Security Auditing on Permissions of IAM Users
Scenario
Enterprise users usually need to periodically audit the permissions of the IAM users created in the public cloud, to ensure that each IAM user holds only the permissions required for its tasks. Generally, only account administrators and auditors hold IAM administration permissions; ordinary IAM users should not. Such periodic security audits can be automated through the IAM APIs.
This section describes how to audit the permissions of IAM users by calling the IAM APIs. The same sequence of calls can be scripted to run the audit periodically.
Prerequisites
To audit IAM user permissions as an auditor, ensure that you have been assigned the IAM ReadOnlyAccess policy (recommended) or Security Administrator role.
General Procedure
To audit the permissions of IAM users, perform the following procedure:
- List all the user groups.
- Query the permissions of each user group for the global service project.
- Query the permissions of each user group for region-specific projects.
- Determine the permissions to be audited and query the IAM users in each user group that has been assigned these permissions.
The following APIs will be used in this example:
- Listing User Groups
- Querying Permissions of a User Group for the Global Service Project
- Querying Permissions of a User Group for a Region-specific Project
- Querying the IAM Users in a Group
Step 1: List All the User Groups
URI: GET /v3/groups
For details about the API, see Listing User Groups.
- Example Request
GET https://iam.myhuaweicloud.com/v3/groups
- Example Response
{
    "groups": [
        {
            "create_time": 1536293929624,
            "description": "IAMDescription",
            "domain_id": "d78cbac186b744899480f25bd022....",
            "id": "5b050baea9db472c88cbae67e8d6....",
            "links": {
                "self": "https://iam.myhuaweicloud.com/v3/groups/5b050baea9db472c88cbae67e8d6...."
            },
            "name": "IAMGroupA"
        },
        {
            "create_time": 1578107542861,
            "description": "IAMDescription",
            "domain_id": "d78cbac186b744899480f25bd022....",
            "id": "07609e7eb200250a3f7dc003cb7a....",
            "links": {
                "self": "https://iam.myhuaweicloud.com/v3/groups/07609e7eb200250a3f7dc003cb7a...."
            },
            "name": "IAMGroupB"
        }
    ],
    "links": {
        "self": "https://iam.myhuaweicloud.com/v3/groups"
    }
}
Step 2: Query Permissions of Each User Group for the Global Service Project
URI: GET /v3/domains/{domain_id}/groups/{group_id}/roles
For details about the API, see Querying Permissions of a User Group for the Global Service Project.
- Example Request
GET https://iam.myhuaweicloud.com/v3/domains/{domain_id}/groups/{group_id}/roles
- Example Response
{
    "links": {
        "self": "https://iam.myhuaweicloud.com/v3/domains/d78cbac186b744899480f25bd022f468/groups/077d71374b8025173f61c003ea0a11ac/roles"
    },
    "roles": [
        {
            "catalog": "CDN",
            "description": "Allow Query Domains",
            "description_cn": "Description of the permission in Chinese",
            "display_name": "CDN Domain Viewer",
            "flag": "fine_grained",
            "id": "db4259cce0ce47c9903dfdc195eb....",
            "links": {
                "self": "https://iam.myhuaweicloud.com/v3/roles/db4259cce0ce47c9903dfdc195eb...."
            },
            "name": "system_all_11",
            "policy": {
                "Statement": [
                    {
                        "Action": [
                            "cdn:configuration:queryDomains",
                            "cdn:configuration:queryOriginServerInfo",
                            "cdn:configuration:queryOriginConfInfo",
                            "cdn:configuration:queryHttpsConf",
                            "cdn:configuration:queryCacheRule",
                            "cdn:configuration:queryReferConf",
                            "cdn:configuration:queryChargeMode",
                            "cdn:configuration:queryCacheHistoryTask",
                            "cdn:configuration:queryIpAcl",
                            "cdn:configuration:queryResponseHeaderList"
                        ],
                        "Effect": "Allow"
                    }
                ],
                "Version": "1.1"
            },
            "type": "AX"
        }
    ]
}
Step 3: Query Permissions of Each User Group for Region-specific Projects
URI: GET /v3/projects/{project_id}/groups/{group_id}/roles
For details about the API, see Querying Permissions of a User Group for a Region-specific Project.
- Example Request
GET https://iam.myhuaweicloud.com/v3/projects/{project_id}/groups/{group_id}/roles
- Example Response
{
    "links": {
        "self": "https://iam.myhuaweicloud.com/v3/projects/065a7c66da0010992ff7c0031e5a..../groups/077d71374b8025173f61c003ea0a..../roles"
    },
    "roles": [
        {
            "catalog": "AOM",
            "description": "AOM read only",
            "description_cn": "Description of the permission in Chinese",
            "display_name": "AOM Viewer",
            "flag": "fine_grained",
            "id": "75cfe22af2b3498d82b655fbb39d....",
            "links": {
                "self": "https://iam.myhuaweicloud.com/v3/roles/75cfe22af2b3498d82b655fbb39d...."
            },
            "name": "system_all_30",
            "policy": {
                "Statement": [
                    {
                        "Action": [
                            "aom:*:list",
                            "aom:*:get",
                            "apm:*:list",
                            "apm:*:get"
                        ],
                        "Effect": "Allow"
                    }
                ],
                "Version": "1.1"
            },
            "type": "XA"
        }
    ]
}
Step 4: Determine the Permissions to Be Audited and Query IAM Users Granted These Permissions
URI: GET /v3/groups/{group_id}/users
For details about the API, see Querying the IAM Users in a Group. Run this query only for the groups whose roles returned in Step 2 or Step 3 grant the permissions you are auditing. A user who belongs to several groups holds the union of those groups' permissions, so report each user once, together with every group that contributed an audited permission. Note that the response also carries the enabled flag: a disabled user that still sits in a group with IAM administration permissions is a finding as well.
- Example Request
GET https://iam.myhuaweicloud.com/v3/groups/{group_id}/users
- Example Response
{
    "links": {
        "self": "https://iam.myhuaweicloud.com/v3/groups/07609e7eb200250a3f7dc003cb7a..../users"
    },
    "users": [
        {
            "description": "--",
            "domain_id": "d78cbac186b744899480f25bd022....",
            "enabled": true,
            "id": "07609fb9358010e21f7bc003751c....",
            "last_project_id": "065a7c66da0010992ff7c0031e5a....",
            "links": {
                "self": "https://iam.myhuaweicloud.com/v3/users/07609fb9358010e21f7bc003751c...."
            },
            "name": "IAMUserA",
            "pwd_status": true
        },
        {
            "description": "",
            "domain_id": "d78cbac186b744899480f25bd022....",
            "enabled": true,
            "id": "076837351e80251c1f0fc003afe4....",
            "last_project_id": "065a7c66da0010992ff7c0031e5a....",
            "links": {
                "self": "https://iam.myhuaweicloud.com/v3/users/076837351e80251c1f0fc003afe4...."
            },
            "name": "IAMUserB",
            "pwd_status": true
        }
    ]
}
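The following script chains Steps 1 to 4 into one audit run. It is an added example, not Huawei Cloud's own code or SDK. It assumes only the four IAM v3 endpoints shown on this page and that the caller passes an IAM token in the X-Auth-Token header; the IAM action names in IAM_ADMIN_ACTIONS, the group, user, domain and project IDs, and the sample responses are all constructed for the offline run and are not taken from the page. The one detail worth noting is the matching: policy actions in the responses above carry wildcards (for example "aom:*:list"), so a plain string comparison against the audited actions would miss a group that holds "iam:*:*". The script therefore treats each Allow action as a pattern and matches the audited action names against it.

```python
# Added example (not Huawei Cloud's own code): runs Steps 1-4 of the audit and
# reports which IAM users sit in a group whose roles grant any audited action.
# Assumptions: the four IAM v3 endpoints shown on the page, X-Auth-Token for
# authentication, and constructed sample responses for the offline run.
import fnmatch
import json
import urllib.request

IAM_ENDPOINT = "https://iam.myhuaweicloud.com"

# IAM administration actions an ordinary user should never hold (assumed names).
IAM_ADMIN_ACTIONS = (
    "iam:users:createUser",
    "iam:groups:createGroup",
    "iam:permissions:grantRoleToGroup",
)


def make_http_fetch(token, endpoint=IAM_ENDPOINT):
    """Build fetch(path) -> dict against the live API (X-Auth-Token is an assumption)."""
    def fetch(path):
        req = urllib.request.Request(endpoint + path, headers={"X-Auth-Token": token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def allowed_actions(roles):
    """Yield every Action pattern from the Allow statements of the given roles.
    Deny statements are skipped: this audit reports grants, not effective access."""
    for role in roles:
        for stmt in role.get("policy", {}).get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])
            yield from ([actions] if isinstance(actions, str) else actions)


def matching_actions(roles, audited):
    """Audited actions covered by the roles. Policy actions can carry wildcards
    ("aom:*:list", "iam:*:*"), so each is treated as a pattern over the audited name."""
    patterns = list(allowed_actions(roles))
    return {a for a in audited if any(fnmatch.fnmatchcase(a, p) for p in patterns)}


def audit_users(fetch, domain_id, project_ids, audited=IAM_ADMIN_ACTIONS):
    """Steps 1-4: group list -> global roles -> project roles -> users of flagged groups.
    Returns {user_name: {"groups": [...], "actions": {...}, "enabled": bool}}."""
    findings = {}
    for group in fetch("/v3/groups")["groups"]:                                      # Step 1
        gid = group["id"]
        roles = list(fetch(f"/v3/domains/{domain_id}/groups/{gid}/roles")["roles"])  # Step 2
        for pid in project_ids:                                                       # Step 3
            roles.extend(fetch(f"/v3/projects/{pid}/groups/{gid}/roles")["roles"])
        hits = matching_actions(roles, audited)
        if not hits:
            continue
        for user in fetch(f"/v3/groups/{gid}/users")["users"]:                       # Step 4
            entry = findings.setdefault(
                user["name"], {"groups": [], "actions": set(), "enabled": user["enabled"]})
            entry["groups"].append(group["name"])
            entry["actions"] |= hits
    return findings


# ---- Constructed sample responses (shape follows the page's examples) --------
def make_role(catalog, *actions):
    return {"catalog": catalog,
            "policy": {"Statement": [{"Action": list(actions), "Effect": "Allow"}],
                       "Version": "1.1"}}


SAMPLE = {
    "/v3/groups": {"groups": [{"id": "gA", "name": "IAMGroupA"},
                              {"id": "gB", "name": "IAMGroupB"}]},
    "/v3/domains/dom1/groups/gA/roles": {"roles": [make_role("IAM", "iam:*:*")]},  # wildcard
    "/v3/domains/dom1/groups/gB/roles": {"roles": [make_role("CDN", "cdn:configuration:queryDomains")]},
    "/v3/projects/proj1/groups/gA/roles": {"roles": []},
    "/v3/projects/proj1/groups/gB/roles": {"roles": [make_role("AOM", "aom:*:list", "aom:*:get")]},
    "/v3/groups/gA/users": {"users": [{"name": "IAMUserA", "enabled": True},
                                      {"name": "IAMUserB", "enabled": False}]},
    "/v3/groups/gB/users": {"users": [{"name": "IAMUserB", "enabled": False}]},
}


def sample_fetch(path):
    """Offline stand-in for make_http_fetch(); serves the constructed responses."""
    return SAMPLE[path]


if __name__ == "__main__":
    for name, f in sorted(audit_users(sample_fetch, "dom1", ["proj1"]).items()):
        print(f"{name}: groups={f['groups']} actions={sorted(f['actions'])} enabled={f['enabled']}")
```

Against the live API, replace sample_fetch with make_http_fetch(token) and pass your domain ID and the IDs of the region-specific projects you want covered; the page does not list a project-enumeration call, so the caller supplies them. In the constructed data only IAMGroupA is flagged, because its "iam:*:*" grant matches every audited action, while the CDN and AOM viewer roles of IAMGroupB match none; IAMUserB is reported with enabled=False, which is still a finding to act on.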