Updated on 2024-10-28 GMT+08:00

Permissions

If you need to assign different permissions to employees in your enterprise, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you flexibly manage resource access.

You can create users using IAM and grant users permissions to implement access control. For example, if you want some of your employees to have the permissions for configuring the resource recorder, you can create IAM users for them and grant them with the required permissions.

If your Huawei Cloudaccount does not need individual IAM users for permissions management, skip this chapter.

IAM can be used free of charge. You pay only for the resources in your account. For more details, see What is IAM?.

Config Permissions

By default, new IAM users do not have permissions. You need to add a user to one or more groups and attach policies or roles to the user groups. Users in a group inherit permissions from the group, so that they can perform operations on cloud services based on the permissions.

Config is a global service. You do not need to repeat Config authorization for different regions or switch regions for accessing Config.

A user with Config read-only permissions can view all resources on the Resource List page.

You can grant permissions by using roles or policies.

  • Roles: A coarse-grained authorization strategy that defines permissions by job responsibility. Only a limited number of service-level roles are available for authorization. When using roles to grant permissions, you must also assign other roles which the permissions depend on to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policy: A type of fine-grained authorization method that defines permissions required to perform operations on specific cloud resources under certain conditions. Authorization using policies is more flexible and help you implement least privilege. Most policies define permissions based on APIs. API actions are the minimum granularity of permissions. For API actions supported by Config, see the Permissions Policies and Supported Actions section in Config API Reference.

Table 1 Config system-defined permissions lists all the system-defined permissions supported by Config.

Table 1 Config system-defined permissions

Policy

Description

Dependencies

RMS ConsoleFullAccess

Grants full access to Config console. This policy grants you the permissions to perform all actions on the resource list, resource recorder, resource compliance, advanced queries, aggregators, and conformance packages.

RF FullAccess

RMS FullAccess

Grants full access to Config. This policy grants you the permissions to perform all actions on the resource list, resource recorder, resource compliance, advanced queries, aggregators, and conformance packages.

RF FullAccess

RMS ReadOnlyAccess

Grants read-only access to Config. This policy grants you read access to the resource list, resource recorder, resource compliance, advanced queries, aggregators, and conformance packages.

None

An IAM user or IAM Identity Center user may still be denied specific operations on resource recorders, rules, or conformance packages even if they have been granted the RMS ConsoleFullAccess permission. This is because specific operations require IAM agencies. To perform these operations, you need related IAM agencies. The following lists the details.

To create IAM agencies, you need the iam:agencies:createAgency and iam:permissions:grantRoleToAgency permissions. To grant the permission iam:permissions:grantRoleToAgency, specific actions need to be specified.

Table 2 lists the common operations and the system-defined permissions of Config. √ indicates that an operation is supported, and × indicates not supported.

Table 2 Common operations supported by system-defined permissions

Operation

RMS ConsoleFullAccess

RMS FullAccess

RMS ReadOnlyAccess

Querying all resources

Query details about a resource.

Filtering resources

Exporting resources

Viewing resource compliance data

Viewing relationships of a resource

Viewing resource change history

Querying the resource recorder

Enabling, configuring, or modifying the resource recorder

x

Disabling the resource recorder

x

Querying a compliance policy

Modifying rules

x

Adding rules

x

Querying rules

Deleting rules

x

Creating organization rules

x

Modifying organization rules

x

Viewing organization rules

Deleting organization rules

x

Viewing resource compliance evaluation results

Triggering a resource compliance evaluation

x

Updating compliance evaluation results

x

Creating remediation configurations

x

Viewing remediation configurations

Modifying remediation configurations

x

Deleting remediation configurations

x

Viewing remediation execution status

Applying remediation actions

x

Adding remediation exceptions

x

Deleting remediation exceptions

x

Viewing remediation exceptions

Running advanced queries

x

Creating advanced queries

x

Querying advanced queries

Listing advanced queries

Updating advanced queries

x

Deleting advanced queries

x

Creating a resource aggregator

x

Viewing a resource aggregator

Modifying a resource aggregator

x

Deleting a resource aggregator

x

Viewing aggregated rules

Viewing aggregated resources

Authorizing a resource aggregator account

x

Deleting authorization for an aggregator account

x

Deleting resource aggregation requests

x

Viewing resource aggregation requests

Running advanced queries to aggregators

x

Viewing an authorization list

Creating conformance packages

√ (depends on RF FullAccess)

√ (depends on RF FullAccess)

x

Viewing conformance packages

Listing conformance packages

Deleting conformance packages

√ (depends on RF FullAccess)

√ (depends on RF FullAccess)

x

Updating conformance packages

√ (depends on RF FullAccess)

√ (depends on RF FullAccess)

x

Listing conformance package sample templates

Creating organization conformance packages

x

Viewing organization conformance packages

Listing organization conformance packages

Deleting organization conformance packages

x

Updating organization conformance packages

x