Updated on 2025-08-25 GMT+08:00

ECSs Have IAM Agencies Attached

Rule Details

Table 1 Rule details

| Parameter | Description |
| --- | --- |
| Rule Name | ecs-instance-agency-attach-iam-agency |
| Identifier | ECSs Have IAM Agencies Attached |
| Description | If an ECS does not have any IAM agencies attached, this ECS is non-compliant. |
| Tag | ecs |
| Trigger Type | Configuration change |
| Filter Type | ecs.cloudservers |
| Rule Parameters | None |

Application Scenarios

An agency is created by the tenant administrator in IAM and provides a temporary credential for an ECS to access cloud services. You can determine whether to use an agency based on application scenarios and security requirements.

The advantages of using an agency are as follows:

  • Minimum permissions: IAM agencies ensure that only the minimum permissions required to complete a task are granted.
  • Simplified management: IAM agencies can be dynamically assigned, eliminating the need to manually manage credentials.
  • Enhanced security: IAM agencies provide temporary security credentials, reducing the risk of credential leakage.
  • Flexibility: Different tasks can use different IAM agencies, meeting diversified requirements.

The disadvantages of using an agency are as follows:

  • Complex configuration: Configuring and managing IAM agencies can be complex, especially when fine-grained permission control is required.
  • Incorrect configuration: Incorrect IAM policies may prevent tasks from accessing required resources.
  • Unauthorized access: Improper IAM agency configuration may cause unauthorized access or security vulnerabilities.

You are advised to use this rule only in the following scenarios:

  • Multi-task environment: Tasks require different permissions.
  • High security requirements: IAM agencies are required for managing permissions on sensitive data to meet high security requirements.
  • Cross-service access: Tasks need to access other Huawei Cloud services, such as OBS and RDS.

Solution

Configure appropriate IAM agencies for your ECSs.

Rule Logic

  • If an ECS has an IAM agency attached, this ECS is compliant.
  • If an ECS does not have any IAM agencies attached, this ECS is non-compliant.
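
The rule logic above, applied offline to an exported resource inventory, as an added example that is not Huawei Cloud's own rule code. The record layout (provider, type, and the agency name at properties.metadata.agency_name) and all sample records are assumptions constructed for this example; check the field path against your own export. A blank or whitespace-only agency name is treated as no agency attached.

```python
from typing import Any, Optional

FILTER_TYPE = "ecs.cloudservers"  # filter type from the rule details table

# Constructed sample inventory (not real resources).
SAMPLE_INVENTORY = [
    {"id": "ecs-0001", "provider": "ecs", "type": "cloudservers",
     "properties": {"metadata": {"agency_name": "app-obs-readonly"}}},
    {"id": "ecs-0002", "provider": "ecs", "type": "cloudservers",
     "properties": {"metadata": {}}},                        # no agency key
    {"id": "ecs-0003", "provider": "ecs", "type": "cloudservers",
     "properties": {"metadata": {"agency_name": "  "}}},     # blank value
    {"id": "ecs-0004", "provider": "ecs", "type": "cloudservers",
     "properties": None},                                    # properties missing
    {"id": "vol-0001", "provider": "evs", "type": "volumes",
     "properties": {}},                                      # outside the filter
]


def attached_agency(resource: dict) -> Optional[str]:
    """Return the attached agency name, or None if absent or blank.

    ASSUMPTION: the agency name is stored at properties.metadata.agency_name.
    """
    metadata: Any = (resource.get("properties") or {}).get("metadata") or {}
    name = metadata.get("agency_name") if isinstance(metadata, dict) else None
    if isinstance(name, str) and name.strip():
        return name.strip()
    return None


def evaluate(resource: dict) -> str:
    """Apply the rule logic to one record."""
    resource_type = f"{resource.get('provider')}.{resource.get('type')}"
    if resource_type != FILTER_TYPE:
        return "NotApplicable"  # the rule only evaluates ECSs
    return "Compliant" if attached_agency(resource) else "NonCompliant"


def non_compliant_ids(inventory: list) -> list:
    """List the IDs of ECSs that fail the rule, in inventory order."""
    return [r["id"] for r in inventory if evaluate(r) == "NonCompliant"]


if __name__ == "__main__":
    for record in SAMPLE_INVENTORY:
        print(record["id"], evaluate(record))
```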