CFW Permissions and Supported Actions
This topic describes fine-grained permissions management for your CFW instances. If your Huawei Cloud account does not need individual IAM users, then you may skip over this section.
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
You can grant users permissions by using roles and policies. Roles are provided by IAM to define service-based permissions based on users' job responsibilities. Policies are a fine-grained authorization mechanism that defines the permissions required to perform operations on specific cloud resources under certain conditions.
If the peak TPS is greater than 2000, local authentication is required.
Supported Actions
CFW provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control.
- Permission: A statement in a policy that allows or denies certain operations.
- Action: Specific operations that are allowed or denied.
| Permission | Action |
|---|---|
| Create a cloud firewall | cfw:instance:create |
| Add CFW capacity | cfw:instance:alterSpec |
| Delete a cloud firewall | cfw:instance:delete |
| Query a cloud firewall | cfw:instance:get |
| Query the cloud firewall list | cfw:instance:list |
| Enable or disable EIP protection | cfw:eip:operate |
| Query the EIP list | cfw:eip:list |
| Query EIP statistics | cfw:eipStatistics:get |
| Query policy statistics | cfw:policyStatistics:get |
| Create an ACL rule | cfw:acl:create |
| Modify an ACL rule | cfw:acl:put |
| Delete an ACL rule | cfw:acl:delete |
| Query the ACL rule list | cfw:acl:list |
| Configure ACL rule priority | cfw:acl:setPriority |
| Create a blacklist or whitelist | cfw:blackWhite:create |
| Modify a blacklist or whitelist | cfw:blackWhite:put |
| Delete a blacklist or whitelist | cfw:blackWhite:delete |
| Query a blacklist or whitelist | cfw:blackWhite:list |
| Create an IP address group | cfw:ipGroup:create |
| Modify an IP address group | cfw:ipGroup:put |
| Delete an IP address group | cfw:ipGroup:delete |
| Query the IP address group list | cfw:ipGroup:list |
| Query the details of an IP address group | cfw:ipGroup:get |
| Add a member to an IP address group | cfw:ipMember:create |
| Update a member in an IP address group | cfw:ipMember:put |
| Delete a member from an IP address group | cfw:ipMember:delete |
| Query IP address group members | cfw:ipMember:list |
| Create a service group | cfw:serviceGroup:create |
| Modify a service group | cfw:serviceGroup:put |
| Delete a service group | cfw:serviceGroup:delete |
| Query the details about a service group | cfw:serviceGroup:get |
| Query the service group list | cfw:serviceGroup:list |
| Add a member to a service group | cfw:serviceMember:create |
| Update a member in a service group | cfw:serviceMember:put |
| Delete a member from a service group | cfw:serviceMember:delete |
| Query service group members | cfw:serviceMember:list |
| Query the ACL log list | cfw:accessControlLog:list |
| Query the traffic log list | cfw:flowLog:list |
| Query the attack log list | cfw:attackLog:list |
| Query the traffic log report | cfw:flowLogReport:get |
| Query the ACL log report | cfw:accessControlLogReport:get |
| Query the ACL log report | cfw:attackLogReport:get |
| Enable basic protection | cfw:ips:start |
| Disable basic protection | cfw:ips:stop |
| Query basic protection status | cfw:ipsStatus:get |
| Configure the IPS mode | cfw:ipsMode:operate |
| Query the IPS mode | cfw:ipsMode:get |
| Create a packet capture task | cfw:captureTask:create |
| Query the packet capture task list | cfw:captureTask:list |
| Batch delete packet capture tasks | cfw:captureTask:delete |
| Stop a packet capture task | cfw:captureTask:stop |
| Download packet capture results | cfw:captureTask:getResult |
| Query CFW instance resources | cfw:resource:list |
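When reviewing a custom policy, it helps to expand its action patterns against the table above and see which non-read operations it really grants. The following is an added example, not part of the original documentation: it assumes the IAM custom policy JSON layout (`Version`, `Statement`, `Effect`, `Action`), `*` wildcards in action names, and Deny taking precedence over Allow; the sample policy and the read/non-read split are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Action catalog from the table above, written as resource:op1,op2,...
_SPEC = """
instance:create,alterSpec,delete,get,list eip:operate,list eipStatistics:get
policyStatistics:get acl:create,put,delete,list,setPriority
blackWhite:create,put,delete,list ipGroup:create,put,delete,list,get
ipMember:create,put,delete,list serviceGroup:create,put,delete,get,list
serviceMember:create,put,delete,list accessControlLog:list flowLog:list
attackLog:list flowLogReport:get accessControlLogReport:get
attackLogReport:get ips:start,stop ipsStatus:get ipsMode:operate,get
captureTask:create,list,delete,stop,getResult resource:list
"""
ACTIONS = sorted(f"cfw:{res}:{op}" for tok in _SPEC.split()
                 for res, ops in [tok.split(":")] for op in ops.split(","))
READ_OPS = {"list", "get"}  # assumption: any other operation changes state or exports data


def effective_actions(policy):
    """Expand wildcards against the catalog; an explicit Deny overrides Allow."""
    allow, deny = set(), set()
    for stmt in policy["Statement"]:
        bucket = allow if stmt["Effect"] == "Allow" else deny
        for pattern in stmt["Action"]:
            bucket.update(a for a in ACTIONS if fnmatchcase(a, pattern))
    return allow - deny


def audit(policy):
    """Split the effective actions into read-only and everything else."""
    eff = effective_actions(policy)
    risky = sorted(a for a in eff if a.rsplit(":", 1)[1] not in READ_OPS)
    return {"read_only": sorted(eff - set(risky)), "needs_review": risky}


# Constructed sample: meant as a read-only auditor policy, but "cfw:acl:*" slipped in.
SAMPLE_POLICY = json.loads("""
{"Version": "1.1", "Statement": [
  {"Effect": "Allow", "Action": ["cfw:*:list", "cfw:*:get", "cfw:acl:*"]},
  {"Effect": "Deny",  "Action": ["cfw:acl:delete"]}
]}
""")

if __name__ == "__main__":
    report = audit(SAMPLE_POLICY)
    print(f"{len(report['read_only'])} read-only actions granted")
    for action in report["needs_review"]:
        print("needs review:", action)
```

Note that `cfw:*:get` does not match `cfw:captureTask:getResult`, so downloading packet captures has to be granted explicitly and shows up under `needs_review` when it is.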