Help Center/ Host Security Service/ User Guide/ Granting Permissions on Associated Cloud Services
Updated on 2024-09-25 GMT+08:00

Granting Permissions on Associated Cloud Services

Scenario

Some HSS functions depend on other cloud services. To use these functions, you need to assign HSS the permissions for the cloud service resources.

When you log in to the HSS console, HSS automatically requests the permissions to access other cloud service resources in the current region. After you assign the permissions, HSS will automatically create an agency named hss_policy_trust in IAM, which grants HSS the operation permissions on other cloud service resources in your account. For details, see Cloud Service Delegation.

Table 1 describes the cloud service resource permissions that HSS needs you to assign.
Table 1 Required permissions on other cloud service resources

Function

Required Permission

Cloud Service Permission

Usage

Permission

Action

Container audit (image repository audit)

CTSOperatePolicy

Query audit events

cts:trace:list

Obtain image operation logs (CTS logs of SWR).

Installation and configuration on servers

VPCOperatePolicy

Create a port

vpc:ports:create

Create network interface cards (NICs) and modify security groups to ensure that the port used for installing the agent is accessible.

Delete a port

vpc:ports:delete

Create a security group rule

vpc:securityGroupRules:create

Delete a security group rule

vpc:securityGroupRules:delete

Query ports or details about a port

vpc:ports:get

Query networks or details about a network

vpc:networks:get

Query subnets or details about a subnet

vpc:subnets:get

VPCEPOperatePolicy

Create an endpoint

vpcep:endpoints:create

Maintain the network channel Between the agent and the HSS cloud protection center (master).

Query endpoints

vpcep:endpoints:list

Delete a VPC endpoint

vpcep:endpoints:delete

Installation and configuration on containers

CCEOperatePolicy

Query Cluster Information

cce:cluster:get

Manage the lifecycle of HSS-Daemonset and Configmap in a CCE cluster.

Query Clusters in a Project

cce:cluster:list

Query Agencies Based on Specified Conditions

iam:agencies:listAgencies

Prerequisites

To let an IAM user perform operations, assign the Security Administrator system roleto the user..

Assigning Cloud Service Resource Permissions

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  1. In the navigation pane, choose Installation & Configuration > Permissions Management.
  2. Click Assign. The Assign dialog box is displayed.

    Figure 1 Assigning permissions

  3. Select permissions and click OK.

    The Container Audit, Server Install & Config, and Container Install & Config pages cannot work properly if required permissions are not assigned. You can click Assign in the reminder on the top of the pages to assign permissions.

Deleting Cloud Service Resource Permissions

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  3. In the navigation pane, choose Installation & Configuration > Permissions Management.
  4. Locate a permission and click Remove in the Operation column. The Remove Permissions dialog box is displayed.

    Alternatively, select multiple permissions and click Remove above the list.

    Figure 2 Removing permissions

  5. Confirm the permission information, enter DELETE in the dialog box, and click OK.

    If the permission is no longer displayed in the permission list, it indicates the permission has been removed.