CAM Overview

Last updated: 2020-02-25 16:28:25

The overview page of the Access Management console consists of five modules: Access Management Resources, Login URL, Sensitive Operation, Last Login Info, and Security Guide. Each module is described below.

  • Users with the QcloudCamSummaryAccess policy permission who log in to the console can view the information of all modules.
  • Users without the QcloudCamSummaryAccess policy permission who log in to the console can view only Login URL and Last Login Info, as shown below:
    The main account can grant the QcloudCamSummaryAccess policy to the sub-accounts that need it, allowing those sub-accounts to view the information on the overview page of the console.

Access Management Resources

The Access Management Resources module displays the number of users, user groups, custom policies, roles and identity providers (IdPs) created under the current main account. You can go to the corresponding creation page by clicking the button below each number.

Login URL

The Login URL module shows the login links for sub-users. Both the main account and sub-accounts can copy a link using the copy button to the right of the link.

  • Sub-user login link: applies to sub-users.

Sensitive Operation

The Sensitive Operation module displays an overview of all sensitive operations under the current main account in the last 3 days (up to 50 entries), including account ID, operator ID, sensitive operation details and operation time. Users can also click "View all Records" to enter the Cloud Audit console and view more detailed sensitive operation records.

Last Login Info

The Last Login Info module shows the last login time and the last login IP of the current account.

Security Guide

To ensure the security of your account and assets on the cloud, we strongly recommend that you complete all settings in the Security Guide.

The Security Guide module provides users with basic CAM features and necessary security operation instructions, including binding an MFA device to the main account, enabling account protection for the main account, creating sub-accounts, creating groups and adding sub-accounts, etc.

  • Operation permission: only the main account has permission to operate the two settings "Bind root account to MFA device" and "Enable account protection for root account"; all authorized users can operate the other five settings.
  • Guidance status: each guide item has one of two states, "Not completed" and "Done". The status of each guide item can be seen when the main account logs in to the console; sub-accounts with permission cannot view the status.
  • Settings entry: a sub-account with permission can view the corresponding feature introduction and settings entry by clicking the triangle symbol on the left side of each guide item. The following figure shows an example of the Security Guide module after the main account logs in to the console.

Bind root account to MFA device

Multi-factor authentication (MFA) is an additional layer of protection provided by Tencent Cloud on top of the username and password. Currently, two types of MFA devices are supported: hardware MFA devices and virtual MFA devices.
The main account can click "unbind MFA Device" below the detailed description to enter the specific settings page. For more information, please see:

Enable account protection for root account

Account protection is divided into login protection and operation protection. When login protection is enabled, you need to complete MFA verification when logging in to Tencent Cloud. When operation protection is enabled, you need to pass multi-factor authentication before performing a sensitive operation, which confirms that the operation is performed by you.
The main account can click "to enable account Protection" below the detailed description to enter the specific settings page. For more information, please see:

Create a sub-account

Sub-accounts are divided into three types: sub-users, collaborators and message recipients. You can create sub-accounts with different responsibilities to assist you according to your business needs.
Users with permission can click "create user" below the detailed introduction to enter the specific settings page. For more information, please see:

Create a group and add a sub-account

Creating user groups, assigning permissions to them and adding users to them can help simplify permission management and review of sub-accounts.
Users with permission can click "create Group" below the detailed introduction to enter the specific settings page. For more information, please see:

Manage authorization policy

CAM supports two types of policies: preset policies and custom policies.

  • Preset policies are common permission sets created and managed by Tencent Cloud. They are coarse-grained and cannot be edited by users.
  • Custom policies are policies created by the user. They allow fine-grained permission division and can be edited by the user.

Assign permissions to user groups or users to simplify the permission management and audit of CAM users in your account.
Users with permission can click "create Custom Policy" below the detailed introduction to enter the specific settings page. For more information, please see:

Enable account protection for sub accounts

Select a sub-account from the user list, and enable login protection and operation protection on the "Security" page. When enabled, users must pass multi-factor authentication when logging in or performing sensitive operations. Currently, the secondary identity verification methods for sub-accounts are virtual MFA device verification, hardware MFA device verification, and mobile verification code verification.
Users with permission can click "enable account Protection for Sub-users" below the detailed introduction to enter the specific settings page. For more information, please see:

How to bind MFA device to sub-accounts

Select a sub-user or collaborator in the user list, enable account protection on the security page and select the MFA mode. The user will bind an MFA device the next time the user logs in.
Users with permission can click "bind MFA Device to sub-account" below the detailed introduction to enter the specific settings page. For more information on the steps, please see: