With this rule, you can detect IAM policies that allow blocked actions on KMS keys, to prevent unintended data encryption and decryption.
Solution
You can modify noncompliant IAM policies based on the evaluation results.
All IAM Roles Are in Use
Rule Details
Table 1 Rule details
Parameter     Description
Rule Name     iam-role-in-use
Identifier    iam-role-in-use
Description   If an IAM role has not been attached to any IAM users, user groups, or agencies, this role is noncompliant.
All IAM Policies Are in Use
Rule Details
Table 1 Rule details
Parameter     Description
Rule Name     iam-policy-in-use
Identifier    iam-policy-in-use
Description   If an IAM policy has not been attached to any IAM users, user groups, or agencies, this policy is noncompliant.
If an enabled IAM user has been added to at least one user group, and no user groups are specified, this IAM user is compliant. If an enabled IAM user has not been added to any user groups, and no user groups are specified, this IAM user is noncompliant.
For more details, see Authorizing IAM Users to Manage Resources of an Account.
Rule Logic
If an IAM agency does not contain all the specified policies and roles, this agency is noncompliant.
Rule Logic
If an IAM user has any directly assigned policies or permissions, the IAM user is noncompliant. If an IAM user does not have directly assigned policies or permissions, the IAM user is compliant.
Parent topic: Identity and Access Management
ECSs Have IAM Agencies Attached
Rule Details
Table 1 Rule details
Parameter     Description
Rule Name     ecs-instance-agency-attach-iam-agency
Identifier    ecs-instance-agency-attach-iam-agency
Description   If an ECS does not have any IAM agencies attached, this ECS is noncompliant.
To perform these operations, you need related IAM agencies. The following lists the details. To create IAM agencies, you need the iam:agencies:createAgency and iam:permissions:grantRoleToAgency permissions.
Tag                          iam
Trigger Type                 Configuration change
Filter Type                  iam.roles, iam.policies
Configure Rule Parameters    None
Applicable Scenario
This rule allows you to ensure that your IAM users or agencies do not have unintended permissions attached.
You can use bucket policies to control the access of IAM users or other accounts to your OBS buckets. You are advised to apply the least privilege principle so that a bucket policy grants only the permissions necessary for specific tasks.
Rule Logic If an IAM user is in the disabled state, this user is compliant. If an IAM user that is in the enabled state has only one active access key, this IAM user is compliant.
An IAM policy with the action element set to *:*:*, *:*, or * poses a high security risk, because it grants every operation on every resource of every service.
Solution
The administrator can modify noncompliant IAM policies or roles. For more details, see Modifying or Deleting a Custom Policy.
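The two policy checks described above (blocked KMS actions, and full-wildcard actions) are easiest to understand as a walk over the Statement list of a policy document. The following is an added example, not Huawei Cloud Config's own rule implementation: the rule names used as dictionary keys, the blocked-action list and the three sample policies are constructed for illustration, and the policy layout (Version 1.1, Statement with Effect and Action) is the Huawei Cloud IAM custom-policy format.

```python
"""Evaluate IAM policy documents against two checks from this page:
full-wildcard actions (*:*:*, *:* or *) and blocked KMS actions.
Added example; rule names, blocked-action list and sample policies are constructed."""
import fnmatch
import json

# The three full wildcards the page names as high risk.
FULL_WILDCARDS = {"*:*:*", "*:*", "*"}

# Constructed rule parameter: KMS actions that no policy should grant.
# Patterns use the service:resource:operation layout with shell-style wildcards.
BLOCKED_KMS_ACTIONS = ["kms:cmk:encrypt", "kms:cmk:decrypt", "kms:dek:*"]


def _as_list(value):
    """Action may be a single string or a list in a policy document."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def wildcard_actions(policy):
    """Return the full-wildcard actions granted by Allow statements."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action in FULL_WILDCARDS:
                found.append(action)
    return found


def _grant_covers(action, pattern):
    """Approximate overlap test between a granted action and a blocked pattern:
    a full wildcard covers everything; otherwise either glob matching the
    other counts as overlap (e.g. grant kms:* covers blocked kms:cmk:decrypt)."""
    if action in FULL_WILDCARDS:
        return True
    return fnmatch.fnmatchcase(action, pattern) or fnmatch.fnmatchcase(pattern, action)


def blocked_actions(policy, blocked=BLOCKED_KMS_ACTIONS):
    """Return (granted_action, blocked_pattern) pairs for Allow statements
    that grant a blocked action. Deny statements are not grants and are skipped."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            for pattern in blocked:
                if _grant_covers(action, pattern):
                    hits.append((action, pattern))
                    break
    return hits


def evaluate(policy, blocked=BLOCKED_KMS_ACTIONS):
    """Map each (constructed) rule name to Compliant / NonCompliant for one policy."""
    return {
        "iam-policy-no-full-wildcard": "NonCompliant" if wildcard_actions(policy) else "Compliant",
        "iam-policy-blocked-kms-actions": "NonCompliant" if blocked_actions(policy, blocked) else "Compliant",
    }


# Constructed sample policies in the Huawei Cloud IAM custom-policy format.
ADMIN_POLICY = json.loads("""{
  "Version": "1.1",
  "Statement": [{"Effect": "Allow", "Action": ["*:*:*"]}]
}""")

KMS_POLICY = json.loads("""{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow", "Action": ["kms:cmk:list", "kms:cmk:get", "kms:dek:create"]},
    {"Effect": "Deny",  "Action": ["kms:cmk:decrypt"]}
  ]
}""")

READ_ONLY_POLICY = json.loads("""{
  "Version": "1.1",
  "Statement": [{"Effect": "Allow", "Action": ["obs:bucket:ListAllMyBuckets", "obs:object:GetObject"]}]
}""")

if __name__ == "__main__":
    for name, pol in [("admin", ADMIN_POLICY), ("kms", KMS_POLICY), ("read-only", READ_ONLY_POLICY)]:
        print(name, evaluate(pol))
```

The Deny statement in KMS_POLICY is deliberately ignored: the rule concerns what a policy grants, and a Deny on one action does not make the Allow on kms:dek:create any narrower. The overlap test is an approximation of glob intersection, which is sufficient for the flat action namespace used here.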
Applicable Scenario This rule allows you to ensure that only intended permissions are assigned to an IAM user, a user group, or an IAM agency. For more details, see Grant Least Privilege.
For details about the differences between IAM and enterprise projects, see What Are the Differences Between IAM and Enterprise Management?
Applicable Scenario
This rule helps you identify idle IAM users to improve account security.
Solution
You can either log in to the Huawei Cloud console as a noncompliant IAM user, so that the user is no longer idle, or delete the user, as needed. For more details, see Logging In as an IAM User and Deleting an IAM User.
IAM is a global service. You can create an IAM user using the endpoint of IAM in any region.
An IAM user needs the rms:resources:getRelation permission to call this API. Resource relationships are available only when the resource recorder is enabled.
Calling Method
For details, see Calling APIs.
Solution
You can allow IAM users to access cloud services either using programmatic methods or through the console. Ensure that an IAM user does not have both a password and an access key.
Rule Logic
If an IAM user is disabled, this user is compliant.
Solution
You can enable login protection for the noncompliant IAM users. For more details, see Login Protection.
Rule Logic
If an IAM user is in the disabled state, this user is compliant. If an IAM user that is enabled has MFA enabled, this user is compliant.
Solution
You can delete access keys for noncompliant IAM users.
Rule Logic
If an IAM user is disabled, this user is compliant. If an IAM user is not allowed to access the management console, this user is compliant.
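The per-user rule logic scattered across this page (disabled users compliant; at most one active access key; MFA enabled; no password together with an access key; membership in at least one user group; no directly assigned policies) is the same shape each time: a predicate over an IAM user record. The following added example, which is not Huawei Cloud Config's own code, puts those predicates side by side. The IamUser fields, the rule names and the sample users are constructed; "only one active access key" is read as "at most one", and the group-membership rule is implemented for the case where no user groups are specified as a parameter.

```python
"""Apply the IAM-user rule logic described on this page to constructed user
records. Added example; field names, rule names and sample users are constructed."""
from dataclasses import dataclass, field
from typing import List

COMPLIANT, NONCOMPLIANT = "Compliant", "NonCompliant"


@dataclass
class IamUser:
    name: str
    enabled: bool = True
    console_access: bool = False          # user holds a login password
    active_access_keys: int = 0           # number of AK/SK pairs in the active state
    mfa_enabled: bool = False
    groups: List[str] = field(default_factory=list)
    direct_policies: List[str] = field(default_factory=list)  # policies attached to the user itself


def _verdict(ok):
    return COMPLIANT if ok else NONCOMPLIANT


def single_access_key(u):
    """Disabled users are compliant; an enabled user may have at most one active key."""
    return _verdict(not u.enabled or u.active_access_keys <= 1)


def mfa_enabled(u):
    """Disabled users are compliant; an enabled user must have MFA (login protection) on."""
    return _verdict(not u.enabled or u.mfa_enabled)


def no_password_and_access_key(u):
    """Disabled users and users without console access are compliant; otherwise
    the user must not also hold an access key."""
    return _verdict(not u.enabled or not u.console_access or u.active_access_keys == 0)


def in_a_user_group(u):
    """Disabled users are compliant; an enabled user must belong to at least one
    user group (the case where the rule has no user groups specified)."""
    return _verdict(not u.enabled or len(u.groups) > 0)


def no_direct_policies(u):
    """Any policy or permission attached directly to the user is noncompliant,
    whatever the user's state; permissions should come via groups."""
    return _verdict(len(u.direct_policies) == 0)


RULES = {
    "iam-user-single-access-key": single_access_key,
    "iam-user-mfa-enabled": mfa_enabled,
    "iam-user-no-password-and-access-key": no_password_and_access_key,
    "iam-user-group-membership-check": in_a_user_group,
    "iam-user-no-direct-policies": no_direct_policies,
}


def evaluate_user(u):
    """Return rule name -> verdict for one user."""
    return {name: rule(u) for name, rule in RULES.items()}


def noncompliant_rules(u):
    """Names of the rules a user fails, for the remediation steps on this page."""
    return sorted(name for name, verdict in evaluate_user(u).items() if verdict == NONCOMPLIANT)


# Constructed sample users.
ALICE = IamUser("alice", console_access=True, mfa_enabled=True, groups=["admins"])
BOB = IamUser("bob", console_access=True, active_access_keys=2, direct_policies=["ECS FullAccess"])
CAROL = IamUser("carol", enabled=False, console_access=True, active_access_keys=2)

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(user.name, noncompliant_rules(user) or "all rules compliant")
```

Note that disabling a user (CAROL) satisfies every state-dependent rule but not the direct-policy rule, which is why the page treats disabled users as compliant for access-key and MFA checks while still expecting permissions to be granted through groups.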