user password strength. 4.1 access-keys-rotated Enable key rotation. 4.2 iam-user-mfa-enabled Enable MFA for all IAM users to prevent account theft. 4.2 mfa-enabled-for-iam-console-access Enable MFA for all IAM users who can access Huawei Cloud management console.
This section uses the built-in policy for IAM user Last Login Check as an example to describe how to detect inactive IAM users. This policy can help reduce idle users and password leakage risks for enhanced account security.
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management. User An IAM user is created by an account through IAM to use cloud services. Each IAM user has its own identity credentials (password and access keys).
Tag iam Trigger Type Periodic Filter Type Account Rule Parameters None Application Scenarios To enhance account security, you are advised to only use the password to log in to the console. Do not create access keys for your root user.
If the message "Failed to write the ConfigWritabilityCheckFile file to the OBS bucket because the OBS bucket or the IAM agency is invalid" is displayed, the possible reasons are as follows: The IAM agency assigned to the resource recorder does not contain the permission, obs:object
Configuring the Resource Recorder When creating a conformance package, you can use IAM for custom authorization.
C.CS.FOUNDATION.G_1.R_14 Ensuring that no iam policy is created to allow the *:* permissions iam-policy-no-statements-with-admin-access iam If a custom policy or role allows all actions (with the action element set to *:*:*, *:*, or *) for all cloud services, this policy or role is
For details about the relationship between IAM identities and operators and the operator username format, see Relationship Between IAM Identities and Operators.
Applicable Scenario This example uses the access-keys-rotated rule to check whether all IAM users in an account have had their access keys rotated within a specified time. Some IAM users may be detected as noncompliant, as shown in the following picture. Step 1: Create a Rule.
IAM Agency: When you select the automatic method and an RFS template, an IAM agency is required to grant the permissions for RFS to deploy resource stacks and modify resource configurations.
Check Image Check by Tag Security Group Check by ID Number of ECS vCPUs ECS Instances Are in the Specified VPC ECSs Have Key Pairs Attached ECS Memory Size ECSs Cannot Be Accessed Through Public Networks ECS Status Check An ECS Must Have No More Than One EIP Idle ECS Check ECSs Have IAM
Resource Recorder Permission API Action IAM Project Enterprise Project Querying the resource recorder GET /v1/resource-manager/domains/{domain_id}/tracker-config rms:trackerConfig:get √ x Creating or modifying the resource recorder PUT /v1/resource-manager/domains/{domain_id}/tracker-config
Table 4 resource Parameter Type Description id String Resource ID. name String Resource name. provider String Service name. type String Resource type. region_id String The ID of the region where the resource resides. project_id String IAM project ID. project_name String IAM project
evs If a mounted EVS disk is not encrypted, this disk is noncompliant. ecs-attached-hss-agents-check ecs If an ECS does not have an HSS agent installed or the protection mode enabled, this ECS is noncompliant. ecs-instance-agency-attach-iam-agency ecs If an ECS does not have any IAM
Certificate & Manager Distributed Message Service for Kafka Distributed Message Service for RabbitMQ Distributed Message Service for RocketMQ Organizations Cloud Firewall Cloud Backup and Recovery Object Storage Service Image Management Service Bare Metal Server Graph Engine Service IAM
for all non-console access into the CDE for personnel with administrative access. iam-user-mfa-enabled Enable MFA for all IAM users.
Policies Are in Use Configuration change iam.policies All IAM Roles Are in Use Configuration change iam.roles Login Protection Check Periodic iam.users IAM Agencies Contain Specified Policies Configuration change iam.agencies The Admin User Group Only Contains the Root User Configuration
Tag iam Trigger Type Periodic Filter Type Account Configure Rule Parameters None Applicable Scenario Multi-factor authentication (MFA) adds an additional layer of security protection on top of the identity credentials for an account.
Resource Tag Permission API Action Dependencies IAM Project Enterprise Project Listing resources POST /v1/resource-manager/{resource_type}/resource-instances/filter rms::listResourcesByTag - √ x Querying the number of resources POST /v1/resource-manager/{resource_type}/resource-instances
String Specifies the resource ID. name String Specifies the resource name. provider String Specifies the cloud service name. type String Specifies the cloud resource type. region_id String Specifies the ID of the region where the resource is located. project_id String Specifies the IAM