Updated on 2024-07-11 GMT+08:00

Enabling CTS

CTS records operations performed on cloud resources in your account. The operation logs can be used to perform security analysis, track resource changes, perform compliance audits, and locate faults.

It is recommended that you enable the CTS service to record key IAM operations, such as creating and deleting users.

Procedure

  1. Log in to the management console.
  2. If you log in to Huawei Cloud using an account, go to 3. If you log in as an IAM user, request the administrator to grant you the following permissions:

    • Security Administrator
    • CTS FullAccess

    For details, see Assigning Permissions to an IAM User.

  3. Choose Service List > Management & Governance > Cloud Trace Service.
  4. On the displayed authorization page, click Enable and Authorize.

    • When using CTS, you must have the required permissions for relevant operations, but do not need to be granted the Security Administrator role again.
    • After you enable CTS, the system automatically creates two trackers to record management traces, that is, operations (such as creation, login, and deletion) performed on all cloud resources.
      • In the current region, a tracker is created to record management traces of all project-level services deployed in this region.
      • In the CN-Hong Kong region, a tracker is created to record management traces of all global services, such as IAM.

CTS records all operations performed on IAM, such as creating users and user groups. Table 1 shows the IAM operations that can be recorded by CTS.
Table 1 IAM operations that can be recorded by CTS

Operation

Resource Type

Trace Name

Logging in

user

login

Logging failed (HUAWEI ID login failures not included)

user

loginFailed

Logging out

user

logout

Logging in using a QR code

user

scanQRCodeLogin

Logging failed using a QR code

user

scanQRCodeLoginFailed

Logging in via OpenID Connect

user

oidcLoginSuccess

Logging failed via OpenID Connect

user

oidcLoginFailed

Logging in via SSO

user

iamUserSsoLoginSuccess

Logging failed via SSO

user

iamUserSsoLoginFailed

Resetting the password

user

fpwdResetSuccess

Creating an IAM user

user

createUser

Changing the email address or mobile number

user

updateUser

Deleting a user

user

deleteUser

Changing the password

user

updateUserPwd

Setting a password for a user (by the administrator)

user

updateUserPwd

Modifying login protection of an IAM user

user

modifyLoginProtect

Changing the mobile number using an email

user

changeMobileByEmail

Changing the password using an email

user

updateUserPwdByEmail

Successful initial login as a federated user

user

tenantLoginBySamlSuccess

Successful login using cached information as a federated user

user

federationLoginNoPwdSuccess

Logging in failed using cached information as a federated user

user

federationLoginNoPwdFailed

Creating a user group

userGroup

createGroup

Modifying a user group

userGroup

updateGroup

Deleting a user group

userGroup

deleteGroup

Adding users to a user group

userGroup

addUserToGroup

Removing users from a user group

userGroup

removeUserFromGroup

Unbinding a virtual MFA device

MFA

UnBindMFA

Binding a virtual MFA device

MFA

BindMFA

Creating a project

project

createProject

Modifying a project

project

updateProject

Deleting a project

project

deleteProject

Creating an agency

agency

createAgency

Modifying an agency

agency

updateAgency

Deleting an agency

agency

deleteAgency

Switching an agency

agency

switchRole

Assigning all project permissions to an agency

agency

updateAgencyInheritedGrants

Revoking all project permissions from an agency

agency

deleteAgencyInheritedGrants

Assigning global service permissions to an agency

agency

updateAgencyAssignsByRole

Assigning global service permissions to an agency (API)

roleAgencyDomain

assignRoleToAgencyOnDomain

Updating agency permissions

agency

updateAgencyAssignsByRole

Registering an identity provider

identityProvider

createIdentityProvider

Modifying an identity provider

identityProvider

updateIdentityProvider

Deleting an identity provider

identityProvider

deleteIdentityProvider

Updating an identity conversion rule

identityProvider

updateMapping

Updating the identity provider metadata

identityProvider

metadataConfiguration

Manually editing metadata of a preset IdP

identityProvider

metadataConfiguration

Registering a mapping

mapping

createMapping

Updating a mapping

mapping

updateMapping

Deleting a mapping

mapping

deleteMapping

Registering a protocol

identityProvider

createProtocol

Updating a protocol

identityProvider

updateProtocol

Deleting a protocol

identityProvider

deleteProtocol

Revoking global service permissions from an agency

roleAgencyDomain

unassignRoleToAgencyOnDomain

Assigning project permissions to an agency

roleAgencyProject

assignRoleToAgencyOnProject

Revoking project permissions from an agency

roleAgencyProject

unassignRoleToAgencyOnProject

Modifying the login authentication policy

SecurityPolicy

modifySecurityPolicy

Modifying the password policy

SecurityPolicy

modifySecurityPolicy

Modifying the ACL

SecurityPolicy

modifySecurityPolicy

Modifying the login authentication policy

loginpolicy

securitypolicy

Modifying the password policy

passwordpolicy

securitypolicy

Modifying the ACL

acl

securitypolicy

Creating an account

domain

createDomain

Update an account

domain

updateDomain

Delete an account

domain

deleteDomain

Logging failed via OpenID Connect

domain

oidcLoginFailed

Creating a custom policy

Policy

createRole

Modifying a custom policy

Policy

updateRole

Deleting a custom policy

Policy

deleteRole

Assigning global service permissions to a user group (API)

assignment

createAssignment

Assigning global service permissions to a user group

group

updateGroupAssignsByRole

Revoking global service permissions from a user group

assignment

deleteAssignment

Creating a permanent AK/SK

credential

createCredential

Updating a permanent access key (AK/SK)

credential

updateCredential

Deleting a permanent access key (AK/SK)

credential

deleteCredential

Disabling or enabling an access key (AK/SK)

credential

updateCredential

Assigning permissions to users or enterprise projects

assignment

grantRoleToUserOnEnterpriseProject

Revoking permissions from users or enterprise projects

enterpriseProject

revokeRoleFromUserOnEnterpriseProject

Updating user group permissions for enterprise projects

enterpriseProject

updateRoleFromGroupOnEnterpriseProject

Creating a user group

group

createGroup

Deleting a user group

group

deleteGroup