Adding a Denylist

Scenario

You can configure a denylist for untrusted visitors. A denylist can be configured by application, account, and client IP address. Access requests that match a denylist will be directly blocked, and the risk severity level of the corresponding audit logs will be marked as Illegal.

For example, for application demo, if the client IP address 172.xx.xx.28 is untrusted, you can add a denylist to block all access from this IP address.

The following describes how to add a denylist.

Procedure

Log in to the web console of the API data security protection system as user sysadmin.
In the navigation pane on the left, choose Security Policies > Access Control.

Click the Denylist tab, click Add, and set rule parameters. For details about related parameters, see Table 1.

Figure 1 Adding a denylist

**Table 1** Parameters for adding a denylist
Parameter	Description
Rule Name	Name of the rule.
Description	Rule description.
Service Name	Select the application to which the rule applies.
Rule Conditions	Configure the rule conditions, including the URL, client IP address, region, account, and account group.
Enabled/Disabled	Enable or disable the denylist. : The rule is enabled so it will take effect immediately after being added. : The rule is disabled so it does not takes effect unless you enable it.

Click Add.

Operation Results

An access request that matches the denylist will be blocked. In the log management, the risk severity level of the access request will be marked as Illegal. All these indicate that the rule works.

Related Operations

On the Denylist tab, you can also perform the following actions:

To edit a denylist, locate it and click Edit on the right.
To delete a denylist, locate it and click Delete on the right.
To delete several denylists, select them all and click Delete in the upper right corner.
To enable several denylists, select them all and click Enable in the upper right corner.
To disable several denylists, select them all and click Disable in the upper right corner.