Access Mode Check
Rule Details
| Parameter | Description |
|---|---|
| Rule Name | iam-user-access-mode |
| Identifier | iam-user-access-mode |
| Description | If an IAM user has both console and API access enabled, this user is noncompliant. |
| Tag | iam |
| Trigger Type | Configuration change |
| Filter Type | iam.users |
| Configure Rule Parameters | None |
Applicable Scenario
This rule ensures that an IAM user cannot access cloud services through both the console and APIs. There are two methods for accessing a cloud service:
- Programmatic access: Users access cloud services by using development tools, such as APIs, CLI, and SDKs with access keys.
- Management console access: Users access cloud services through the management console with passwords.

It is advised not to use passwords for programmatic access.
Solution
You can allow IAM users to access cloud services either using programmatic methods or through the console. Ensure that an IAM user does not have both a password and an access key.
Rule Logic
- If an IAM user is disabled, this user is compliant.
- If an IAM user is enabled, but is not allowed to access cloud services by using both the programmatic methods and the management console, this user is compliant.
- If an enabled IAM user does not have both an access key and a password, this IAM user is compliant.
- If an IAM user does not meet any of the above conditions, this user is noncompliant.
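The rule logic above can be expressed as an ordered set of checks. The following is an added example, not code from the service: the `IamUser` field names and the sample users are constructed for illustration and do not reflect the actual resource schema.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class IamUser:
    # Hypothetical fields; the real iam.users resource schema may differ.
    name: str
    enabled: bool
    console_access: bool        # allowed to sign in to the management console
    programmatic_access: bool   # allowed to use APIs, CLI, and SDKs
    has_password: bool
    access_key_count: int


def evaluate(user: IamUser) -> tuple[str, str]:
    """Return (result, reason), applying the Rule Logic conditions in order."""
    if not user.enabled:
        return "compliant", "user is disabled"
    if not (user.console_access and user.programmatic_access):
        return "compliant", "only one access mode is allowed"
    if not (user.has_password and user.access_key_count > 0):
        return "compliant", "user does not hold both a password and an access key"
    return "noncompliant", "both access modes allowed, with a password and an access key"


# Constructed sample inventory (not real accounts).
USERS = [
    IamUser("ci-deployer", True, False, True, False, 1),   # programmatic only
    IamUser("ops-alice", True, True, False, True, 0),      # console only
    IamUser("legacy-admin", True, True, True, True, 2),    # both modes, both credentials
    IamUser("former-staff", False, True, True, True, 1),   # disabled, so exempt
    IamUser("new-hire", True, True, True, True, 0),        # both modes, no access key yet
]


def noncompliant(users: list[IamUser]) -> list[str]:
    """Names of users the rule would flag."""
    return [u.name for u in users if evaluate(u)[0] == "noncompliant"]


if __name__ == "__main__":
    for u in USERS:
        result, reason = evaluate(u)
        print(f"{u.name:13} {result:13} {reason}")
```

A disabled user is exempt even when it still holds both credentials, so stale access keys on disabled accounts need a separate review.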