Enabling CTS
CTS records operations performed on cloud resources in your account. The operation logs can be used to perform security analysis, track resource changes, perform compliance audits, and locate faults.
It is recommended that you enable the CTS service to record key IAM operations, such as creating and deleting users.
Procedure
- Log in to the management console.
- If you log in to Huawei Cloud using an account, go to 3. If you log in as an IAM user, request the administrator to grant you the following permissions:
- Security Administrator
- CTS FullAccess
For details, see Assigning Permissions to an IAM User.
- Choose Service List > Management & Deployment > Cloud Trace Service.
- On the displayed authorization page, click Enable and Authorize.
- When using CTS, you must have the required permissions for relevant operations, but do not need to be granted the Security Administrator role again.
- After you enable CTS, the system automatically creates two trackers to record management traces, that is, operations (such as creation, login, and deletion) performed on all cloud resources.
- In the current region, a tracker is created to record management traces of all project-level services deployed in this region.
- In the EU-Dublin region, a tracker is created to record management traces of all global services, such as IAM.
Operation |
Resource Type |
Trace Name |
---|---|---|
User login |
user |
login |
User login failed (Account login failures not included) |
user |
loginFailed |
User logout |
user |
logout |
Login using a QR code |
user |
scanQRCodeLogin |
Login using a QR code failed |
user |
scanQRCodeLoginFailed |
Login via OpenID succeeded |
user |
oidcLoginSuccess |
Login via OpenID Connect failed |
user |
oidcLoginFailed |
Login via SSO succeeded |
user |
iamUserSsoLoginSuccess |
Login via SSO failed |
user |
iamUserSsoLoginFailed |
Resetting the password |
user |
fpwdResetSuccess |
Creating an IAM user |
user |
createUser |
Changing the email address or mobile number |
user |
updateUser |
Deleting a user |
user |
deleteUser |
Changing the password |
user |
updateUserPwd |
Setting a password for a user (by the administrator) |
user |
updateUserPwd |
Modifying login protection of an IAM user |
user |
modifyLoginProtect |
Changing the mobile number using an email |
user |
changeMobileByEmail |
Changing the password using an email |
user |
updateUserPwdByEmail |
Initial federated login succeeded |
user |
tenantLoginBySamlSuccess |
Federated login using a custom identity broker succeeded |
user |
federationLoginNoPwdSuccess |
Federated login using a custom identity broker failed |
user |
federationLoginNoPwdFailed |
Creating a user group |
userGroup |
createGroup |
Modifying a user group |
userGroup |
updateGroup |
Deleting a user group |
userGroup |
deleteGroup |
Adding users to a user group |
userGroup |
addUserToGroup |
Removing users from a user group |
userGroup |
removeUserFromGroup |
Unbinding a virtual MFA device |
MFA |
UnBindMFA |
Binding a virtual MFA device |
MFA |
BindMFA |
Creating a project |
project |
createProject |
Modifying a project |
project |
updateProject |
Deleting a project |
project |
deleteProject |
Creating an agency |
agency |
createAgency |
Modifying an agency |
agency |
updateAgency |
Deleting an agency |
agency |
deleteAgency |
Switching an agency |
agency |
switchRole |
Assigning all project permissions to an agency |
agency |
updateAgencyInheritedGrants |
Revoking all project permissions from an agency |
agency |
deleteAgencyInheritedGrants |
Assigning global service permissions to an agency |
agency |
updateAgencyAssignsByRole |
Assigning global service permissions to an agency (API) |
roleAgencyDomain |
assignRoleToAgencyOnDomain |
Updating agency permissions |
agency |
updateAgencyAssignsByRole |
Registering an identity provider |
identityProvider |
createIdentityProvider |
Modifying an identity provider |
identityProvider |
updateIdentityProvider |
Deleting an identity provider |
identityProvider |
deleteIdentityProvider |
Updating an identity conversion rule |
identityProvider |
updateMapping |
Updating the identity provider metadata |
identityProvider |
metadataConfiguration |
Manually editing metadata of a preset IdP |
identityProvider |
metadataConfiguration |
Registering a mapping |
mapping |
createMapping |
Updating a mapping |
mapping |
updateMapping |
Deleting a mapping |
mapping |
deleteMapping |
Registering a protocol |
identityProvider |
createProtocol |
Updating a protocol |
identityProvider |
updateProtocol |
Deleting a protocol |
identityProvider |
deleteProtocol |
Revoking global service permissions from an agency |
roleAgencyDomain |
unassignRoleToAgencyOnDomain |
Assigning project permissions to an agency |
roleAgencyProject |
assignRoleToAgencyOnProject |
Revoking project permissions from an agency |
roleAgencyProject |
unassignRoleToAgencyOnProject |
Modifying the login authentication policy |
SecurityPolicy |
modifySecurityPolicy |
Modifying the password policy |
SecurityPolicy |
modifySecurityPolicy |
Modifying the ACL |
SecurityPolicy |
modifySecurityPolicy |
Modifying the login authentication policy |
loginpolicy |
securitypolicy |
Modifying the password policy |
passwordpolicy |
securitypolicy |
Modifying the ACL |
acl |
securitypolicy |
Creating an account |
domain |
createDomain |
Update an account |
domain |
updateDomain |
Delete an account |
domain |
deleteDomain |
Logging failed via OpenID Connect |
domain |
oidcLoginFailed |
Creating a custom policy |
Policy |
createRole |
Modifying a custom policy |
Policy |
updateRole |
Deleting a custom policy |
Policy |
deleteRole |
Assigning global service permissions to a user group (API) |
assignment |
createAssignment |
Assigning global service permissions to a user group |
group |
updateGroupAssignsByRole |
Revoking global service permissions from a user group |
assignment |
deleteAssignment |
Creating a permanent AK/SK |
credential |
createCredential |
Updating a permanent access key (AK/SK) |
credential |
updateCredential |
Deleting a permanent access key (AK/SK) |
credential |
deleteCredential |
Disabling or enabling an access key (AK/SK) |
credential |
updateCredential |
Assigning permissions to users or enterprise projects |
assignment |
grantRoleToUserOnEnterpriseProject |
Revoking permissions from users or enterprise projects |
enterpriseProject |
revokeRoleFromUserOnEnterpriseProject |
Updating user group permissions for enterprise projects |
enterpriseProject |
updateRoleFromGroupOnEnterpriseProject |
Creating a user group |
group |
createGroup |
Deleting a user group |
group |
deleteGroup |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.