- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- Best Practices
- Business Use Cases
- TencentDB for MySQL Cases
- CLB Cases
- CMQ Cases
- COS Cases
- Authorizing Sub-account Full Access to COS Resources under the Account
- Authorizing Sub-account Full Access to Specific Directory
- Authorizing Sub-account Read-only Access to Files in Specific Directory
- Authorizing Sub-account Read/Write Access to Specific File
- Authorizing Sub-account Read-only Access to COS Resources
- Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files
- Authorizing Sub-account Read/Write Access to Files with Specified Prefix
- Authorizing Another Account Read/Write Access to Specific Files
- Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File
- CVM Cases
- Authorizing Sub-account Full Access to CVMs
- Authorizing Sub-account Read-only Access to CVMs
- Authorizing Sub-account Read-only Access to CVM-related Resources
- Authorizing Sub-account Access to Perform Operations on CBSs
- Authorizing Sub-account Access to Perform Operations on Security Groups
- Authorizing Sub-account Access to Perform Operations on EIPs
- Authorizing Sub-account Access to Perform Operations on Specific CVM
- Authorizing Sub-account Access to Perform Operations on CVMs in Specific Region
- Authorizing Sub-account Full Access to CVMs Except Payment
- VPC Cases
- Authorizing Sub-account Read-only Access to VPCs
- Authorizing Sub-account Access to Perform Operations on Specific VPC and Resources of This VPC
- Authorizing Sub-account Access to Perform Operations on VPC Except on Routing Table
- Authorizing Sub-account Access to Perform Operations on VPN
- Authorizing Sub-account Full Access to VPCs
- Authorizing a Sub-account Full Access to VPCs Except Payment
- VOD Cases
- Other Cases
- API Documentation
- Introduction
- API Category
- Making API Requests
- Policy APIs
- Role APIs
- CreateServiceLinkedRole
- DeleteRolePermissionsBoundary
- AttachRolePolicy
- DeleteServiceLinkedRole
- DescribeSafeAuthFlag
- CreateRole
- DeleteRole
- DescribeRoleList
- DetachRolePolicy
- GetServiceLinkedRoleDeletionStatus
- GetRole
- PutRolePermissionsBoundary
- ListAttachedRolePolicies
- UpdateAssumeRolePolicy
- UpdateRoleConsoleLogin
- UpdateRoleDescription
- Identity Provider APIs
- User APIs
- AddUser
- AddUserToGroup
- ConsumeCustomMFAToken
- DeleteUserPermissionsBoundary
- DescribeSafeAuthFlagColl
- DescribeSubAccounts
- CreateGroup
- DeleteGroup
- DeleteUser
- GetCustomMFATokenInfo
- GetGroup
- ListAccessKeys
- GetUser
- ListGroups
- ListCollaborators
- ListGroupsForUser
- ListUsers
- ListUsersForGroup
- PutUserPermissionsBoundary
- RemoveUserFromGroup
- SetMfaFlag
- UpdateGroup
- UpdateUser
- STS APIs
- Data Types(CAM)
- Data Types(STS)
- Error Codes
- FAQs
- Glossary
- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- Best Practices
- Business Use Cases
- TencentDB for MySQL Cases
- CLB Cases
- CMQ Cases
- COS Cases
- Authorizing Sub-account Full Access to COS Resources under the Account
- Authorizing Sub-account Full Access to Specific Directory
- Authorizing Sub-account Read-only Access to Files in Specific Directory
- Authorizing Sub-account Read/Write Access to Specific File
- Authorizing Sub-account Read-only Access to COS Resources
- Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files
- Authorizing Sub-account Read/Write Access to Files with Specified Prefix
- Authorizing Another Account Read/Write Access to Specific Files
- Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File
- CVM Cases
- Authorizing Sub-account Full Access to CVMs
- Authorizing Sub-account Read-only Access to CVMs
- Authorizing Sub-account Read-only Access to CVM-related Resources
- Authorizing Sub-account Access to Perform Operations on CBSs
- Authorizing Sub-account Access to Perform Operations on Security Groups
- Authorizing Sub-account Access to Perform Operations on EIPs
- Authorizing Sub-account Access to Perform Operations on Specific CVM
- Authorizing Sub-account Access to Perform Operations on CVMs in Specific Region
- Authorizing Sub-account Full Access to CVMs Except Payment
- VPC Cases
- Authorizing Sub-account Read-only Access to VPCs
- Authorizing Sub-account Access to Perform Operations on Specific VPC and Resources of This VPC
- Authorizing Sub-account Access to Perform Operations on VPC Except on Routing Table
- Authorizing Sub-account Access to Perform Operations on VPN
- Authorizing Sub-account Full Access to VPCs
- Authorizing a Sub-account Full Access to VPCs Except Payment
- VOD Cases
- Other Cases
- API Documentation
- Introduction
- API Category
- Making API Requests
- Policy APIs
- Role APIs
- CreateServiceLinkedRole
- DeleteRolePermissionsBoundary
- AttachRolePolicy
- DeleteServiceLinkedRole
- DescribeSafeAuthFlag
- CreateRole
- DeleteRole
- DescribeRoleList
- DetachRolePolicy
- GetServiceLinkedRoleDeletionStatus
- GetRole
- PutRolePermissionsBoundary
- ListAttachedRolePolicies
- UpdateAssumeRolePolicy
- UpdateRoleConsoleLogin
- UpdateRoleDescription
- Identity Provider APIs
- User APIs
- AddUser
- AddUserToGroup
- ConsumeCustomMFAToken
- DeleteUserPermissionsBoundary
- DescribeSafeAuthFlagColl
- DescribeSubAccounts
- CreateGroup
- DeleteGroup
- DeleteUser
- GetCustomMFATokenInfo
- GetGroup
- ListAccessKeys
- GetUser
- ListGroups
- ListCollaborators
- ListGroupsForUser
- ListUsers
- ListUsersForGroup
- PutUserPermissionsBoundary
- RemoveUserFromGroup
- SetMfaFlag
- UpdateGroup
- UpdateUser
- STS APIs
- Data Types(CAM)
- Data Types(STS)
- Error Codes
- FAQs
- Glossary
The Dashboard in the CAM Console contains six modules: CAM Resources, Login URL, Sensitive Operations, Last Login Info, Security Analysis Report, and Security Guide. This document describes each module in detail.
