message Service for RabbitMQ Distributed Message Service for RocketMQ Organizations Cloud Firewall Cloud Backup and Recovery Object Storage Service Image Management Service Bare Metal Server Graph Engine Service IAM
for all non-console access into the CDE for personnel with administrative access. iam-user-mfa-enabled Enable MFA for all IAM users.
Policies Are in Use | Configuration change | iam.policies
All IAM Roles Are in Use | Configuration change | iam.roles
Login Protection Check | Periodic | iam.users
IAM Agencies Contain Specified Policies | Configuration change | iam.agencies
The Admin User Group Only Contains the Root User | Configuration
Tag: iam
Trigger Type: Periodic
Filter Type: Account
Configure Rule Parameters: None
Applicable Scenario: Multi-factor authentication (MFA) adds an additional layer of security protection on top of the identity credentials for an account.
String | Specifies the resource ID.
name | String | Specifies the resource name.
provider | String | Specifies the cloud service name.
type | String | Specifies the cloud resource type.
region_id | String | Specifies the ID of the region where the resource is located.
project_id | String | Specifies the IAM
For example, IAM is not supposed to report secret access keys (SKs) to Config, and Config will not display SK data. Why Some Tags Cannot Be Used to Perform Operations (For Example, Filtering Resources) on Config?
Resource Tag Permissions
Permission | API | Action | Dependencies | IAM Project | Enterprise Project
Listing resources | POST /v1/resource-manager/{resource_type}/resource-instances/filter | rms:resources:listResourcesByTag | - | √ | x
Querying the number of resources | POST /v1/resource-manager/{resource_type}/resource-instances
For example: All IAM user names must start with hw_user_. All ECSs tagged with prod must have "Do-Not-Delete" in their names. Solution: Name resources according to a convention to facilitate routine resource management.
Advanced Queries Permissions
Permission | API | Action | IAM Project | Enterprise Project
Running advanced queries | POST /v1/resource-manager/domains/{domain_id}/run-query | rms:resources:runQuery | √ | x
Creating an advanced query | POST /v1/resource-manager/domains/{domain_id}/stored-queries | rms:storedQueries
Compliance
Permission | API | Action | Dependencies | IAM Project | Enterprise Project
Querying all built-in policies | GET /v1/resource-manager/policy-definitions | rms:policyDefinitions:get | - | √ | x
Querying a built-in policy | GET /v1/resource-manager/policy-definitions/{policy_definition_id} | rms
1667374060248,
"evaluation_hash" : "89342b8f338165651991afb8bd471396"
}
Example Responses
Status code: 200
Operation succeeded.
{
"domain_id" : "d0123456789",
"region_id" : "global",
"resource_id" : "abc0123456789",
"resource_name" : "test_user",
"resource_provider" : "iam
Guideline | Description | Rule | Solution
I-2 | Depending on the cloud deployment model adopted, these may include multi-tenancy risks, as well as those concerning concentration risk and supply chain risks more generally. | iam-group-has-users-check | Assign different permissions to IAM users
For details about how to obtain an account ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.