Using IAM Identity Policies to Grant Access to WAF
System-defined permissions in identity policy-based authorization provided by Identity and Access Management (IAM) let you control access to CFW. With IAM, you can:
- Create IAM users or user groups in your Huawei Cloud account for employees based on your organizational structure. Each IAM user will have their own security credentials for accessing WAF resources.
- Grant only the permissions required for users to perform a task.
- Entrust other Huawei Cloud account or cloud service to perform professional and efficient O&M on your WAF resources.
If your Huawei Cloud account meets your permissions requirements, you can skip this section.
This section describes the procedure for identity policy-based authorization, as shown in Figure 1.
Prerequisites
Before granting permissions, learn about the WAF permissions and select them as required. For details, see System-defined Permissions in WAF. For details about all the permissions supported by IAM, see Permissions.
Authorization Process
- On the IAM console, create an IAM user or create a user group.
Log in to the IAM console to create a user or user group.
- Attach a system-defined policy to the user or user group.
Grant the WAFReadOnlyAccessPolicy system-defined policy or identity policy to a user or user group.
- Log in as the IAM user and verify permissions.
In the authorized region, perform the following operations:
- Assume that the current permissions include only WAFReadOnlyAccessPolicy: Choose Service List > Web Application Firewall. Then click Buy WAF on the WAF console and purchase a dedicated WAF instance. If the instance cannot be purchased, the WAFReadOnlyAccessPolicy policy already works.
- Assume that the current role has only WAFReadOnlyAccessPolicy: Choose any other service in Service List. If a message appears indicating that you do not have permissions to access the service, the WAFReadOnlyAccessPolicy policy already works.
WAF Example Custom Identity Policies
If the system-defined policies of WAF cannot meet your needs, you can create custom identity policies. For details about actions supported in custom identity policies, see Actions Supported by Identity Policy-based Authorization.
You can create custom identity policies on Huawei Cloud in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions without the need to know policy syntax.
- JSON: Edit JSON policies from scratch or based on an existing policy.
For details, see Creating a Custom Identity Policy and Attaching It to a Principal.
When creating a custom identity policy, use the Resource element to specify the resources the policy applies to and use the Condition element (condition keys) to control when the policy is in effect. For details about supported resource types and condition keys, see Actions Supported by Identity Policy-based Authorization. The following provides examples of custom identity policies for WAF.
- Example 1: Grant a custom policy.
{ "Version": "5.0", "Statement": [ { "Effect": "Allow", "Action": [ "waf:instance:list", "waf:instance:get", "waf:sourceIp:get", "waf:policy:list", "waf:ruleset:list", "waf:ruleset:get", "waf:ccRule:list", "waf:ccRule:get", "waf:preciseProtectionRule:list", "waf:preciseProtectionRule:get", "waf:whiteBlackIpRule:list", "waf:whiteBlackIpRule:get", "waf:privacyRule:list", "waf:privacyRule:get", "waf:falseAlarmMaskRule:list", "waf:falseAlarmMaskRule:get", "waf:geoIpRule:list", "waf:geoIpRule:get", "waf:antiTamperRule:list", "waf:antiTamperRule:get", "waf:antiLeakageRule:list", "waf:antiLeakageRule:get", "waf:anticrawlerRule:list", "waf:anticrawlerRule:get", "waf:punishmentRule:list", "waf:punishmentRule:get", "waf:valueList:list", "waf:valueList:get", "waf:ipgroup:list", "waf:ipgroup:get", "waf:ipGroupShare:list", "waf:ipGroupInvitation:list", "waf:certificate:list", "waf:certificate:get", "waf:premiumInstance:list", "waf:premiumInstance:get", "waf:pool:list", "waf:pool:get", "waf:poolBinding:list", "waf:poolBinding:get", "waf:poolHealthMonitor:list", "waf:poolHealthMonitor:get", "waf:event:get", "waf:dumpEventLink:get", "waf:dnsDomain:get", "waf:asyncJob:get", "waf:ltsConfig:get", "waf:tmsTags:get", "waf:tmsProjectTags:get", "waf:tmsResource:post", "waf:subscription:get", "waf:agency:get", "waf:alert:get", "waf:consoleConfig:get" ] } ] } - Example 2: Create a custom policy containing multiple actions.
A custom policy can contain the actions of multiple services. The following is an example policy containing actions of multiple services:
{ "Version": "5.0", "Statement": [ { "Effect": "Allow", "Action": [ "waf:instance:list", "waf:consoleConfig:get" ] }, { "Effect": "Allow", "Action": [ "ecs:cloudServers:showServer", "ecs:cloudServers:showServerBlockDevice" ] } ] }
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
