- Product Introduction
- Supported Resource Types
- Purchase Guide
- Getting Started
- Operation Guide
- Resources
- Rule
- Managed Rules
- List of Managed Rule
- MFA on Sensitive Operations Required for CAM Users
- MFA on Login Required for CAM Users
- No Idle User Groups on CAM
- Association with User Group Required for CAM User
- No Authorization Policies Directly Added to CAM Sub-account
- No Administrator Access Permissions Granted to CAM Users, User Groups, or Roles
- Granting of Specific High-Risk Permissions by CAM Not Allowed
- No Idle Permission Policies on CAM
- CAM Login Permission Check
- Key of CAM User Rotated at Specified Interval
- Login by CAM User within Specified Time Range
- CVM Instance Associated with Specified Security Group
- CVM Instance Not Moved to Recycle Bin
- Association of CVM Instance with Specified Role
- CVM Instance Enabled Automatic Renewal
- Notification About Expiration for CVM Instance in Monthly Subscription or Pay-As-You-Go Mode
- No Idle Security Groups
- CVM Instance in VPC
- No CVM Instances Not Assigned to Project
- Inactive Duration of CVM Instance After Shutdown Not Exceeding Specified Number of Days
- Lease Duration of CVM Instance Meeting Requirement of Specified Number of Days
- CVM Instance Bound to IPv4 Public Address
- Specified Tag Existed for Resource
- Access to Remote Risky Ports by Security Group Not Allowed
- Access to All Ports by Security Group Not Allowed
- CBS Disk Enabled Arrear Protection
- CBS Disk Enabled Encryption
- Detachable CBS Disk Not Moved to Recycle Bin
- Number of Available IP Addresses in VPC Subnet Greater than Specified Value
- Expiration Protection for CVM Instance in Pay-As-You-Go Mode
- No Idle CBS Disks
- Using Rules
- Managing Rules
- Conformance Pack
- Settings
- FAQs
- Contact Us
- Glossary
- Product Introduction
- Supported Resource Types
- Purchase Guide
- Getting Started
- Operation Guide
- Resources
- Rule
- Managed Rules
- List of Managed Rule
- MFA on Sensitive Operations Required for CAM Users
- MFA on Login Required for CAM Users
- No Idle User Groups on CAM
- Association with User Group Required for CAM User
- No Authorization Policies Directly Added to CAM Sub-account
- No Administrator Access Permissions Granted to CAM Users, User Groups, or Roles
- Granting of Specific High-Risk Permissions by CAM Not Allowed
- No Idle Permission Policies on CAM
- CAM Login Permission Check
- Key of CAM User Rotated at Specified Interval
- Login by CAM User within Specified Time Range
- CVM Instance Associated with Specified Security Group
- CVM Instance Not Moved to Recycle Bin
- Association of CVM Instance with Specified Role
- CVM Instance Enabled Automatic Renewal
- Notification About Expiration for CVM Instance in Monthly Subscription or Pay-As-You-Go Mode
- No Idle Security Groups
- CVM Instance in VPC
- No CVM Instances Not Assigned to Project
- Inactive Duration of CVM Instance After Shutdown Not Exceeding Specified Number of Days
- Lease Duration of CVM Instance Meeting Requirement of Specified Number of Days
- CVM Instance Bound to IPv4 Public Address
- Specified Tag Existed for Resource
- Access to Remote Risky Ports by Security Group Not Allowed
- Access to All Ports by Security Group Not Allowed
- CBS Disk Enabled Arrear Protection
- CBS Disk Enabled Encryption
- Detachable CBS Disk Not Moved to Recycle Bin
- Number of Available IP Addresses in VPC Subnet Greater than Specified Value
- Expiration Protection for CVM Instance in Pay-As-You-Go Mode
- No Idle CBS Disks
- Using Rules
- Managing Rules
- Conformance Pack
- Settings
- FAQs
- Contact Us
- Glossary
Granting of Specific High-Risk Permissions by CAM Not Allowed
Last updated: 2024-03-04 15:58:29
Rule purpose: Check whether CAM has granted specific high-risk permissions.
Compliance evaluation logic: When no CAM users, user groups, or roles are granted specific high-risk permissions, the evaluation result is "compliant".
Rule Identifier:
cam-user-risky-policy-bound.Risk Level: Low
Applicable resource type:
QCS::CAM::User, QCS::CAM::Group, QCS::CAM::Role.Rule trigger type: Periodic execution, every 24 hours.
Keyword: User, user group, role, policy.
Rule parameter:
Parameter name | Default value | Relationship |
policies | AdministratorAcces | Contains |
Yes
No
Was this page helpful?