Updated on 2024-10-22 GMT+08:00

Multi-account Protection

CFW provides secure and reliable cross-account data aggregation and resource access. If the accounts in your organization are centrally managed through the Organizations service, you can use CFW to protect the EIPs of all member accounts in the organization in a unified manner.

Constraints

The number of accounts that can be protected by a single firewall instance is as follows:

  • Yearly/Monthly CFW:
    • Standard edition: 20
    • Professional edition: 50
  • Pay-per-use CFW (professional edition): 20

Example Configuration

Assume that account A needs to manage the assets of account B. To use CFW to protect the assets of organization members, perform the following operations:

  1. If account A is an organization administrator, skip this step. If account A is not an organization administrator, the organization administrator should add account A as a delegated administrator. For details, see Specifying a Delegated Administrator.
  2. The organization administrator or delegated administrator invites account B to join the organization. For details, see Inviting an Account to Join Your Organization.
  3. In CFW, add account B to the list on the Multi-Account Management page. For details, see step 5 in Adding an Account to an Organization.

For details about the organization service, see Overview of Organizations.

To obtain the EIP information of account B, CFW automatically creates a service agency in account A and in account B. CFW relies on these agencies to read EIP information; they are created and removed automatically.

  • The agency is a cloud service agency named ServiceLinkedAgencyForCloudFirewall, with the CFWServiceLinkedAgencyPolicy permission and a scope of All resources.
  • If account B is deleted, CFW automatically deletes the agency it created in account B.
  • If you unsubscribe from CFW, CFW automatically deletes the agencies it created in account A and in all member accounts.
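Because protection of a member account depends on the ServiceLinkedAgencyForCloudFirewall agency existing in that account, a practitioner will usually want to verify it is present after onboarding (and periodically, to catch a manual deletion). The following is an added example, not code from the CFW documentation or the CFW service. It queries the Huawei Cloud IAM agency-list API (GET /v3.0/OS-AGENCY/agencies?domain_id=...) with a caller-supplied token for each account and reports accounts in which the agency is missing; the IAM endpoint, token and domain IDs are placeholders, and the sample responses are constructed so the check runs offline.

```python
"""Verify the CFW service-linked agency exists in each protected account.

Added example, not part of the CFW documentation. The IAM endpoint path is the
documented "query agency list" API; the sample responses below are constructed,
and the exact set of fields in a real response may differ.
"""
import json
import urllib.request

# Agency name and policy as stated on the page.
AGENCY_NAME = "ServiceLinkedAgencyForCloudFirewall"
AGENCY_POLICY = "CFWServiceLinkedAgencyPolicy"


def fetch_agencies(iam_endpoint, token, domain_id):
    """Return the raw agency list of one account (domain) from IAM.

    iam_endpoint (e.g. https://iam.<region>.myhuaweicloud.com), token and
    domain_id are placeholders; the token must belong to that account.
    """
    url = f"{iam_endpoint}/v3.0/OS-AGENCY/agencies?domain_id={domain_id}"
    req = urllib.request.Request(url, headers={"X-Auth-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def find_cfw_agency(agency_list):
    """Return the CFW service-linked agency from an IAM agency list, or None."""
    for agency in agency_list.get("agencies", []):
        if agency.get("name") == AGENCY_NAME:
            return agency
    return None


def audit_accounts(accounts):
    """accounts maps an account name to its agency list (as returned by IAM).

    Returns the sorted names of accounts in which the CFW agency is missing,
    i.e. accounts whose EIPs CFW can no longer enumerate.
    """
    return sorted(
        name for name, agencies in accounts.items()
        if find_cfw_agency(agencies) is None
    )


# Constructed sample responses: account A still has the agency, account B
# does not (for example because it was removed by hand).
SAMPLE_ACCOUNTS = {
    "account-A": {"agencies": [
        {"name": AGENCY_NAME, "domain_id": "a1b2c3", "trust_domain_name": "op_svc_cfw"},
        {"name": "some-other-agency", "domain_id": "a1b2c3", "trust_domain_name": "d4e5f6"},
    ]},
    "account-B": {"agencies": [
        {"name": "some-other-agency", "domain_id": "d4e5f6", "trust_domain_name": "a1b2c3"},
    ]},
}

if __name__ == "__main__":
    # Offline run over the constructed sample; replace SAMPLE_ACCOUNTS with
    # {name: fetch_agencies(endpoint, token, domain_id)} for a live check.
    missing = audit_accounts(SAMPLE_ACCOUNTS)
    print("accounts missing the CFW agency:", missing or "none")
```

Run it against live data by building the dictionary with fetch_agencies for account A and every member account; a non-empty result means the corresponding account should be re-added on the Multi-Account Management page so that CFW recreates the agency.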

Adding an Account to an Organization

  1. (Optional) Enable the Enterprise Center. For details, see Enabling Enterprise Center.

    If the Enterprise Center has been enabled, skip this step.

  2. (Optional) Enable the Organizations service and create an organization.

    If the Organizations service has been enabled, skip this step.

    If you are already in an organization, leave the organization before creating another organization. For details, see Removing a Member Account from Your Organization.

    1. Log in to the management console.
    2. Click the service list icon in the upper left corner and choose Management & Governance > Organizations.
    3. Click Enable Organizations to enable the Organizations service.
      Figure 1 Enabling Organizations

      After the Organizations service is enabled, your organization and the root are automatically created, and your login account is defined as the management account.

  3. Set CFW as a trusted service. For details, see Enabling or Disabling a Trusted Service.
  4. Ensure the current account is an organization management account or a delegated administrator account. For details, see Specifying a Delegated Administrator.
  5. Add a member account to an organization.

    1. In the navigation pane on the left, click the service list icon and choose Security & Compliance > Cloud Firewall. The Dashboard page is displayed.
    2. (Optional) Switch firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
    3. In the navigation pane, choose System Management > Multi-Account Management.
    4. Click Add Account. Select accounts in the navigation tree on the left. The selected accounts are automatically added to the Selected area on the right.

      Only accounts that belong to the same organization can be added. For details about organization accounts, see Overview of an Account.

    5. Click OK. The added account is displayed in the account list.

Viewing Accounts in an Organization

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click the service list icon and choose Security & Compliance > Cloud Firewall. The Dashboard page is displayed.
  4. (Optional) Switch firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose System Management > Multi-Account Management.
  6. Check the account list. For more information, see Table 1.

    Table 1 Parameters in the account list

    Parameter          Description
    Account Name       Name of the member account.
    EIPs               Total number of EIPs under the account.
    Protected EIPs     Number of the account's EIPs protected by the firewall.
    Unprotected EIPs   Number of the account's EIPs not protected by the firewall.

Related Operations

Deleting an organization member account: Select an account and click Delete Account above the list.