文档首页/ 统一身份认证服务 IAM/ API参考/ 快速入门/ 对IAM用户的权限进行安全审计
更新时间:2024-02-27 GMT+08:00
编辑
查看PDF
分享

对IAM用户的权限进行安全审计

场景描述

企业级用户通常需要对公有云上IAM用户的权限定期进行安全审计,以确定IAM用户的权限未超出规定的范围。例如:除账号和审计员用户以外的所有IAM用户都不应该具有任何IAM的管理权限。此安全审计往往是系统定期自动检查,所以需要使用API来完成。

本章节指导用户如何使用API调用的方式对IAM用户的权限进行安全审计,您可进一步通过编程手段完成定期安全审计工作。

前提条件

审计员对IAM用户的权限进行安全审计时,需要拥有IAM ReadOnlyAccess(推荐)或Security Administrator权限。

总体思路

对IAM用户的权限进行安全审计,步骤如下:

  1. 查询用户组列表;
  2. 查询全局服务中的用户组权限;
  3. 查询项目服务中的用户组权限;
  4. 确定需要审计的权限,查询用户组中的IAM用户,进行安全审计。

涉及的接口如下:

步骤1:查询用户组列表

URI:GET /v3/groups

API文档详情请参见:查询用户组列表

API Explorer在线调试请参见:查询用户组列表

  • 请求示例 
    GET https://iam.myhuaweicloud.com/v3/groups
  • 响应示例 
    {
     "groups":[
         {
             "create_time":1536293929624,
             "description":"IAMDescription",
             "domain_id":"d78cbac186b744899480f25bd022....",
             "id":"5b050baea9db472c88cbae67e8d6....",
             "links":{
                 "self":"https://iam.myhuaweicloud.com/v3/groups/5b050baea9db472c88cbae67e8d6...."
             },
             "name":"IAMGroupA"
         },
         {
             "create_time":1578107542861,
             "description":"IAMDescription",
             "domain_id":"d78cbac186b744899480f25bd022....",
             "id":"07609e7eb200250a3f7dc003cb7a....",
             "links":{
                 "self":"https://iam.myhuaweicloud.com/v3/groups/07609e7eb200250a3f7dc003cb7a...."
             },
             "name":"IAMGroupB"
         }
     ],
     "links":{
         "self":"https://iam.myhuaweicloud.com/v3/groups"
     }
 }

步骤2:查询全局服务中的用户组权限

URI:GET /v3/domains/{domain_id}/groups/{group_id}/roles

API文档详情请参见:查询全局服务中的用户组权限

API Explorer在线调试请参见:查询全局服务中的用户组权限

  • 请求示例 
    GET https://iam.myhuaweicloud.com/v3/domains/{domain_id}/groups/{group_id}/roles
  • 响应示例 
    {
     "links":{
         "self":"https://iam.myhuaweicloud.com/v3/domains/d78cbac186b744899480f25bd022f468/groups/077d71374b8025173f61c003ea0a11ac/roles"
     },
     "roles":[
         {
             "catalog":"CDN",
             "description":"Allow Query Domains",
             "description_cn":"查询域名信息",
             "display_name":"CDN Domain Viewer",
             "flag":"fine_grained",
             "id":"db4259cce0ce47c9903dfdc195eb....",
             "links":{
                 "self":"https://iam.myhuaweicloud.com/v3/roles/db4259cce0ce47c9903dfdc195eb...."
             },
             "name":"system_all_11",
             "policy":{
                 "Statement":[
                     {
                         "Action":[
                             "cdn:configuration:queryDomains",
                             "cdn:configuration:queryOriginServerInfo",
                             "cdn:configuration:queryOriginConfInfo",
                             "cdn:configuration:queryHttpsConf",
                             "cdn:configuration:queryCacheRule",
                             "cdn:configuration:queryReferConf",
                             "cdn:configuration:queryChargeMode",
                             "cdn:configuration:queryCacheHistoryTask",
                             "cdn:configuration:queryIpAcl",
                             "cdn:configuration:queryResponseHeaderList"
                         ],
                         "Effect":"Allow"
                     }
                 ],
                 "Version":"1.1"
             },
             "type":"AX"
         }
     ]
 }

步骤3:查询项目服务中的用户组权限

URI:GET /v3/projects/{project_id}/groups/{group_id}/roles

API文档详情请参见:查询项目服务中的用户组权限

API Explorer在线调试请参见:查询项目服务中的用户组权限

  • 请求示例 
    GET https://iam.myhuaweicloud.com/v3/projects/{project_id}/groups/{group_id}/roles
  • 响应示例 
    {
     "links":{
         "self":"https://iam.myhuaweicloud.com/v3/projects/065a7c66da0010992ff7c0031e5a..../groups/077d71374b8025173f61c003ea0a..../roles"
     },
     "roles":[
         {
             "catalog":"AOM",
             "description":"AOM read only",
             "description_cn":"应用运维管理服务只读权限",
             "display_name":"AOM Viewer",
             "flag":"fine_grained",
             "id":"75cfe22af2b3498d82b655fbb39d....",
             "links":{
                 "self":"https://iam.myhuaweicloud.com/v3/roles/75cfe22af2b3498d82b655fbb39d...."
             },
             "name":"system_all_30",
             "policy":{
                 "Statement":[
                     {
                         "Action":[
                             "aom:*:list",
                             "aom:*:get",
                             "apm:*:list",
                             "apm:*:get"
                         ],
                         "Effect":"Allow"
                     }
                 ],
                 "Version":"1.1"
             },
             "type":"XA"
         }
     ]
 }

步骤4:确定需要审计的权限,查询用户组中的IAM用户,进行安全审计

URI:GET /v3/groups/{group_id}/users

API文档详情请参见:管理员查询用户组所包含的IAM用户

API Explorer在线调试请参见:管理员查询用户组所包含的IAM用户

  • 请求示例 
    GET https://iam.myhuaweicloud.com/v3/groups/{group_id}/users
  • 响应示例 
    {
     "links":{
         "self":"https://iam.myhuaweicloud.com/v3/groups/07609e7eb200250a3f7dc003cb7a..../users"
     },
     "users":[
         {
             "description":"--",
             "domain_id":"d78cbac186b744899480f25bd022....",
             "enabled":true,
             "id":"07609fb9358010e21f7bc003751c....",
             "last_project_id":"065a7c66da0010992ff7c0031e5a....",
             "links":{
                 "self":"https://iam.myhuaweicloud.com/v3/users/07609fb9358010e21f7bc003751c...."
             },
             "name":"IAMUserA",
             "pwd_status":true
         },
         {
             "description":"",
             "domain_id":"d78cbac186b744899480f25bd022....",
             "enabled":true,
             "id":"076837351e80251c1f0fc003afe4....",
             "last_project_id":"065a7c66da0010992ff7c0031e5a....",
             "links":{
                 "self":"https://iam.myhuaweicloud.com/v3/users/076837351e80251c1f0fc003afe4...."
             },
             "name":"IAMUserB",
             "pwd_status":true
         }
     ]
 }
父主题: 快速入门

相关文档