- Users associated with the
QcloudCamSummaryAccesspolicy can view the information of all modules when they log in to the console as shown below:
- Users not associated with the
QcloudCamSummaryAccesspolicy will only see the Login URL and Last Login Info modules as shown below:
The root account can authorize sub-accounts through theQcloudCamSummaryAccesspolicy as needed to allow them to view the Dashboard information in the console.
CAM Resources
The CAM resources module displays the numbers of users, user groups, custom policies, roles, and identity providers created under the current root account. You can create more resources by clicking the button below each resource quantity.
Login URL
The login URL module displays the login URL for the sub-user. Both the root account and the sub-account can copy the URL by clicking the Copy icon on the right of the URL.
- Sub-user login URL: applies to sub-users.
Sensitive Operations
The sensitive operations module displays the overview information of all sensitive operations under the current root account in the last 3 days (up to 50 entries). The displayed information includes account ID, operator ID, sensitive operation details, and operation time. You can also click View All Records to enter the Cloud Audit Console to view more detailed sensitive operation records.
Last Login Info
The last login info module displays the last login time, last login IP, identity security status, and shortcuts to manage API keys and manage MFA settings.
Security Analysis Report
The security analysis report module provides a Download report button. Click this button to get the security status of the current root account and sub-account, security risks discovered based on best practices, and recommended solutions. Each generated report will be cached for 4 hours.
Security Guide
Note:
For the security of your accounts and assets in Tencent Cloud, we strongly recommend you complete all the configurations in the security guide.
The security guide module provides basic CAM feature descriptions and necessary security operation guidance, such as binding MFA devices to root accounts, enabling account protection for root accounts, creating sub-accounts, and creating groups and adding sub-accounts.
- Operation permission: the Bind MFA device to root account and Enable account protection for root account features can only be used by the root account, while the other five features can be used by all authorized users.
- Feature status: each feature has two states: Not Completed and Completed. The root account user can view the status of each feature. Sub-accounts cannot view feature statuses.
- Feature links: sub-accounts with permissions can view feature descriptions and links by clicking the triangle icon on the left of each guide item. The following figure shows the security guide module the root account sees.
Binding MFA device to root account
Multi-factor authentication (MFA) is an additional layer of protection provided by Tencent Cloud in addition to username and password. Currently, two types of MFA devices are supported: hardware MFA devices and virtual MFA devices.
The root account user can click Bind MFA device below the detailed description to enter Security Settings. For detailed directions, please see:
Enabling account protection for root account
Account protection includes login protection and operation protection. If login protection is enabled, you need to verify your identity via MFA device when logging into Tencent Cloud. If operation protection is enabled, you need to complete multi-factor authentication for sensitive operations.
The root account user can click Enable Account Protection below the detailed description to enter Security Settings. For detailed directions, please see:
Creating sub-account
Sub-accounts include sub-users, collaborators, and message recipients. You can create sub-accounts with different responsibilities to assist you according to your business needs.
An authorized user can click Create User below the detailed description to create a user. For detailed directions, please see:
Creating group and adding sub-account
Creating user groups, assigning permissions to user groups, and adding users to user groups can help simplify permission management and review of sub-accounts.
An authorized user can click Create Group below the detailed description to create a user group. For detailed directions, please see:
Managing authorization policy
CAM supports two types of policies: preset policies and custom policies.
- A preset policy is a set of common permissions created and managed by Tencent Cloud at a coarse granularity. It is non-editable.
- A custom policy is created by yourself and allows you to assign permissions at a finer granularity. It is editable.
Assigning permissions to user groups or users simplifies the process of managing and reviewing the permissions of CAM users in your account.
An authorized user can click Create Custom Policy below the detailed description to enter the Policies page. For detailed directions, please see:
Enabling account protection for sub-account
An authorized user can select a sub-account in the user list and enable login protection and operation protection on the Security tab in the user's details page. MFA will then be required when the user logs in or performs sensitive operations. Currently, MFA modes supported for sub-accounts include virtual MFA device verification, hardware MFA device verification, and mobile verification code.
An authorized user can click Enable Account Protection for Sub-Account below the detailed description to enter the User List page. For detailed directions, please see:
Binding MFA device to sub-account
An authorized user can select a sub-user or collaborator in the user list and enable MFA device protection on the Security tab in the user's details page. The user will need to bind the MFA device upon next login.
An authorized user can click Bind MFA Device to Sub-Account below the detailed description to enter the User List page. For detailed directions, please see:
Use Limits
For more information on the limits of the number of sub-accounts, user groups, and policies allowed, please see Use Limits.
Was this page helpful?