This topic describes the managed rules that are related to Resource Access Management (RAM) and the rectification methods for non-compliant RAM resources.

Rule name: ram-user-mfa-check

Checks whether multi-factor authentication (MFA) is enabled for a RAM user under your account.

Trigger type: configuration change

Applicable resource type: ACS::RAM::User

Input parameter: none

Non-compliance description: MFA is not enabled for a RAM user under your account. In this case, the rule considers the RAM user non-compliant.

Rectification method: Enable MFA for the RAM user. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes. You can rectify the non-compliance in the RAM console or by calling the UpdateLoginProfile operation.
  • To enable MFA for the RAM user in the RAM console, perform the following steps:
      1. Log on to the RAM console.
      2. In the left-side navigation pane, choose Identities > Users.
      3. On the page that appears, click the name of the target RAM user.
      4. On the Authentication tab, click Modify Logon Settings in the Console Logon Management section.
      5. In the right-side pane that appears, set Enable MFA to Required and click OK.
    For more information, see Enable an MFA device for a RAM user.

  • You can also call the UpdateLoginProfile operation and set MFABindRequired to true to enable MFA for the RAM user. For more information, see UpdateLoginProfile.
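
The following added example (not part of the original documentation) triages RAM users offline and renders the UpdateLoginProfile call described above as one aliyun CLI command per non-compliant user, so that the commands can be reviewed before they are run. The sample profiles are constructed. It assumes that MFABindRequired set to true, the setting the rectification method applies, is what marks a user as compliant, and that a user without a logon profile is skipped; the rule's own evaluation logic for these cases is not stated in this topic.

```python
import shlex

# Constructed sample data: user name -> the "LoginProfile" object of a
# GetLoginProfile response, or None when the user has no console logon profile.
SAMPLE_PROFILES = {
    "alice": {"UserName": "alice", "MFABindRequired": True},
    "bob": {"UserName": "bob", "MFABindRequired": False},
    "carol": {"UserName": "carol"},   # field missing: treated as not enforced
    "ci-bot": None,                   # assumed API-only user, no console logon
}


def triage(profiles):
    """Split users into compliant, non_compliant and no_console_logon lists."""
    result = {"compliant": [], "non_compliant": [], "no_console_logon": []}
    for name in sorted(profiles):
        profile = profiles[name]
        if profile is None:
            # Assumption of this example: nothing to enforce at console logon.
            result["no_console_logon"].append(name)
        elif profile.get("MFABindRequired") is True:
            result["compliant"].append(name)
        else:
            result["non_compliant"].append(name)
    return result


def remediation_request(user_name):
    """Parameters for the UpdateLoginProfile call that enforces MFA."""
    return {"Action": "UpdateLoginProfile", "UserName": user_name,
            "MFABindRequired": "true"}


def remediation_commands(profiles):
    """Render one aliyun CLI command per non-compliant user."""
    commands = []
    for name in triage(profiles)["non_compliant"]:
        req = remediation_request(name)
        commands.append("aliyun ram {} --UserName {} --MFABindRequired {}".format(
            req["Action"], shlex.quote(req["UserName"]), req["MFABindRequired"]))
    return commands


if __name__ == "__main__":
    for line in remediation_commands(SAMPLE_PROFILES):
        print(line)
```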