Permissions¶

If you need to assign different permissions to employees in your enterprise, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you flexibly manage resource access.

You can create users using IAM and grant users permissions to implement access control.

If your account does not need individual IAM users for permissions management, skip this chapter.

System-Defined Permissions for Config¶

By default, new IAM users do not have permissions. You need to add a user to one or more groups and attach policies to the user groups. Users in a group inherit permissions from the group, so that they can perform operations on cloud services based on the permissions.

Config is a global service. You do not need to repeat Config authorization for different regions or switch regions for accessing Config.

A user with Config read-only permissions can view all resources on the Resource List page.

Policy: A type of fine-grained authorization method that defines permissions required to perform operations on specific cloud resources under certain conditions. Authorization using policies is more flexible and help you implement least privilege. Most policies define permissions based on APIs. API actions are the minimum granularity of permissions. For API actions supported by Config, see the Permissions Policies and Supported Actions section in Config API Reference. For details about fine-grained permissions and their dependencies for Config, see Fine-Grained Permissions for Config.

Table 1 lists all the system-defined permissions supported by Config.

**Table 1** System-defined permissions supported by Config.¶
Policy	Description	Dependencies
Config FullAccess	Grants full access to Config. This policy grants you the permissions to perform all actions on the resource list, resource recorder, resource compliance, and advanced queries.	iam:agencies:listAgencies iam:roles:listRoles iam:permissions:grantRoleToAgency smn:topic:list obs:bucket:ListAllMyBuckets
Config ReadOnlyAccess	Grants read-only access to Config. This policy grants you read access to the resource list, resource recorder, and resource compliance.	None

Table 2 lists the common operations and the system-defined permissions of Config. Y indicates that an operation is supported, and x indicates not supported.

**Table 2** Common operations supported by system-defined permissions¶
Operation	Config FullAccess	Config ReadOnlyAccess
Querying all resources	Y	Y
Query details about a resource.	Y	Y
Filtering resources	Y	Y
Exporting resources	Y	Y
Viewing resource compliance data	Y	Y
Viewing relationships of a resource	Y	Y
Viewing resource change history	Y	Y
Querying the resource recorder	Y	Y
Enabling, configuring, or modifying the resource recorder	Y	x
Disabling the resource recorder	Y	x
Querying a compliance policy	Y	Y
Modifying rules	Y	x
Adding rules	Y	x
Querying rules	Y	Y
Deleting rules	Y	x
Viewing resource compliance evaluation results	Y	Y
Triggering a resource compliance evaluation	Y	x
Running advanced queries	Y	x
Creating advanced queries	Y	x
Querying advanced queries	Y	Y
Listing advanced queries	Y	Y
Updating advanced queries	Y	x
Deleting advanced queries	Y	x

Fine-Grained Permissions for Config¶

If predefined permissions cannot meet your requirements, you can create custom policies. Custom policies allow you to perform fine-grained access control flexibly. For details about how to create a custom policy, see Creating a Custom Policy. For details about example custom policies, see Creating a Custom Policy.

The following table lists the actions and dependencies for Config.

**Table 3** Actions and dependencies for the resource list¶
Action	Description	Dependencies	Applicable Scenario
rms:resources:getHistory	Grants the permission to view resource history.	rms:resources:list rms:resources:getRelation rms:resources:get	Viewing resource history.
rms:resources:getRelation	Grants the permission to view resource relationships and relationship details.	rms:resources:list rms:resources:get	Viewing resource relationships and relationship details
rms:resources:list	Grants the permission to view resources.	To filter resources by enterprise project, eps:enterpriseProjects:list is required.	Viewing, filtering, and exporting resources.
rms:resources:get	Grants the permission to view resource details.	rms:resources:list To view resource compliance information, rms:policyAssignments:get is required. To view resource relationship information, rms:resources:getRelation is required. To view resource history, rms:resources:getHistory is required.	Viewing resource details

**Table 4** Actions and dependencies for the resource recorder¶
Action	Description	Dependencies	Applicable Scenario
rms:trackerConfig:get	Grants the permission to query the resource recorder.	iam:agencies:listAgencies smn:topic:list obs:bucket:ListAllMyBuckets	Viewing resource recorder configurations
rms:trackerConfig:put	Grants the permission to create and modify the resource recorder.	iam:agencies:listAgencies iam:roles:listRoles iam:permissions:grantRoleToAgency iam:agencies:createAgency	Enabling, configuring, and modifying the resource recorder.
rms:trackerConfig:delete	Grants the permission to disable the resource recorder.	rms:trackerConfig:get	Disabling the resource recorder.

**Table 5** Actions and dependencies for resource compliance¶
Action	Description	Dependencies	Applicable Scenario
rms:policyDefinitions:get	Grants the permission to view built-in policies.	None	Viewing built-in policies
rms:policyAssignments:update	Grants the permission to update rules.	rms:policyDefinitions:get rms:policyAssignments:create	Modifying, enabling, and disabling rules
rms:policyAssignments:create	Grants the permission to create rules.	To create a rule with a predefined policy, rms:policyDefinitions:get is required. To create a custom rule, the following permissions are required: iam:agencies:listAgencies iam:roles:listRoles iam:permissions:grantRoleToAgency iam:agencies:createAgency	Adding rules.
rms:policyAssignments:get	Grants the permission to view rules	None	Viewing rules and their details.
rms:policyAssignments:delete	Grants the permission to delete rules.	rms:policyAssignments:get	Deleting rules.
rms:policyStates:get	Grants the permission to query the state and evaluation result of a rule.	rms:policyAssignments:get	Querying the state and evaluation result of a rule. If you call an API to query the state and evaluation result of a rule, this action is required. If you use Config console, this action is not required.
rms:policyStates:runEvaluation	Grants the permission to run rules.	rms:policyAssignments:get	Manually triggering a rule.

**Table 6** Actions and dependencies for advanced queries¶
Action	Description	Dependencies	Applicable Scenario
rms:resources:runQuery	Grants the permission to run advanced queries.	rms:storedQueries:list rms:storedQueries:get	Running advanced queries
rms:storedQueries:create	Grants the permission to create queries.	None	Creating queries
rms:storedQueries:get	Grants the permission to view query statements.	rms:storedQueries:list	Viewing query statements
rms:storedQueries:list	Grants the permission to list queries.	None	Listing queries.
rms:storedQueries:update	Grants the permission to update query statements	rms:storedQueries:list rms:storedQueries:get	Modifying custom queries
rms:storedQueries:delete	Grants the permission to deleting queries.	rms:storedQueries:list	Deleting custom queries
rms:schemas:list	Listing advanced query schemas	None	Viewing resource attributes synchronized to Config.

last updated: 2024-11-13 14:00 UTC - commit: eb1f267ba56b00f5029ba8a8e402b01b07baad13