Evaluation Logic

Last updated: 2018-01-08 15:38:20

When a Tencent Cloud user accesses a cloud resource, CAM decides whether to allow or deny the request using the following evaluation logic.

1) All requests are denied by default.

2) CAM checks all policies associated with the current user.

a. Root accounts can access all resources under their own names by default. Currently, cross-account resource access is supported only for COS.

b. Certain general policies are associated with all CAM users by default. For more information, see the General Policy table below.

c. All other policies, both "allow" and "deny" policies, must be explicitly attached to the user.

3) If a "deny" policy matches, the result is "deny" and the resource access request is denied. An explicit deny takes precedence over any matching "allow" policy.

4) Otherwise, if an "allow" policy matches, the result is "allow" and the resource access request is allowed.

5) If no policy matches, the result is "deny" and the resource access request is denied.

The following table lists the general policies that are currently supported. Each of them matches only when the request was made without MFA verification (the "mfa" condition key equals "0"), which is how the listed account actions are made to require MFA.

Policy Description | Policy Definition

MFA verification is required for querying keys
{
  "principal":"*",
  "action":"name/account:QueryKeyBySecretId",
  "resource":"*",
  "condition":{"string_equal":{"mfa":"0"}}
}

MFA verification is required for sensitive configurations
{
  "principal":"*",
  "action":"name/account:SetSafeAuthFlag",
  "resource":"*",
  "condition":{"string_equal":{"mfa":"0"}}
}

MFA verification is required for binding tokens
{
  "principal":"*",
  "action":"name/account:BindToken",
  "resource":"*",
  "condition":{"string_equal":{"mfa":"0"}}
}

MFA verification is required for unbinding tokens
{
  "principal":"*",
  "action":"name/account:UnbindToken",
  "resource":"*",
  "condition":{"string_equal":{"mfa":"0"}}
}

MFA verification is required for modifying email address
{
  "principal":"*",
  "action":"name/account:ModifyMail",
  "resource":"*",
  "condition":{"string_equal":{"mfa":"0"}}
}

MFA verification is required for modifying phone number
{
  "principal":"*",
  "action":"name/account:ModifyPhoneNum",
  "resource":"*",
  "condition":{"string_equal":{"mfa":"0"}}
}
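The following Python evaluator is an added example that walks through the five-step decision order above together with the general MFA policies from the table. It is not Tencent Cloud's implementation. It assumes things the page does not state: every policy carries an "effect" of "allow" or "deny", the MFA general policies are modelled as "deny" policies, only the string_equal condition operator is implemented, "*" and shell-style wildcards are accepted in the action and resource fields, and the request context carries "mfa" as the string "1" when MFA was verified and "0" otherwise. The function and variable names are this example's own.

```python
"""Toy CAM-style policy evaluator (added example, not Tencent Cloud code).

Assumptions (not stated on the page): each policy has an "effect" of
"allow" or "deny"; the MFA general policies are "deny" policies; only the
string_equal condition operator exists; "*" / shell-style wildcards are
allowed in action and resource; the context key "mfa" is "1" when MFA was
verified and "0" otherwise.
"""
from fnmatch import fnmatchcase

# Actions covered by the general MFA policies in the table above.
MFA_ACTIONS = [
    "name/account:QueryKeyBySecretId",
    "name/account:SetSafeAuthFlag",
    "name/account:BindToken",
    "name/account:UnbindToken",
    "name/account:ModifyMail",
    "name/account:ModifyPhoneNum",
]

# The general policies, with an assumed "deny" effect added so they fit the
# allow/deny model; they are in scope for every CAM user by default.
GENERAL_POLICIES = [
    {
        "effect": "deny",
        "principal": "*",
        "action": action,
        "resource": "*",
        "condition": {"string_equal": {"mfa": "0"}},
    }
    for action in MFA_ACTIONS
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """True if any pattern is "*" or matches value shell-style (case-sensitive)."""
    return any(p == "*" or fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """string_equal: every listed key must be present and equal as a string."""
    for operator, pairs in (condition or {}).items():
        if operator != "string_equal":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if key not in context or str(context[key]) != str(expected):
                return False
    return True


def policy_matches(policy, action, resource, context):
    return (
        _matches(policy["action"], action)
        and _matches(policy["resource"], resource)
        and _condition_holds(policy.get("condition"), context)
    )


def evaluate(action, resource, policies, context=None, is_root=False):
    """Return "allow" or "deny" following the five-step order on this page."""
    # Missing MFA evidence is treated as "not verified" so the MFA deny
    # policies fail closed instead of silently not matching.
    context = {"mfa": "0", **(context or {})}
    # Step 2a: the root account reaches everything under its own name by
    # default. Cross-account access (COS only) is not modelled here.
    if is_root:
        return "allow"
    # Steps 2b/2c: general policies plus the policies attached to the user.
    effects = {
        p["effect"]
        for p in GENERAL_POLICIES + list(policies)
        if policy_matches(p, action, resource, context)
    }
    if "deny" in effects:   # step 3: any matching deny wins
        return "deny"
    if "allow" in effects:  # step 4: otherwise a matching allow is enough
        return "allow"
    return "deny"           # steps 1 and 5: default deny


if __name__ == "__main__":
    # Constructed sample: a sub-user with a broad allow on account actions.
    allow_account = [{"effect": "allow", "action": "name/account:*", "resource": "*"}]
    key_query = "name/account:QueryKeyBySecretId"
    print(evaluate(key_query, "resource-a", allow_account, {"mfa": "0"}))  # deny
    print(evaluate(key_query, "resource-a", allow_account, {"mfa": "1"}))  # allow
    print(evaluate(key_query, "resource-a", [], {"mfa": "1"}))             # deny
```

The general policies only ever produce a deny, so an allow on the same action with MFA verified still goes through (step 4), while the same allow without MFA is overridden (step 3). The `{"mfa": "0", **context}` default is the fail-closed choice: if the attribute is absent from the request context the action is treated as unverified rather than slipping past the deny.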