You can use Identity and Access Management (IAM) to implement fine-grained permissions control for your Config resources. With IAM, you can:
- Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing Config resources.
- Grant users only the permissions required to perform a given task based on their job responsibilities.
- Entrust an account or a cloud service to perform efficient operations and maintenance (O&M) on your Config resources.
If your account meets your permissions requirements, you can skip this section.
Figure 1 shows the process flow of granting Config permissions.
Prerequisites
Before granting permissions, learn about permissions for Config. To grant permissions for other services, see permissions.
Process Flow
Figure 1 Process of granting Config permissions
- On the IAM console, create a user group and assign permissions to it (Config ReadOnlyAccess is used as an example).
- Create an IAM user and add it to the created group.
- Log in as the IAM user and verify permissions.
  In the authorized region, perform the following operations:
  - Choose Service List > Config. In the navigation pane on the left, click Resource Compliance. On the displayed page, click Add Rule on the Rules tab. If a message appears indicating that you have insufficient permissions to perform the operation, the Config ReadOnlyAccess policy is in effect.
  - Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the Config ReadOnlyAccess policy is in effect. This check is meaningful only if the user group has been granted no permissions other than Config ReadOnlyAccess.
  - Choose Service List > Config and check whether you can view queries on the Advanced Queries page. If you can, the Config ReadOnlyAccess policy is in effect.