Cloud Firewall (CFW)
The Organizations service provides Service Control Policies (SCPs) to set access control policies.
SCPs do not actually grant any permissions to an entity. They only set the permissions boundary for the entity. When SCPs are attached to an organizational unit (OU) or a member account, the SCPs do not directly grant permissions to that OU or member account. Instead, the SCPs only determine what permissions are available for that member account or those member accounts under that OU.
This section describes the elements used by Organizations SCPs. The elements include actions, resources, and conditions.
For details about how to use these elements to edit a custom SCP policy, see Creating an SCP.
Actions
Actions are specific operations that are allowed or denied in an SCP.
- The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an SCP.
- The Resource Type column indicates whether the action supports resource-level permissions.
  - You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your SCP statements.
  - If this column includes a resource type, you must specify the URN in the Resource element of an SCP statement.
  - Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

  For details about the resource types defined by CFW, see Resources.
- The Condition Key column includes keys that you can specify in an SCP statement's Condition element.
  - If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
  - If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
  - If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

  For details about the condition keys defined by CFW, see Conditions.
The following table lists the actions that you can define in SCP statements for CFW.
Action | Description | Access Level | Resource Type (*: required) | Condition Key |
---|---|---|---|---|
cfw:acl:createAclRule | Grants the permission to create an ACL rule. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:acl:deleteAclRule | Grants the permission to delete an ACL rule. | write | cfw:<region>:<account-id>:acl:<acl-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:acl:deleteHitCount | Grants the permission to delete the number of ACL rule hits. | write | cfw:<region>:<account-id>:acl:<acl-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:listDomainParseServers | Grants the permission to query the DNS server list. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getDomainParseResult | Grants the permission to resolve a domain name. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:acl:getExportStatus | Grants the permission to query the export status of ACL rules. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:acl:getImportStatus | Grants the permission to query the import status of ACL rules. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:acl:getImportTemplate | Grants the permission to obtain the ACL rule import template. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:acl:listAclRules | Grants the permission to query the ACL rule list. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:acl:listAclTags | Grants the permission to query the ACL rule tag list. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:acl:updateAclRule | Grants the permission to upgrade an ACL rule. | write | cfw:<region>:<account-id>:acl:<acl-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:acl:updateAclRuleAction | Grants the permission to upgrade the action of an ACL rule. | write | cfw:<region>:<account-id>:acl:<acl-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:updateDomainParseServer | Grants the permission to update a DNS server. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:acl:setPriority | Grants the permission to set the priority of an ACL rule. | write | cfw:<region>:<account-id>:acl:<acl-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:blackWhiteList:create | Grants the permission to create the blacklist or whitelist. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:blackWhiteList:delete | Grants the permission to delete the blacklist or whitelist. | write | cfw:<region>:<account-id>:blackWhiteList:<blackWhiteList-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:blackWhiteList:list | Grants the permission to query the blacklist or whitelist. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:blackWhiteList:update | Grants the permission to update the blacklist or whitelist. | write | cfw:<region>:<account-id>:blackWhiteList:<blackWhiteList-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:domainGroup:update | Grants the permission to update a domain name group. | write | cfw:<region>:<account-id>:domainGroup:<domainGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:domainGroup:create | Grants the permission to create a domain name group. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:domainGroup:delete | Grants the permission to delete a domain name group. | write | cfw:<region>:<account-id>:domainGroup:<domainGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:domainGroup:list | Grants the permission to obtain the domain name group list. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:eip:count | Grants the permission to query the number of EIPs. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:eip:list | Grants the permission to query the EIP list. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | g:ResourceTag/<tag-key> |
cfw:eip:updateProtectStatus | Grants the permission to change the protection status of an EIP. | write | cfw:<region>:<account-id>:eip:<eip-id> * | - |
| | | - | g:EnterpriseProjectId |
cfw:instance:checkNameRepeat | Grants the permission to check whether a CFW name already exists. | read | - | - |
cfw:instance:listAdvanceIpsRules | Grants the permission to query the advanced IPS rule list of CFW. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:listUsedEr | Grants the permission to query the list of used ERs. | list | - | - |
cfw:instance:listUsedInspectionVpc | Grants the permission to query the list of used inspection VPCs. | list | - | - |
cfw:instance:addLogConfig | Grants the permission to add CFW log configurations. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:updateCustomRule | Grants the permission to update a CFW custom IPS rule. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:updateCustomRuleAction | Grants the permission to update the actions of CFW custom IPS rules. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:updateLogConfig | Grants the permission to update CFW LTS log configurations. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:createInstance | Grants the permission to create a CFW instance. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | - |
| | | - | |
cfw:instance:deletePostPaidInstance | Grants the permission to delete a pay-per-use CFW instance. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:createCaptureTask | Grants the permission to create a CFW packet capture task. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:createCustomRule | Grants the permission to create a CFW custom IPS rule. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:createTags | Grants the permission to create a CFW tag. | tagging | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
| | | - | |
cfw:instance:deleteInstance | Grants the permission to delete a CFW instance. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:deleteCaptureTask | Grants the permission to delete a CFW packet capture task. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:deleteCustomRule | Grants the permission to delete a CFW custom IPS rule. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:deleteLogSearchHistory | Grants the permission to delete the CFW log search history. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:deleteTags | Grants the permission to delete a CFW tag. | tagging | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
| | | - | g:TagKeys |
cfw:instance:exportLog | Grants the permission to export logs. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:listInstanceByTags | Grants the permission to query a CFW instance by tag. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
| | | - | g:TagKeys |
cfw:instance:getBaseVersion | Grants the permission to query a basic CFW instance. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getCaptureTaskResult | Grants the permission to query the result of a CFW packet capture task. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getCustomRule | Grants the permission to query the details about a CFW custom IPS rule. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getDomainParseServerStatus | Grants the permission to query the status of the CFW DNS server. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getIpsMode | Grants the permission to query the IPS protection mode of CFW. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getIpsStatus | Grants the permission to query the status of a CFW IPS rule. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getLogConfig | Grants the permission to query the CFW LTS log configurations. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getMaxCapturePacketNum | Grants the permission to query the maximum number of captured packets of a CFW user. | read | - | - |
cfw:instance:getPolicyStatistics | Grants the permission to query CFW protection policy statistics. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:listProjectTags | Grants the permission to query the CFW project tag list. | list | - | - |
cfw:instance:getRegionDb | Grants the permission to query the CFW geographical location library. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:listInstanceTags | Grants the permission to query the CFW instance tag list. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:listInstance | Grants the permission to query the CFW instance list. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | - |
cfw:instance:getInstance | Grants the permission to query the details about a CFW instance. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:listAccessControlLog | Grants the permission to query the CFW access control log list. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:listAttackLog | Grants the permission to query the CFW attack log list. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:listCaptureTask | Grants the permission to query the CFW packet capture task list. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:listCustomRule | Grants the permission to query the CFW custom IPS rule list. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getEw | Grants the permission to query a CFW east-west firewall. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:listFlowLog | Grants the permission to query the CFW traffic log list. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:listIpsRule | Grants the permission to query the CFW IPS rule list. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:listProtectedVpc | Grants the permission to query the VPCs protected by CFW. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:updateIpsMode | Grants the permission to update the IPS protection mode of CFW. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:updateAdvanceIpsRule | Grants the permission to update an advanced IPS rule of CFW. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:updateIpsRuleAction | Grants the permission to update the IPS rule mode of CFW. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:updateIpsStatus | Grants the permission to update the status of a CFW IPS rule. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:updateEwProtectedStatus | Grants the permission to update the protection status of a CFW east-west firewall. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:saveTags | Grants the permission to replace a CFW tag. | tagging | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
| | | - | |
cfw:instance:startBaseVersion | Grants the permission to enable the CFW basic edition. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:stopBaseVersion | Grants the permission to disable the CFW basic edition. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:stopCaptureTask | Grants the permission to stop a CFW packet capture task. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:updateAlarmConfig | Grants the permission to update CFW alarm configurations. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getAlarmConfig | Grants the permission to query CFW alarm configurations. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:upgradeInstance | Grants the permission to upgrade a CFW instance. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:updateName | Grants the permission to update the name of a CFW instance. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getAccessControlLogStatistics | Grants the permission to query CFW access control log statistics. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getAttackLogStatistics | Grants the permission to query CFW attack log statistics. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getLogSearchHistory | Grants the permission to query CFW log search history. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getEngineLogStatistics | Grants the permission to query CFW engine log statistics. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getFlowLogStatistics | Grants the permission to query CFW traffic log statistics. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getIpLogStatistics | Grants the permission to query CFW IP address log statistics. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:ipGroup:updateIpGroupMember | Grants the permission to update CFW address group members. | write | cfw:<region>:<account-id>:ipGroup:<ipGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:ipGroup:createIpGroup | Grants the permission to change the members in a CFW address group. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:ipGroup:createIpGroupMember | Grants the permission to create a CFW address group member. | write | cfw:<region>:<account-id>:ipGroup:<ipGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:ipGroup:deleteIpGroup | Grants the permission to delete a CFW address group. | write | cfw:<region>:<account-id>:ipGroup:<ipGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:ipGroup:deleteIpGroupMember | Grants the permission to delete a member from a CFW address group. | write | cfw:<region>:<account-id>:ipGroup:<ipGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:ipGroup:getIpGroup | Grants the permission to query a CFW address group. | read | cfw:<region>:<account-id>:ipGroup:<ipGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:ipGroup:listIpGroups | Grants the permission to query the CFW address group list. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:ipGroup:listIpGroupMember | Grants permission to list cfw ip group members. | list | cfw:<region>:<account-id>:ipGroup:<ipGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:ipGroup:updateIpGroup | Grants the permission to update a CFW address group. | write | cfw:<region>:<account-id>:ipGroup:<ipGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:serviceGroup:updateServiceGroupMember | Grants the permission to change the members in a CFW service group. | write | cfw:<region>:<account-id>:serviceGroup:<serviceGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:serviceGroup:create | Grants the permission to create a CFW service group member. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:serviceGroup:createServiceGroupMember | Grants the permission to create a CFW service group member. | write | cfw:<region>:<account-id>:serviceGroup:<serviceGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:serviceGroup:delete | Grants the permission to delete a CFW service group. | write | cfw:<region>:<account-id>:serviceGroup:<serviceGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:serviceGroup:deleteServiceGroupMember | Grants the permission to delete a member from a CFW service group. | write | cfw:<region>:<account-id>:serviceGroup:<serviceGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:serviceGroup:get | Grants the permission to query a CFW service group. | read | cfw:<region>:<account-id>:serviceGroup:<serviceGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:serviceGroup:list | Grants the permission to query the CFW service group list. | list | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:serviceGroup:listServiceGroupMember | Grants permission to list cfw service group members. | list | cfw:<region>:<account-id>:serviceGroup:<serviceGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:serviceGroup:update | Grants the permission to update a CFW service group. | write | cfw:<region>:<account-id>:serviceGroup:<serviceGroup-id> * | - |
| | | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:enableMultiAccount | Grants the permission to enable CFW multi-account management. | write | - | - |
cfw:instance:listAccounts | Grants the permission to view the multi-account list. | list | - | - |
cfw:instance:listOrganizationTree | Grants the permission to view the organization tree. | list | - | - |
cfw:instance:addAccount | Grants the permission to add an account. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:deleteAccount | Grants the permission to delete an account. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getProtectedVpc | Grants the permission to view the details about a VPC protected by CFW. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:deleteProtectedVpc | Grants the permission to delete a VPC protected by CFW. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:addProtectedVpc | Grants the permission to add a VPC protected by CFW. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:updateProtectedVpc | Grants the permission to update a VPC protected by CFW. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:updateAntiVirusStatus | Grants the permission to update the antivirus status of CFW. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getAntiVirusStatus | Grants the permission to query the antivirus status of CFW. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:updateAntiVirusRule | Grants the permission to update a CFW antivirus rule. | write | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
cfw:instance:getAntiVirusRule | Grants the permission to query a CFW antivirus rule. | read | cfw:<region>:<account-id>:instance:<fwInstance-id> * | |
Each API of CFW usually supports one or more actions. Table 2 lists the supported actions and dependencies.
API | Action | Dependencies |
---|---|---|
GET /v1/{project_id}/cfw/logs/flow | cfw:instance:listFlowLog | - |
GET /v1/{project_id}/cfw/logs/access-control | cfw:instance:listAccessControlLog | - |
GET /v1/{project_id}/cfw/logs/attack | cfw:instance:listAttackLog | - |
PUT /v1/{project_id}/cfw/logs/configuration | cfw:instance:updateLogConfig | - |
GET /v1/{project_id}/dns/servers | cfw:instance:listDomainParseServers | - |
PUT /v1/{project_id}/dns/servers | cfw:instance:updateDomainParseServer | - |
PUT /v1/{project_id}/domain-set/{set_id} | cfw:domainGroup:update | - |
DELETE /v1/{project_id}/domain-set/{set_id} | cfw:domainGroup:delete | - |
GET /v1/{project_id}/domain-sets | cfw:domainGroup:list | - |
Resources
A resource type indicates the resources that an SCP applies to. If you specify a resource type for any action in Table 3, the resource URN must be specified in the SCP statements using that action, and the SCP applies only to resources of this type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the SCP applies to all resources. You can also set condition keys in an SCP to define resource types.
The following table lists the resource types that you can define in SCP statements for CFW.
Resource Type | URN |
---|---|
instance | cfw:<region>:<account-id>:instance:<fwInstance-id> |
acl | cfw:<region>:<account-id>:acl:<acl-id> |
ipGroup | cfw:<region>:<account-id>:ipGroup:<ipGroup-id> |
serviceGroup | cfw:<region>:<account-id>:serviceGroup:<serviceGroup-id> |
blackWhiteList | cfw:<region>:<account-id>:blackWhiteList:<blackWhiteList-id> |
domainGroup | cfw:<region>:<account-id>:domainGroup:<domainGroup-id> |
eip | cfw:<region>:<account-id>:eip:<eip-id> |
Conditions
CFW does not support service-specific condition keys in SCPs.
It can only use global condition keys applicable to all services. For details, see Global Condition Keys.
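The rules in the Actions, Resources, and Conditions sections can be checked mechanically before an SCP is attached. The following linter is an added example, not code from the CFW or Organizations documentation. It assumes a statement is a dictionary with `Action`, `Resource`, and `Condition` keys named after the elements described on this page, that action names may contain `*` wildcards, and that global condition keys are the ones prefixed `g:`. The sample statements, the `StringEquals`/`StringNotEquals` operator names, and the `cfw:InstanceName` key are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Subset of the action table on this page: action -> supported resource types.
# An empty tuple means the Resource Type column is "-".
ACTION_RESOURCE_TYPES = {
    "cfw:acl:createAclRule": ("instance",),
    "cfw:acl:deleteAclRule": ("acl", "instance"),
    "cfw:eip:updateProtectStatus": ("eip",),
    "cfw:instance:checkNameRepeat": (),
    "cfw:instance:enableMultiAccount": (),
}

# URN layout from the Resources table: cfw:<region>:<account-id>:<type>:<id>
URN_RE = re.compile(r"^cfw:[^:]*:[^:]*:([A-Za-z]+):.+$")


def lint_statement(stmt):
    """Return a list of findings for one SCP statement (assumed dict shape)."""
    findings = []
    resources = stmt.get("Resource", ["*"])
    for pattern in stmt.get("Action", []):
        # Assumption: "*" in an action name matches any run of characters.
        matched = [a for a in ACTION_RESOURCE_TYPES if fnmatchcase(a, pattern)]
        if not matched:
            findings.append(f"{pattern}: matches no action in the local table")
        for action in matched:
            allowed = ACTION_RESOURCE_TYPES[action]
            for res in resources:
                if res == "*":
                    continue  # all resources is always acceptable
                m = URN_RE.match(res)
                if m is None:
                    findings.append(f"{action}: malformed URN {res}")
                elif not allowed:
                    findings.append(
                        f"{action}: no resource-level permissions, use '*'")
                elif m.group(1) not in allowed:
                    findings.append(
                        f"{action}: resource type {m.group(1)} not supported")
    # CFW defines no service-specific condition keys, so only global keys
    # (assumed here to be the "g:" prefixed ones) are accepted.
    for keys in stmt.get("Condition", {}).values():
        for key in keys:
            if not key.startswith("g:"):
                findings.append(f"{key}: not a global condition key")
    return findings


# Constructed sample statements.
GOOD = {
    "Effect": "Deny",
    "Action": ["cfw:acl:deleteAclRule"],
    "Resource": ["cfw:*:*:acl:*"],
    "Condition": {"StringNotEquals": {"g:EnterpriseProjectId": ["0"]}},
}
BAD = {
    "Effect": "Deny",
    "Action": ["cfw:instance:checkNameRepeat", "cfw:acl:createAclRule"],
    "Resource": ["cfw:*:*:acl:*"],
    "Condition": {"StringEquals": {"cfw:InstanceName": ["prod-fw"]}},
}

if __name__ == "__main__":
    for name, stmt in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_statement(stmt))
```

To cover the whole service, extend `ACTION_RESOURCE_TYPES` with the remaining rows of the action table.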