All IAM Policies Are in Use
Rule Details (Table 1 Rule details)
Rule Name: iam-policy-in-use
Identifier: iam-policy-in-use
Description: If an IAM policy has not been attached to any IAM users, user groups, or agencies, this policy is noncompliant.

All IAM Roles Are in Use
Rule Details (Table 1 Rule details)
Rule Name: iam-role-in-use
Identifier: iam-role-in-use
Description: If an IAM role has not been attached to any IAM users, user groups, or agencies, this role is noncompliant.
If an enabled IAM user has been added to at least one user group, and no user groups are specified, this IAM user is compliant. If an enabled IAM user has not been added to any user groups, and no user groups are specified, this IAM user is noncompliant.
For more details, see Authorizing IAM Users to Manage Resources of an Account.
Rule Logic: If an IAM agency does not contain all the specified policies and roles, this agency is noncompliant.

ECSs Have IAM Agencies Attached
Rule Details (Table 1 Rule details)
Rule Name: ecs-instance-agency-attach-iam-agency
Identifier: ecs-instance-agency-attach-iam-agency
Description: If an ECS does not have any IAM agencies attached, this ECS is noncompliant.

Rule Logic: If an IAM policy or role does not allow the specified blocked actions on KMS keys, this policy or role is compliant. If an IAM policy or role allows the specified blocked actions on KMS keys, this policy or role is noncompliant.
IAM is a global service. You can create an IAM user using the endpoint of IAM in any region.
Tag: iam
Trigger Type: Configuration change
Filter Type: iam.roles, iam.policies
Configure Rule Parameters: None
Applicable Scenario: This rule allows you to ensure that your IAM users or agencies do not have unintended permissions attached.

Applicable Scenario: This rule helps you identify idle IAM users to improve account security.
Solution: You can use noncompliant IAM users to log in to the Huawei Cloud console or delete these users as needed. For more details, see Logging In as an IAM User and Deleting an IAM User.
For details about the differences between IAM and enterprise projects, see What Are the Differences Between IAM and Enterprise Management?
Applicable Scenario: This rule allows you to ensure that only intended permissions are assigned to an IAM user, a user group, or an IAM agency. For more details, see Grant Least Privilege.

Rule Logic: If an IAM user is in the disabled state, this user is compliant. If an IAM user that is in the enabled state has only one active access key, this IAM user is compliant.

An IAM policy with the action element set to *:*:*, *:*, or * is of high security risk.
Solution: The administrator can modify noncompliant IAM policies or roles. For more details, see Modifying or Deleting a Custom Policy.

Solution: You can enable login protection for the noncompliant IAM users. For more details, see Login Protection.
Rule Logic: If an IAM user is in the disabled state, this user is compliant. If an IAM user that is enabled has MFA enabled, this user is compliant.

Tag: iam
Trigger Type: Configuration change
Filter Type: iam.users
Configure Rule Parameters: None
Applicable Scenario: This rule ensures that an IAM user cannot access cloud services through both the console and APIs.
To perform these operations, you need related IAM agencies. The following lists the details. To create IAM agencies, you need the iam:agencies:createAgency and iam:permissions:grantRoleToAgency permissions.
Solution: You can delete access keys for noncompliant IAM users.
Rule Logic: If an IAM user is disabled, this user is noncompliant. If an IAM user is not allowed to access the management console, this user is compliant.

An IAM user needs the rms:resources:getRelation permission to call this API. Resource relationships are available only when the resource recorder is enabled.
Calling Method: For details, see Calling APIs.
(identifier not shown) | iam | If an IAM user who is allowed to access the Huawei Cloud console has an AK/SK created, this user is noncompliant.
iam-user-group-membership-check | iam | If an IAM user is not in any of the specified IAM user groups, this user is noncompliant.
iam-user-last-login-check | iam | If an IAM user
(identifier not shown) | iam | If an IAM user group has no user, this user group is noncompliant.
iam-password-policy | iam | If the password of an IAM user does not meet the password strength requirements, this IAM user is noncompliant.
iam-root-access-key-check | iam | If the root user access key is available, this