HSS Actions

This section describes fine-grained permissions management for your HSS instances. If your account does not need individual IAM users, then you may skip over this section.

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign policies or roles to these groups. The user then inherits permissions from the groups it is a member of. This process is called authorization. After authorization, the user can perform specified operations on cloud services based on the permissions.

You can grant users permissions by using roles and policies. Roles are provided by IAM to define service-based permissions depending on user's job responsibilities. IAM uses policies to perform fine-grained authorization. A policy defines permissions required to perform operations on specific cloud resources under certain conditions.

Supported Actions

HSS provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control. The following are related concepts:

  • Permissions: Allow or deny certain operations.

  • Actions: Specific operations that are allowed or denied.

  • Dependent actions: When assigning permissions for an action, you also need to assign permissions for the dependent actions.

HSS supports the following actions that can be defined in custom policies:

Actions

Permission

Action

Related Action

Query the protected server list

hss:hosts:list

vpc:ports:get

vpc:publicIps:list

ecs:cloudServers:list

Enable or disable protection on servers

hss:hosts:switchVersion

-

Manual scan

hss:hosts:manualDetect

-

Check the status of a manual scan

hss:manualDetectStatus:get

-

Query weak password scan reports

hss:weakPwds:list

-

Query account cracking protection reports

hss:accountCracks:list

-

Unblock an IP address that was blocked during account cracking prevention

hss:accountCracks:unblock

-

Query malicious program scan results

hss:maliciousPrograms:list

-

Query remote login scan results

hss:abnorLogins:list

-

Query important file change reports

hss:keyfiles:list

-

Query the open port list

hss:ports:list

-

Query the vulnerability list

hss:vuls:list

-

Perform batch operations on vulnerabilities

hss:vuls:operate

-

Query the account list

hss:accounts:list

-

Query the software list

hss:softwares:list

-

Query the web path list

hss:webdirs:list

-

Query the process list

hss:processes:list

-

Query configuration scan reports

hss:configDetects:list

-

Query web shell scan results

hss:Webshells:list

-

Query risky account scan reports

hss:riskyAccounts:list

-

Obtain server risk statistics

hss:riskyDashboard:get

-

Query password complexity policy scan reports

hss:complexityPolicys:list

-

Perform batch operations on malicious programs

hss:maliciousPrograms:operate

-

Perform batch operations on open ports

hss:ports:operate

-

Perform operations on detected unsafe settings

hss:configDetects:operate

-

Perform batch operations on web shells

hss:Webshells:operate

-

Configure common login locations

hss:commonLocations:set

-

Query common login locations

hss:commonLocations:list

-

Configure common login IP addresses

hss:commonIPs:set

-

Query common login IP addresses

hss:commonIPs:list

-

Configure the login IP address whitelist

hss:whiteIps:set

-

Query the login IP address whitelist

hss:whiteIps:list

-

Configure weak passwords

hss:weakPwds:set

-

Query weak passwords

hss:weakPwds:get

-

Configure web paths

hss:webDirs:set

-

Query web paths

hss:webDirs:get

-

Obtain the list of servers where 2FA is enabled

hss:twofactorAuth:list

-

Enable 2FA

hss:twofactorAuth:set

-

Enable or disable automatic isolation and killing of malicious programs

hss:automaticKillMp:set

-

Query the programs that have been automatically isolated and killed

hss:automaticKillMp:get

-

Query the agent download address

hss:installAgent:get

-

Uninstall an agent

hss:agent:uninstall

-

Query HSS alarms

hss:alertConfig:get

-

Configure HSS alarms

hss:alertConfig:set

-

Query the WTP list

hss:wtpHosts:list

vpc:ports:get

vpc:publicIps:list

ecs:cloudServers:list

Enable or disable WTP

hss:wtpProtect:switch

-

Configure backup servers

hss:wtpBackup:set

-

Query backup servers

hss:wtpBackup:get

-

Configure protected directories

hss:wtpDirectorys:set

-

Query the protected directory list

hss:wtpDirectorys:list

-

Query WTP records

hss:wtpReports:list

-

Configure privileged processes

hss:wtpPrivilegedProcess:set

-

Query the privileged process list

hss:wtpPrivilegedProcesses:list

-

Configure a protection mode

hss:wtpProtectMode:set

-

Query the protection mode

hss:wtpProtectMode:get

-

Configure a protected file system

hss:wtpFilesystems:set

-

Query the protected file system list

hss:wtpFilesystems:list

-

Configure scheduled protection

hss:wtpScheduledProtections:set

-

Query scheduled protection

hss:wtpScheduledProtections:get

-

Configure WTP alarms

hss:wtpAlertConfig:set

-

Query WTP alarms

hss:wtpAlertConfig:get

-

Query WTP statistics

hss:wtpDashboard:get

-

Query policy group

hss:policy:get

-

Configure a policy group

hss:policy:set

-

Query the detected intrusion list

hss:event:get

-

Perform operations on intrusions

hss:event:set

-

Query server groups

hss:hostGroup:get

-

Configure server groups

hss:hostGroup:set

-

Monitor file integrity

hss:keyfiles:set

-

Query important file change reports

hss:keyfiles:list

-

Query the auto-startup list

hss:launch:list

-