Identity and Access Management

      Documentation Identity and Access Management Tutorials Use IAM to limit the IP addresses that are allowed to access Kingsoft Cloud resources

      Use IAM to limit the IP addresses that are allowed to access Kingsoft Cloud resources

      Last updated:2021-10-29 17:57:30

      This topic describes how to use IAM to limit the IP addresses that are allowed to access Kingsoft Cloud resources. This enhances access security.

      Background

      Enterprise A has purchased multiple types of Kingsoft Cloud resources. To ensure business and data security, the enterprise requires users to access Kingsoft Cloud resources only from the IP addresses of the private network of the enterprise.

      Solution

      To authorize an IAM user to access Kingsoft Cloud resources only from specific IP addresses, you can create a custom policy and attach the policy to the IAM user.

      Step 1: Create a custom policy

      1. Log in to the IAM console.
      2. In the left navigation pane, choose Permissions > Policies. The Policies page appears.
      3. Click the Custom Policies tab.
      4. Click Create Policy. On the Create Policy page, set the Policy and Remarks parameters in the Set Policy Information section.
      5. In the Select Policy Type section, select Policy grammar and select a policy template. Click Next and edit the policy.
      Sample policy:
{
	"Version": "2015-11-01",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": "kec:*",
			"Resource": "*",
			"Condition": {
				"IpAddress": {
					"ksc:SourceIp": [
						"192.168.0.0/16"
					]
				}
			}
		}
	]
}
      1. Click Create strategy.

      Step 2: Create an IAM user

      1. Log in to the IAM console.

      2. In the left navigation pane, choose Identities > Subusers. The Subusers page appears.

      3. Click Create User. The Create User page appears.

      4. Enter the required information in the User login information section as prompted.

        Username: the username of the IAM user. This parameter is required. After the IAM user is created, the username cannot be changed.
        Display name: the display name of the IAM user. You can define it based on your business requirements. This parameter is required.
        E-mail: the email address for receiving messages. This parameter is optional.
        Cellphone number: the phone number for receiving messages. This parameter is optional.
        Receive message: Specifies whether to receive messages. After it is enabled, the E-mail and Cellphone number parameters are required.

      5. Select an access mode in the Access Mode section. To ensure your account security, we recommend that you select only one access mode.

        Console Password Logon: If you select this access mode, you need to set the Console Password, Password Reset, Login Protection, Operation Protection, and Sub-users view all items parameters.
        Programmatic Access: If you select this access mode, the system automatically generates an AccessKey for the IAM user. The IAM user can access Kingsoft Cloud by using API operations or other development tools.

      6. Click Submit.

      Step 3: Grant permissions to the IAM user

      1. Log in to the IAM console.
      2. In the left navigation pane, choose Permissions > Policies. The Policies page appears.
      3. Find the target policy and click Associated object in the Actions column.
      4. In the Associated object panel, select the target IAM user.
      5. Click OK.
      Previous:Configure SSO
      Next:Configure a password security policy

      Did you find the above information helpful?

      Unhelpful
      Mostly Unhelpful
      A little helpful
      Helpful
      Very helpful

      What might be the problems?

      Insufficient
      Outdated
      Unclear or awkward
      Redundant or clumsy
      Lack of context for the complex system or functionality

      More suggestions

      0/200

      Please give us your feedback.

      Submitted

      Thank you for your feedback.

      问题反馈