HSS Actions¶
This section describes fine-grained permissions management for your HSS instances. If your account does not need individual IAM users, then you may skip over this section.
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign policies or roles to these groups. The user then inherits permissions from the groups it is a member of. This process is called authorization. After authorization, the user can perform specified operations on cloud services based on the permissions.
You can grant users permissions by using roles and policies. Roles are provided by IAM to define service-based permissions depending on user's job responsibilities. IAM uses policies to perform fine-grained authorization. A policy defines permissions required to perform operations on specific cloud resources under certain conditions.
Supported Actions¶
HSS provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control. The following are related concepts:
Permissions: Allow or deny certain operations.
Actions: Specific operations that are allowed or denied.
Dependent actions: When assigning permissions for an action, you also need to assign permissions for the dependent actions.
HSS supports the following actions that can be defined in custom policies:
Actions¶
Permission | Action | Related Action |
|---|---|---|
Query the protected server list | hss:hosts:list | vpc:ports:get vpc:publicIps:list ecs:cloudServers:list |
Enable or disable protection on servers | hss:hosts:switchVersion |
|
Manual scan | hss:hosts:manualDetect |
|
Check the status of a manual scan | hss:manualDetectStatus:get |
|
Query weak password scan reports | hss:weakPwds:list |
|
Query account cracking protection reports | hss:accountCracks:list |
|
Unblock an IP address that was blocked during account cracking prevention | hss:accountCracks:unblock |
|
Query malicious program scan results | hss:maliciousPrograms:list |
|
Query remote login scan results | hss:abnorLogins:list |
|
Query important file change reports | hss:keyfiles:list |
|
Query the open port list | hss:ports:list |
|
Query the vulnerability list | hss:vuls:list |
|
Perform batch operations on vulnerabilities | hss:vuls:operate |
|
Query the account list | hss:accounts:list |
|
Query the software list | hss:softwares:list |
|
Query the web path list | hss:webdirs:list |
|
Query the process list | hss:processes:list |
|
Query configuration scan reports | hss:configDetects:list |
|
Query web shell scan results | hss:Webshells:list |
|
Query risky account scan reports | hss:riskyAccounts:list |
|
Obtain server risk statistics | hss:riskyDashboard:get |
|
Query password complexity policy scan reports | hss:complexityPolicys:list |
|
Perform batch operations on malicious programs | hss:maliciousPrograms:operate |
|
Perform batch operations on open ports | hss:ports:operate |
|
Perform operations on detected unsafe settings | hss:configDetects:operate |
|
Perform batch operations on web shells | hss:Webshells:operate |
|
Configure common login locations | hss:commonLocations:set |
|
Query common login locations | hss:commonLocations:list |
|
Configure common login IP addresses | hss:commonIPs:set |
|
Query common login IP addresses | hss:commonIPs:list |
|
Configure the login IP address whitelist | hss:whiteIps:set |
|
Query the login IP address whitelist | hss:whiteIps:list |
|
Configure weak passwords | hss:weakPwds:set |
|
Query weak passwords | hss:weakPwds:get |
|
Configure web paths | hss:webDirs:set |
|
Query web paths | hss:webDirs:get |
|
Obtain the list of servers where 2FA is enabled | hss:twofactorAuth:list |
|
Enable 2FA | hss:twofactorAuth:set |
|
Enable or disable automatic isolation and killing of malicious programs | hss:automaticKillMp:set |
|
Query the programs that have been automatically isolated and killed | hss:automaticKillMp:get |
|
Query the agent download address | hss:installAgent:get |
|
Uninstall an agent | hss:agent:uninstall |
|
Query HSS alarms | hss:alertConfig:get |
|
Configure HSS alarms | hss:alertConfig:set |
|
Query the WTP list | hss:wtpHosts:list | vpc:ports:get vpc:publicIps:list ecs:cloudServers:list |
Enable or disable WTP | hss:wtpProtect:switch |
|
Configure backup servers | hss:wtpBackup:set |
|
Query backup servers | hss:wtpBackup:get |
|
Configure protected directories | hss:wtpDirectorys:set |
|
Query the protected directory list | hss:wtpDirectorys:list |
|
Query WTP records | hss:wtpReports:list |
|
Configure privileged processes | hss:wtpPrivilegedProcess:set |
|
Query the privileged process list | hss:wtpPrivilegedProcesses:list |
|
Configure a protection mode | hss:wtpProtectMode:set |
|
Query the protection mode | hss:wtpProtectMode:get |
|
Configure a protected file system | hss:wtpFilesystems:set |
|
Query the protected file system list | hss:wtpFilesystems:list |
|
Configure scheduled protection | hss:wtpScheduledProtections:set |
|
Query scheduled protection | hss:wtpScheduledProtections:get |
|
Configure WTP alarms | hss:wtpAlertConfig:set |
|
Query WTP alarms | hss:wtpAlertConfig:get |
|
Query WTP statistics | hss:wtpDashboard:get |
|
Query policy group | hss:policy:get |
|
Configure a policy group | hss:policy:set |
|
Query the detected intrusion list | hss:event:get |
|
Perform operations on intrusions | hss:event:set |
|
Query server groups | hss:hostGroup:get |
|
Configure server groups | hss:hostGroup:set |
|
Monitor file integrity | hss:keyfiles:set |
|
Query important file change reports | hss:keyfiles:list |
|
Query the auto-startup list | hss:launch:list |
|