Setup
Set Alias of the Account
- Setting an alias for your account gives you an easy-to-understand IAM user login link.
- If you log in via the app, the master account field is also pre-filled with the alias defined here.
Operation steps
- Enter the console, hover over the avatar in the upper right corner of the page, and open Identity and Access Management > Settings.
- Edit the Set Alias for the Account section.
E.g.: if the alias of the account is set to test_123, the PC login link is simplified to http://test_123.login.bce.baidu.com, and the master account alias is filled in as test_123 when you log in via the app.
Security Setting
Set the Password Policy
The customized password policy enforces password strength, validity period and similar requirements to keep your account secure. The password policies currently supported and configurable on Baidu AI Cloud are:
- Password length: 8 characters by default, ranging from 8 to 32;
- Must at least include: multiple choice; you can select "uppercase", "lowercase", "numbers" and "special character (!"#$%&’()*+,-./:;<=>?@[]^_>{¦©}<)". Selecting an element means the password must contain at least one character of that kind; for example, if "uppercase" and "lowercase" are selected, the password must contain at least one uppercase and one lowercase letter;
- Validity period of the password: 0 days by default, meaning permanent validity, ranging from 0 to 1095; the console pops up a reminder within 3 days after the password expires, so please change the password in time;
- Policy after the password expires:
  - Unrestricted login: the IAM user can still log into the console after the password expires, but must reset the password;
  - Restricted login: the IAM user cannot log into the console after the password expires, and the administrator must reset the password;
- Historical password check: defaults to 1, meaning the new password may not repeat the previous one, ranging from 0 to 24;
- Restriction on password retries: if the wrong password is entered more than a set number of times within an hour, the account is locked for an hour; the default is 5 times, ranging from 0 to 32, where 0 means no restriction;
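As an added example (not Baidu AI Cloud's own code), the following Python validator applies the configurable rules listed above to a candidate password: minimum length, required character classes, historical password check and validity period. The class and method names are assumptions, as is treating all printable ASCII punctuation as "special characters", since the printed character list above appears partially garbled.

```python
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Sequence

# Assumption: any printable ASCII punctuation counts as a "special character".
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numbers": set(string.digits),
    "special character": set(string.punctuation),
}

@dataclass
class PasswordPolicy:
    min_length: int = 8           # console default 8, allowed range 8..32
    required: List[str] = field(default_factory=list)   # selected CLASSES names
    validity_days: int = 0        # 0 = permanent validity, allowed range 0..1095
    history_check: int = 1        # previous passwords that may not be reused, 0..24

    def __post_init__(self) -> None:
        # Reject settings outside the ranges the console accepts.
        if not 8 <= self.min_length <= 32:
            raise ValueError("password length must be between 8 and 32")
        if not 0 <= self.validity_days <= 1095:
            raise ValueError("validity period must be between 0 and 1095 days")
        if not 0 <= self.history_check <= 24:
            raise ValueError("historical password check must be between 0 and 24")
        unknown = set(self.required) - set(CLASSES)
        if unknown:
            raise ValueError(f"unknown character classes: {sorted(unknown)}")

    def violations(self, password: str, previous: Sequence[str] = ()) -> List[str]:
        """Return the rules a new password breaks (empty list means accepted).
        `previous` is newest-first; a real system would compare password hashes."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        for name in self.required:
            if not CLASSES[name] & set(password):
                problems.append(f"missing at least one {name}")
        if password in previous[: self.history_check]:
            problems.append(f"reuses one of the last {self.history_check} passwords")
        return problems

    def expired(self, last_changed: datetime, now: datetime) -> bool:
        """A validity period of 0 days means the password never expires."""
        return self.validity_days > 0 and now >= last_changed + timedelta(days=self.validity_days)
```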
Set the Expiration Time of Session
Session expiration means that, if the user performs no operation within the valid time after logging in, the system automatically clears the current user's session information to keep the account secure. You need to log into the console again after the session expires.
Note
- The time can be set from 15 minutes to 23 hours 59 minutes; the default expiration time is 1 hour, and you can adjust it according to your actual situation.
- This feature applies to both the root account and IAM users.
IP Whitelist
Set an IP whitelist for all services used through IAM. When IAM users log into the console directly or access Baidu AI Cloud resources using the OpenAPI or SDK, the source IP must be in the whitelist.
Currently, the IP whitelist supports:
- Restricting IAM user console login, i.e. IPs not in the whitelist cannot log into the console to perform operations;
- Restricting programmatic access to cloud resources, i.e. IPs not in the whitelist cannot access cloud resources through the OpenAPI or SDK. See below for the list of cloud services that currently support restricting programmatic access.
You can restrict only IAM user login, only programmatic access, or both.
Filling Requirements for the IP Whitelist
Fill in the IP addresses or IP ranges that are allowed to access.
- If no IP whitelist is set, the whole network is allowed by default.
- To add more than one IP, separate them with a comma or a space.
- If you fill in an IP range such as 10.10.10.0/24, any address of the form 10.10.10.X is allowed; CIDR notation is supported.
AccessKey Leakage Monitoring and Warning
On the basis of a configured IP whitelist, the user can enable AccessKey leakage monitoring and warning, which triggers the warning provided by BCM once AccessKey access from non-whitelisted IPs reaches a certain number of times within a certain period, helping customers detect potential AccessKey leakage in time and effectively protecting the assets of the cloud account.
AccessKey (hereinafter AK) leakage monitoring and alarm uses the BCM event monitoring capability; the following two steps are needed to enable it:
- Enable AK leakage monitoring and warning in the Settings module of Identity and Access Management;
- Configure event monitoring for the BCT service in the Event Monitoring module of Cloud Monitoring (BCM);
Enable AK Leakage Monitoring and Warning
After the IP whitelist feature is enabled, click Enable next to AK Leakage Monitoring and Warning to complete the Identity and Access Management side, then go to the Event Monitoring module of BCM and configure it accordingly.
Configure the Event Warning
In BCM event monitoring, complete the configuration of the warning policy and warning action:
- Click Create Warning Policy;
- In the policy information module, fill in the policy name, select Cloud Audit BCT as the service, keep the default region of global, and leave the other options at their defaults;
- In the warning action module, select a configured warning action that pushes the warning to the corresponding contact person or group; if you have not configured any warning action, Add Warning Action first. Refer to Configuration of Warning Action for details.
Once configuration is complete, whenever an AK call from a non-whitelisted IP meets the warning trigger conditions, the corresponding contact person or group is notified according to the warning action configured in BCM. On receiving a warning, the relevant personnel should check the detailed access records in Cloud Audit as described in the notification to confirm whether the access is legitimate.
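As an added example (not the platform's own code), the following Python snippet models the two controls described in this section and in the IP whitelist section above: parsing a whitelist of comma- or space-separated IPs and CIDR ranges, and a sliding-window counter that raises an alert once one AccessKey is used from non-whitelisted IPs a set number of times within a set period. The threshold, the window, the AK identifier and the sample access records are constructed assumptions; the page does not state the real trigger values.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_whitelist(text: str) -> list:
    """Entries are separated by commas or spaces; single IPs and CIDR ranges are accepted."""
    return [ipaddress.ip_network(e, strict=False) for e in text.replace(",", " ").split()]

def allowed(source_ip: str, whitelist: list) -> bool:
    """With no whitelist configured the whole network is allowed (the console default)."""
    return not whitelist or any(ipaddress.ip_address(source_ip) in net for net in whitelist)

class AkLeakageMonitor:
    """Alert when one AccessKey is used from non-whitelisted IPs `threshold` times within
    `window`. Both values are assumptions; the page gives no concrete numbers."""

    def __init__(self, whitelist: list, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
        self.whitelist, self.threshold, self.window = whitelist, threshold, window
        self.hits = defaultdict(deque)  # AccessKey -> timestamps of rejected calls

    def observe(self, ts: datetime, access_key: str, source_ip: str):
        """Feed one API call in time order; return an alert string or None."""
        if allowed(source_ip, self.whitelist):
            return None
        q = self.hits[access_key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # slide the window forward
            q.popleft()
        if len(q) >= self.threshold:
            return f"{access_key}: {len(q)} non-whitelist calls within {self.window}, last from {source_ip}"
        return None

# Constructed sample access records (timestamp, AccessKey id, source IP); not real data.
SAMPLE_LOG = """2024-05-01T10:00:00 AK_EXAMPLE_0001 10.10.10.7
2024-05-01T10:01:00 AK_EXAMPLE_0001 203.0.113.5
2024-05-01T10:02:00 AK_EXAMPLE_0001 203.0.113.5
2024-05-01T10:03:00 AK_EXAMPLE_0001 203.0.113.9
2024-05-01T10:30:00 AK_EXAMPLE_0001 203.0.113.9
2024-05-01T10:31:00 AK_EXAMPLE_0001 203.0.113.9
2024-05-01T10:32:00 AK_EXAMPLE_0001 203.0.113.9"""

def run_sample(threshold: int = 3) -> list:
    # Whitelist of one CIDR range and one single host, as the filling rules allow.
    monitor = AkLeakageMonitor(parse_whitelist("10.10.10.0/24, 192.0.2.1"), threshold)
    alerts = []
    for line in SAMPLE_LOG.splitlines():
        ts, ak, ip = line.split()
        if alert := monitor.observe(datetime.fromisoformat(ts), ak, ip):
            alerts.append(alert)
    return alerts
```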
List of Services That Support Programmatic Access IP Restrictions
Computation
| Product name |
|---|
| Baidu Cloud Compute (BCC) |
| Baidu Baremetal Compute (BBC) |
| Baidu Application Engine (BAEPRO) |
| Baidu Container Instance (BCI) |
| Cloud Container Engine (CCE) |
| Cloud Function Compute (CFC) |
| Dedicated Cloud Compute (DCC) |
Network
| Product name |
|---|
| Elastic IP (EIP) |
| Baidu Load Balance (BLB) |
| Cloud DNS |
| Virtual Private Cloud (VPC) |
Storage and CDN
| Product name |
|---|
| Content Delivery Network (CDN) |
| Baidu Object Storage (BOS) |
| Cloud File Storage (CFS) |
| Baidu Storage Gateway (BSG) |
Security and management
| Product name |
|---|
| Anti-DDoS Service (ADAS) |
| Baidu Cloud Monitoring (BCM) |
| Baidu Cloud Security (BSS) |
Data analysis
| Product name |
|---|
| Baidu MapReduce (BMR) |
| Baidu Stream Compute (BSC) |
| Baidu Data Science Platform JARVIS |
| Baidu Message Service KAFKAI |
Database
| Product name |
|---|
| Relational Database Service (RDS) |
| Simple Cache Service (SCS) |
| Cloud database HTAP for CockroachDB |
| Cloud database DocDB for MongoDB |
Website service
| Product name |
|---|
| Hosteye Management Service (HME) |
| Baidu Cloud Hosting (BCH) |
| Baidu Cloud Domain Service (BCD) |
IoT service
| Product name |
|---|
| Time Series Database (TSDB) |
| Rule Engine |
| IoT Parser |
| IoT Device |
| Intelligent scheduling (ILS) |
| DuGo - AI Auto Cloud |
| Hangu IOT Secure Kit (HISK) |
Intelligent multi-media service
| Product name |
|---|
| Documentation Service (DOC) |
| Live Streaming Service (LSS) |
| Real-time audio/video communication (RTC) |
| Video on demand (VOD) |
AI
| Product name |
|---|
| OCR capacity engine AI_OCR |
| Face capacity engine AI_FACE |
| Baidu Machine Learning AI_BML |
Blockchain
| Product name |
|---|
| Baidu Blockchain Engine (BBE) |