Using IAM Roles or Policies to Grant Access to CFW
If you want to manage the permissions of roles and policies in CFW, you can use Identity and Access Management (IAM). IAM allows you to:
- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials, providing access to CFW resources.
- Grant only the permissions required for users to perform a specific task.
- Entrust a Huawei Cloud account or a cloud service to perform professional and efficient O&M on your CFW resources.
If your Huawei Cloud account does not require individual IAM users, skip this section.
Figure 1 shows the process flow of role/policy-based authorization.
Prerequisites
Before granting permissions to user groups, learn about system permissions in role-based authorization for CFW. For details about all the permissions supported by IAM, see Permissions.
Authorization Process
1. Create a user group and grant permissions.
   Create a user group on the IAM console and assign the CFW ReadOnlyAccess policy to the group.
2. Create a user and add the user to a user group.
   Create a user on the IAM console and add the user to the group created in step 1.
3. Log in as an IAM user and verify permissions.
   Log in to the CFW console as the created user, and verify that the user has only read permissions for CFW.
   - Choose Cloud Firewall in the service list. Click Buy CFW on the CFW console. If you cannot buy CFW (assuming that only the CFW ReadOnlyAccess permission is granted), the CFW ReadOnlyAccess policy has already taken effect.
   - Choose a service other than CFW in the service list. If a message appears indicating that you have insufficient permissions to access the service (assuming that only the CFW ReadOnlyAccess permission is granted), the CFW ReadOnlyAccess policy has already taken effect.
Example Custom Policies
You can create custom policies to supplement the system-defined policies of CFW. Add actions in custom policies as needed. For details about supported actions, see Actions Supported by Policy-based Authorization.
You can create custom policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a policy in JSON format or edit the JSON strings of an existing policy.
For details, see Creating a Custom Policy. The following provides examples of custom CFW policies.
- Example 1: Allowing users to create a CFW instance
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cfw:instance:create"
      ]
    }
  ]
}
- Example 2: Not allowing users to remove items from a blacklist or whitelist
A deny policy must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
Use the following method if you need to assign the permissions of the CFW FullAccess policy to a user but also forbid the user from deleting blacklist or whitelist items (cfw:blackWhite:delete). Create a custom policy containing the action for deleting blacklist/whitelist items, set its Effect to Deny, and assign both this policy and the CFW FullAccess policy to the group the user belongs to. The user can then perform all operations on CFW except deleting items from a blacklist or whitelist. Example:
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "cfw:blackWhite:delete"
      ]
    }
  ]
}
- Multi-action policy
A custom policy can contain the actions of multiple project-level services. The following is a policy with multiple statements:
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cfw:instance:get",
        "cfw:eipStatistics:get"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "hss:hosts:switchVersion",
        "hss:hosts:manualDetect",
        "hss:manualDetectStatus:get"
      ]
    }
  ]
}
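The following is an added example, not part of this documentation or of the IAM service itself: a small evaluator that applies the Deny-over-Allow rule from Example 2 and the implicit-deny default to policy bodies in the format shown above. The CFW FullAccess and CFW ReadOnlyAccess stand-ins and the wildcard matching of "*" in action names are assumptions made for the example.

```python
import fnmatch
import json

# Constructed sample policies (added example, not Huawei Cloud's own policy
# bodies). The Deny policy is the page's Example 2; the two stand-ins
# approximate CFW FullAccess / CFW ReadOnlyAccess with wildcard actions,
# which is an assumption about how those system policies are written.
CFW_FULL_ACCESS_STANDIN = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["cfw:*:*"]}],
}
CFW_READONLY_STANDIN = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["cfw:*:get", "cfw:*:list"]}],
}
DENY_BLACKWHITE_DELETE = json.loads(
    '{"Version": "1.1", "Statement": [{"Effect": "Deny", '
    '"Action": ["cfw:blackWhite:delete"]}]}'
)


def validate_policy(policy):
    """Return a list of structural problems; an empty list means well-formed."""
    problems = []
    if policy.get("Version") != "1.1":
        problems.append('Version must be "1.1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement {i}: Effect must be Allow or Deny")
        if not stmt.get("Action"):
            problems.append(f"Statement {i}: Action list is empty")
    return problems


def evaluate(policies, action):
    """Explicit Deny in any attached policy wins over Allow; an action matched
    by no statement is implicitly denied. '*' is a wildcard (assumed semantics)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # short-circuit: Deny takes precedence
                allowed = True
    return "Allow" if allowed else "Deny"
```

Attaching both the FullAccess stand-in and the Deny policy yields "Deny" for cfw:blackWhite:delete and "Allow" for every other CFW action, which is the behaviour Example 2 describes.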