For example, IAM is not supposed to report secret access keys (SKs) to Config, and Config will not display SK data.
Why Some Tags Cannot Be Used to Perform Operations (For Example, Filtering Resources) on Config?
For example: All IAM user names must start with hw_user_. All ECSs that are tagged by prod must have "Do-Not-Delete" in their names.
Solution: Name resources in compliance with a convention to facilitate routine resource management.
Advanced Queries Permissions API Action IAM Project Enterprise Project Running advanced queries POST /v1/resource-manager/domains/{domain_id}/run-query rms:resources:runQuery √ x Creating an advanced query POST /v1/resource-manager/domains/{domain_id}/stored-queries rms:storedQueries
Compliance Permission API Action Dependencies IAM Project Enterprise Project Querying all built-in policies GET /v1/resource-manager/policy-definitions rms:policyDefinitions:get - √ x Querying a built-in policy GET /v1/resource-manager/policy-definitions/{policy_definition_id} rms
Guideline Description Rule Solution I-2 Depending on the cloud deployment model adopted, these may include multi-tenancy risks, as well as those concerning concentration risk and supply chain risks more generally. iam-group-has-users-check Assign different permissions to IAM users
For details about how to obtain an account ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
{Endpoint} is the IAM endpoint and can be obtained from Regions and Endpoints. For details about API authentication, see Authentication. The following is an example response.
For example, a resource attribute can be the number of CPU cores of an ECS, the capacity of an EVS disk, or the password strength of an IAM user. For more details, see How Can I Obtain Resource Attributes Reported to Config?.
Table 3 resource Parameter Type Description id String Resource ID. name String Resource name. provider String Cloud service name. type String Resource type. region_id String The ID of the region where the resource resides. project_id String IAM project ID. project_name String IAM
resourceHistoryRequest).toString()); } catch (ConnectionException | RequestTimeoutException | ServiceResponseException ex) { System.out.println(ex); } } } Response class ShowResourceDetailResponse { id: 81fi****a864 name: zh****ng provider: iam
This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. iam-policy-no-statements-with-admin-access Grant IAM users only necessary permissions to perform required operations to ensure compliance with the least privilege
Set Function Type to Event Function and configure other parameters, including the function name and IAM agency. The agency grants the function required permissions and must include the rms:policyStates:update permission. Click Create Function.
Resource Query Permission API Action IAM Project Enterprise Project Querying change records of a resource GET /v1/resource-manager/domains/{domain_id}/resources/{resource_id}/history rms:resources:getHistory √ x Querying resource relationships GET /v1/resource-manager/domains/{domain_id
For details about how to obtain the ID, see Obtaining Account, IAM User, and Project Information. log_group_id: log group ID. For details about how to obtain the ID, see Managing Log Groups. log_topic_id: log stream ID.
type = string } variable "ConfigAgencyName" { description = "Specifies the IAM agency name which must include permissions for sending notifications through SMN and for writing data into OBS."
Authorization Information Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.
If you select Custom granting to customize authorization for the resource recorder, you need to create an agency with IAM, and the agency must include either the permissions for sending notifications using an SMN topic or the permissions for writing data into an OBS bucket based on
If you want to use a template in your OBS bucket to create a conformance package, configure a proper IAM policy and an OBS bucket policy to ensure that the template can be accessed.
Conformance Packages Permissions API Action Dependencies IAM Project Enterprise Project Creating conformance packages POST /v1/resource-manager/domains/{domain_id}/conformance-packs rms:conformancePacks:create rf:stack:createStack rf:stack:getStackMetadata rf:stack:listStackResources
Password authentication must be used. iam-user-mfa-enabled Enable MFA for all IAM users. MFA provides an additional layer of protection in addition to the username and password. 8.1.4.7 a.