Creating an IAM User and Granting Permissions to Access Config

You can use Identity and Access Management (IAM) to implement fine-grained permissions control for your Config resources. With IAM, you can:

  • Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing Config resources.

  • Grant users only the permissions required to perform a given task based on their job responsibilities.

  • Entrust an account or a cloud service to perform efficient O&M on your Config resources.

If your account meets your permissions requirements, you can skip this section.

Figure 1 shows the process flow of granting Config permissions.

Prerequisites

Before granting permissions, learn about permissions for Config. To grant permissions for other services, see permissions.

Process Flow

**Figure 1** Process of granting Config permissions

  1. On the IAM console, create a user group and assign permissions to it (this example uses the Config ReadOnlyAccess policy).

  2. Create an IAM user and add it to the created group.

  3. Log in as the IAM user and verify permissions.

    In the authorized region, perform the following operations:

    • Choose Service List > Config. In the navigation pane on the left, click Resource Compliance. On the displayed page, click Add Rule on the Rules tab. If a message appears indicating that you have insufficient permissions to perform the operation, the Config ReadOnlyAccess policy is in effect.

    • Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the Config ReadOnlyAccess policy is in effect.

    • Choose Service List > Config and check whether you can view queries on the Advanced Queries page. If yes, the Config ReadOnlyAccess policy is in effect.