Updated on 2025-12-04 GMT+08:00

Evaluating Resource Compliance

Scenario

You can create a rule to evaluate your resource compliance. When creating a rule, you need to select a built-in policy or a custom policy, specify a monitoring scope, and specify the trigger. After the evaluation, you can check the evaluation results.

This section uses the built-in policy Last Login Check for IAM users as an example to describe how to detect inactive IAM users. This policy helps reduce idle users and the risk of password leakage, which improves account security.

Preparations

  1. If you already have a Huawei account, skip this step. If you do not have one, complete the following steps to create one:
    1. Go to Huawei Cloud and click Sign Up.
    2. Sign up for a Huawei account and enable Huawei Cloud services.

      After your account is created, you will be directed to your personal information page.

    3. Complete real-name authentication by following the instructions in Individual Real-Name Authentication or Enterprise Real-Name Authentication.
  2. Top up your account.

    Config is free of charge, but the SMN topic and the OBS bucket that you configured for the resource recorder will be charged. For details, see SMN billing and OBS billing.

    Ensure your account has sufficient balance to avoid unavailability of the resource recorder and other functions of Config. For more details, see Topping up an Account.

  3. Enable the resource recorder.

    The resource recorder must be enabled for adding, modifying, enabling, or triggering a rule. If the resource recorder is disabled, you can only view, disable, and delete rules. In addition, only resources within the monitoring scope of the resource recorder can be evaluated by Config rules, so you are advised to select all your resources when you configure the resource recorder.

Step 1: Add a Rule

The following steps are only for reference. For details about all the parameters, see section Adding a Rule Based on a Built-in Policy.

  1. Log in to the Config console.
  2. In the navigation pane on the left, choose Resource Conformance.
  3. On the Rules tab, click Add Rule.

  4. On the Basic Configurations page, select the built-in policy Last Login Check and click Next.

  5. On the Configure Rule Parameters page, configure the required parameters based on the following table and click Next.

    | Parameter | Example | Description |
    |---|---|---|
    | Execute Every | 24 hours | How often a rule will be triggered. The rule will be periodically triggered at the configured frequency. Available options: 1 hour, 3 hours, 6 hours, 12 hours, 24 hours. |
    | Resource Scope | All | The region where your resources are deployed. Only resources in the specified region will be evaluated. |
    | Configure Rule Parameters | 90 | Number of days during which an IAM user has not logged in to the system. The default value is 90. If an IAM user does not log in to the system within the specified period of time, this user is non-compliant. |

  6. On the Confirm page, confirm the rule information and click Submit.

    After you add a rule, the first evaluation is automatically triggered immediately.

Step 2: View Evaluation Results

  1. On the Rules tab of the Resource Conformance page, click the name of the rule that was added in Step 1.

  2. View evaluation results and rule details on the Basic Information tab.

    By default, non-compliant resources are displayed. Above the list, you can filter the resources by evaluation result, resource name, and resource ID. You can also export all evaluation results.

    IAM users who have not logged in to the management console within 90 days are considered non-compliant. You can adjust these users as needed.
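
The check this rule performs can be reproduced offline when triaging its results before adjusting users. The following is an added example, not Huawei Cloud code or a Config API call. The record fields and sample users are constructed, and two behaviours are assumptions: a user who never logged in is measured from creation time, and a user idle for exactly 90 days still counts as compliant.

```python
from datetime import datetime, timedelta, timezone

ALLOWED_INACTIVE_DAYS = 90  # rule parameter value used on this page

# Constructed sample records; field names are hypothetical, not an IAM or Config export format.
SAMPLE_USERS = [
    {"name": "alice", "created": "2024-01-10T09:00:00+08:00", "last_login": "2025-11-30T08:15:00+08:00"},
    {"name": "bob", "created": "2023-06-01T09:00:00+08:00", "last_login": "2025-08-01T23:30:00Z"},
    {"name": "ci-bot", "created": "2025-02-01T00:00:00+08:00", "last_login": None},
    {"name": "newhire", "created": "2025-11-20T10:00:00+08:00", "last_login": None},
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp and normalise it to UTC; reject naive values."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        # Without an offset, the idle period could be off by up to a day.
        raise ValueError(f"timestamp without UTC offset: {value!r}")
    return ts.astimezone(timezone.utc)


def evaluate(users, now, allowed_days=ALLOWED_INACTIVE_DAYS):
    """Return (name, result, idle_days) tuples, longest-idle first."""
    results = []
    for user in users:
        # Assumption: a user with no recorded login is measured from creation time.
        reference = parse_ts(user["last_login"] or user["created"])
        idle = now - reference
        # Assumption: only strictly more than allowed_days is outside the period.
        outside = idle > timedelta(days=allowed_days)
        results.append((user["name"], "non-compliant" if outside else "compliant", idle.days))
    return sorted(results, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    now = parse_ts("2025-12-04T00:00:00+08:00")  # constructed evaluation time
    for name, verdict, idle_days in evaluate(SAMPLE_USERS, now):
        print(f"{name:8} {verdict:14} idle {idle_days} days")
```

Mixed offsets (`+08:00` and `Z`) are normalised before comparison, so a login recorded late in the day in one time zone does not shift a user across the threshold.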