Updated on 2025-09-19 GMT+08:00

Control Policy Overview

SWR supports multiple control policies: IAM-based access control, SCP-based access control, RCP-based access control, NCP-based access control, and VPC endpoint policy-based access control. Choose the control policies that match your security requirements. The following sections describe each of them.

IAM-based Access Control

Identity and Access Management (IAM) provides permissions management for secure access to your Huawei Cloud services and resources. For details about how to use IAM to control access to SWR, see IAM-based Permissions Management.

SCP-based Access Control

Service Control Policies (SCPs) are guardrail policies provided by Organizations. The management account can use SCPs to limit the permissions that can be assigned to member accounts in an organization. You can attach an SCP to your organization, to OUs, or to individual member accounts. An SCP attached to the organization or to an OU applies to every account within that organization or under that OU. For details, see SCP Introduction.

The organization here refers to the organization in the Organizations service, not the organization in SWR.

RCP-based Access Control

Resource Control Policies (RCPs) are guardrail policies provided by Organizations. An RCP limits the maximum permissions allowed on a resource, so access to resources owned by an organization member account is bounded by the RCPs that apply to that account. An organization administrator can set RCPs in an organization to meet the security and compliance requirements for controlling access to resources in member accounts.

The organization here refers to the organization in the Organizations service, not the organization in SWR.

NCP-based Access Control

Network Control Policies (NCPs) are guardrail policies provided by Organizations. An NCP limits the maximum permissions allowed for requests made through a VPC endpoint; it restricts requests initiated from VPC endpoints created by the member accounts of an organization. An organization administrator can set NCPs in an organization to meet the security and compliance requirements for controlling access initiated from those VPC endpoints.

The organization here refers to the organization in the Organizations service, not the organization in SWR.

VPC Endpoint Policy-based Access Control

VPC endpoint policies are a type of resource-based policy. You can configure a policy on a VPC endpoint to control which principals can use that endpoint to access VPC endpoint services. For details, see Managing the Policy of a VPC Endpoint.

Virtual Private Cloud (VPC) enforces network border security. If the API access point of a resource is reached from within the VPC of your account, the traffic stays inside the VPC, which can be treated as a network security domain whose boundaries you control. If the API access point is reached over the public network, the network attack surface is larger and harder to control.

After a control policy is configured, it also governs anonymous downloads of public images; a public image is not exempt from the policy.
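The sections above describe five layers that each have a say in whether an image pull or push succeeds. The following Python model, added here as an illustration and not Huawei Cloud's own evaluation code, makes the layering concrete under one simplified assumption: IAM (or a repository's public status, for anonymous callers) grants access, and SCPs, RCPs, NCPs and VPC endpoint policies are guardrails that can only narrow that grant, with an unattached guardrail imposing no restriction. Account IDs, endpoint IDs and the action names "pull" and "push" are made up for the example.

```python
"""Illustrative model of layered SWR control policies (added example,
not Huawei Cloud code). Assumed semantic: an identity grant is required,
and every applicable guardrail must also permit the action. Account IDs,
endpoint IDs and action names are constructed for the example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    principal: Optional[str]              # calling account; None means anonymous
    resource_owner: str                   # account that owns the image repository
    repo_public: bool                     # repository is marked public in SWR
    action: str                           # "pull" or "push" (illustrative names)
    endpoint: Optional[str] = None        # VPC endpoint used; None = public network
    endpoint_owner: Optional[str] = None  # account that created that endpoint


@dataclass
class Policies:
    org_members: set[str]                 # accounts in the Organizations organization
    iam_allow: dict[str, set[str]]        # principal -> actions granted by IAM
    scp: dict[str, set[str]]              # member account -> max actions for its principals
    rcp: dict[str, set[str]]              # member account -> max actions on its resources
    ncp: dict[str, set[str]]              # member account -> max actions via its VPC endpoints
    endpoint_policy: dict[str, set[str]]  # endpoint -> principals allowed ("*" = anyone)


def _within(guardrail: dict[str, set[str]], key: Optional[str], action: str) -> bool:
    """A guardrail only restricts if one is attached for this key."""
    if key is None:
        return True
    allowed = guardrail.get(key)
    return allowed is None or action in allowed


def evaluate(req: Request, pol: Policies) -> tuple[bool, str]:
    """Return (allowed, reason). Every applicable layer must permit the request."""
    # 1. Identity grant: IAM for authenticated callers, public repo for anonymous pulls.
    if req.principal is None:
        if not (req.repo_public and req.action == "pull"):
            return False, "anonymous access requires a public repository and a pull"
    elif req.action not in pol.iam_allow.get(req.principal, set()):
        return False, "IAM does not grant the action"

    # 2. SCP: caps what a member account's principals may do (no principal for anonymous).
    if req.principal in pol.org_members and not _within(pol.scp, req.principal, req.action):
        return False, "denied by SCP attached to the calling account"

    # 3. RCP: caps what may be done to a member account's resources, whoever calls.
    if req.resource_owner in pol.org_members and not _within(pol.rcp, req.resource_owner, req.action):
        return False, "denied by RCP on the resource owner's account"

    # 4. NCP: caps requests that arrive through a VPC endpoint created by a member account.
    if (req.endpoint is not None and req.endpoint_owner in pol.org_members
            and not _within(pol.ncp, req.endpoint_owner, req.action)):
        return False, "denied by NCP on the endpoint owner's account"

    # 5. VPC endpoint policy: resource-based policy on the endpoint itself.
    if req.endpoint is not None:
        principals = pol.endpoint_policy.get(req.endpoint)
        caller = req.principal or "anonymous"
        if principals is not None and "*" not in principals and caller not in principals:
            return False, "denied by VPC endpoint policy"

    return True, "allowed by the identity grant and every applicable guardrail"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed scenarios; each shows a different layer deciding the outcome."""
    pol = Policies(
        org_members={"acct-a", "acct-b", "acct-c"},
        iam_allow={"acct-a": {"pull", "push"}, "acct-c": {"pull", "push"}},
        scp={"acct-a": {"pull", "push"}, "acct-c": {"pull"}},   # acct-c may never push
        rcp={"acct-a": {"pull"}},                               # acct-a's repos are pull-only
        ncp={"acct-b": {"pull"}},                               # acct-b's endpoints carry pulls only
        endpoint_policy={"vpcep-b": {"acct-a"}},                # only acct-a may use vpcep-b
    )
    return {
        "member pull": evaluate(Request("acct-a", "acct-a", False, "pull"), pol),
        "member push": evaluate(Request("acct-a", "acct-a", False, "push"), pol),
        "scp-bound push": evaluate(Request("acct-c", "acct-c", False, "push"), pol),
        "push via endpoint": evaluate(
            Request("acct-a", "acct-c", False, "push", "vpcep-b", "acct-b"), pol),
        "anonymous public pull": evaluate(Request(None, "acct-a", True, "pull"), pol),
        "anonymous public pull via endpoint": evaluate(
            Request(None, "acct-a", True, "pull", "vpcep-b", "acct-b"), pol),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:36} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The last two scenarios illustrate the note above: an anonymous pull of a public image succeeds over the public network, but the same pull made through an endpoint whose policy names only acct-a is denied, because the guardrails apply regardless of the image being public. In practice the order of the checks does not matter, since every layer must agree; what matters is that a guardrail can only remove permissions that IAM already granted, never add them.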