Updated on 2025-07-03 GMT+08:00

Using CTS to Monitor the Operation of Creating an IAM User

Identity and Access Management (IAM) is a Huawei Cloud basic service that helps you manage access permissions for your Huawei cloud services and resources. You can use IAM's user management function to create IAM users for employees or applications and assign resources to them.

CTS can collect, store, and query records of key operations on IAM. These records can be used for security analysis, compliance audits, resource tracking, and fault locating.

This section describes how to use operation audit and key event notification of CTS to monitor the operation of creating an IAM user and send an alarm by email.

Restrictions

IAM is a global service. You need to configure key event notification on the CTS console in the central region (CN-Hong Kong) to use the function.

Preparations

  1. Grant the CTS operation permissions to a user.
    • If you log in to the Huawei Cloud console as the account owner, skip this step.
    • If you log in to the Huawei Cloud console as an IAM user, first contact your CTS administrator (account owner or a user in the admin user group) to obtain the CTS FullAccess permissions. For details, see Assigning Permissions to an IAM User.
  2. To use the key event notification function on the CTS console, enable Simple Message Notification (SMN), create a topic (name: cts-test), and add a subscription (protocol: email). For details, see Creating a Topic and Adding a Subscription.

    Creating a topic and adding an email subscription in SMN incur additional charges. For details, see Product Pricing Details.

Step 1: Enable CTS and Configure a System Tracker

  1. Log in to the CTS console.
  2. In the navigation pane on the left, choose Tracker List.
  3. Click Enable CTS in the upper right corner. A management tracker named system is automatically created.
  4. Click Configure in the Operation column in the row of the management tracker (named system).

    Figure 1 Configuring the tracker

  5. Configure the basic information of the tracker and click Next.

    | Parameter | Description | Requirements |
    |---|---|---|
    | Tracker Name | The default value is system and cannot be changed. | system |
    | Enterprise Project | If you have enabled enterprise project management for your account, select an enterprise project. NOTE: Enterprise projects allow you to manage cloud resources and users by project. For details about how to enable them, see Creating an Enterprise Project. | default |
    | Excluding DEW traces | This parameter is deselected by default. If this parameter is selected, the createDataKey and decryptDatakey operations on DEW will not be transferred to OBS/LTS. NOTE: For details about DEW audit operations, see Operations supported by CTS. | Deselect |

  6. On the transfer configuration page, disable Transfer to OBS and Transfer to LTS. This practice does not use the transfer function.
  7. Click Next and click Configure. The system tracker is configured. You can then check the tracker details on the Tracker List page.

Step 2: Create a Key Event Notification

  1. On the CTS console, choose Key Event Notifications in the navigation pane on the left.
  2. On the Key Event Notifications page, click Create Key Event Notification.
  3. Set the key event notification parameters according to the requirements in the following table, and click the confirm button.

    Figure 2 Creating a key event notification

    Table 1 Setting parameters

    | Parameter | Description | Requirements |
    |---|---|---|
    | Notification Name | Enter a notification name. This is used to identify and distinguish key event notifications. | Alarm for creating an IAM user |
    | Operation Type | Select All or Custom as required. | Custom |
    | Operation List | If Operation Type is set to Custom, you can specify the operations that will trigger notifications. | Service Type: IAM; Resource Type: user; Operation Name: createUser |
    | Advanced Filter | You can set an advanced filter to specify the operations that will trigger notifications. | Skip |
    | User Type | SMN messages will be sent to subscribers when the specified users perform key operations. | Do not specify |
    | Send Notification | If Send Notification is set to Yes, you need to create a cloud service agency and select an SMN topic. If you do not want to send notifications, no further action is required. | Send |
    | Create a cloud service agency | If you select this check box, CTS automatically creates a cloud service agency when you create a key event notification. The agency authorizes you to use SMN. | Select |
    | SMN Topic | You can select an existing topic or click Create Topic to create one on the SMN service page. | cts-test |

Step 3: Create an IAM User and Check Whether an Alarm Is Triggered

  1. Log in to the IAM console and create an IAM user. For details, see Creating an IAM User.
  2. Wait for the email notification about the creation of the IAM user to arrive at the subscribed email address.
  3. Confirm that you have received the email alarm about creating an IAM user. Receiving it shows that CTS can monitor the operation of creating an IAM user.
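
The following is an added example, not part of the original page and not Huawei Cloud code: the Table 1 rule expressed as a filter and run over constructed trace records, useful for checking exported traces offline against the events the notification is expected to fire on. The rule keys, the trace field layout, and all sample values are assumptions made for illustration.

```python
import json

# Rule mirroring Table 1. Key names are this example's own, not a CTS schema.
RULE = {
    "name": "Alarm for creating an IAM user",
    "operation_type": "Custom",  # "All" would match every trace
    "operations": [{"service_type": "IAM", "resource_type": "user",
                    "trace_names": {"createUser"}}],
    "users": set(),              # empty set = User Type "Do not specify"
}

# Constructed sample traces (assumed field layout, documentation-range IPs).
SAMPLE_TRACES = json.loads("""[
 {"time": "2025-07-03T02:10:11Z", "service_type": "IAM", "resource_type": "user",
  "trace_name": "createUser", "trace_status": "normal", "resource_name": "app-deploy",
  "source_ip": "203.0.113.10", "user": {"name": "alice"}},
 {"time": "2025-07-03T02:12:40Z", "service_type": "IAM", "resource_type": "user",
  "trace_name": "deleteUser", "trace_status": "normal", "resource_name": "old-svc",
  "source_ip": "203.0.113.10", "user": {"name": "alice"}},
 {"time": "2025-07-03T03:01:05Z", "service_type": "ECS", "resource_type": "ecs",
  "trace_name": "createServer", "trace_status": "normal", "resource_name": "web-01",
  "source_ip": "198.51.100.7", "user": {"name": "bob"}},
 {"time": "2025-07-03T04:30:59Z", "service_type": "IAM", "resource_type": "user",
  "trace_name": "createUser", "trace_status": "warning", "resource_name": "tmp-admin",
  "source_ip": "198.51.100.7", "user": {"name": "bob"}}
]""")


def matches(rule, trace):
    """Return True if the trace would trigger the notification rule."""
    operator = trace.get("user", {}).get("name")
    if rule["users"] and operator not in rule["users"]:
        return False
    if rule["operation_type"] == "All":
        return True
    return any(trace.get("service_type") == op["service_type"]
               and trace.get("resource_type") == op["resource_type"]
               and trace.get("trace_name") in op["trace_names"]
               for op in rule["operations"])


def alerts(rule, traces):
    """Build one alert line per matching trace, failed attempts included."""
    return [f'[{rule["name"]}] {t["time"]} {t["user"]["name"]}@{t["source_ip"]} '
            f'{t["trace_name"]} {t["resource_name"]} status={t["trace_status"]}'
            for t in traces if matches(rule, t)]


if __name__ == "__main__":
    print("\n".join(alerts(RULE, SAMPLE_TRACES)))
```

In this constructed data, only the two createUser traces match; the deleteUser and ECS traces are ignored because Operation Type is Custom.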