Updated on 2025-11-14 GMT+08:00

Overview of Control Policies

SWR supports multiple control policies, including IAM-based access control, SCP-based access control, RCP-based access control, NCP-based access control, and VPC Endpoint policy-based access control. You can use different control policies based on security requirements.

IAM-based Access Control

Identity and Access Management (IAM) provides permissions management for secure access to your Huawei Cloud services and resources. For details about how to use IAM to control access to SWR, see Configuring Permissions in IAM.

SCP-based Access Control

Service Control Policies (SCPs) are guardrail policies provided by Organizations. The management account can use SCPs to limit the permissions that can be assigned to member accounts in an organization. You can attach an SCP to your organization, OUs, or member accounts. Any SCP attached to an organization or OU affects all the accounts within the organization or under the OU. For details, see Service Control Policies Overview.

The organization here refers to the organization in the Organizations service, not the organization in SWR.

RCP-based Access Control

Resource Control Policies (RCPs) are guardrail policies provided by Organizations. An RCP limits the maximum permissions allowed for access to a resource. RCPs restrict access to resources in member accounts of an organization. An organization administrator can set RCPs in an organization to ensure that access to resources in the member accounts meets security and compliance requirements.

The organization here refers to the organization in the Organizations service, not the organization in SWR.

NCP-based Access Control

Network Control Policies (NCPs) are guardrail policies provided by Organizations. An NCP limits the maximum permissions allowed for access from a VPC endpoint. NCPs restrict access over the VPC endpoints created by the member accounts in an organization. An organization administrator can set NCPs in an organization to ensure that access over the VPC endpoints created by member accounts meets security and compliance requirements.

The organization here refers to the organization in the Organizations service, not the organization in SWR.

VPC Endpoint Policy-based Access Control

VPC endpoint policies are a type of resource-based policy. You can configure a policy to control which principals can use the VPC endpoint to access VPC endpoint services. For details, see Managing Policies for VPC Endpoints.

Virtual Private Cloud (VPC) is used to control network border security. If the API access point of a resource is within the VPC of your account, access stays within the VPC and security is controllable (the VPC can be considered a network security domain). If the API access point is exposed to a public network, the network attack surface is large and security is hard to control.

After a control policy is configured, anonymous downloads of public images are also subject to that control policy.