You can enable multi-factor authentication (MFA) for a RAM user to enhance the logon security of the RAM user. The ram-risky-policy-user-mfa-check managed rule that Cloud Config provides can check whether MFA is enabled for all RAM users. To check whether MFA is enabled for a specified RAM user, such as a RAM user who is authorized to perform high-risk operations, you must use a custom rule.

Prerequisites

Parameters

To create a custom rule in Cloud Config, you must set the following items in the consoles of Cloud Config, MNS, RAM, and Function Compute, as described in the following table.
Cloud service      Item                                    Example
Cloud Config       Rule                                    RAMUserMFA
                   Trigger type                            Configuration change and periodic
                   Time intervals                          1 Hour
                   Name of the input parameter             dangerousActions
                   Expected value of the input parameter   ecs:*,oss:*,log:*
MNS                Topic                                   MNSTestConfig
                   Region                                  Singapore (Singapore)
RAM                RAM user name                           Alice
                   RAM user ID                             25849250231246****
                   Policy                                  AliyunECSFullAccess
Function Compute   Service                                 Ram_User
                   Function                                RamDangerousPolicyUserBindMFA

Note: Cloud Config is deployed in the Singapore (Singapore) region. To reduce packet loss, we recommend that you specify Singapore (Singapore) as the region for the MNS topic.

Workflow

The following figure shows the procedure that you can follow to create a custom rule to check whether MFA is enabled for a RAM user.

Procedure

  1. Create a service.
    1. Log on to the Function Compute console.
    2. In the top navigation bar, select a region, such as Singapore.
    3. In the left-side navigation pane, click Services and Functions.
    4. In the Services section, click Create Service.
    5. On the Create Service page, enter Ram_User in the Service Name field. Clear the Bind Log check box.
    6. Click Submit.
  2. Create a function.
    1. On the details page of the Ram_User service, click Create Function.
    2. On the Create Function page, move the pointer to the Event Function section and click Configure and Deploy.
    3. On the Create Function page, set the Service Name parameter to Ram_User, the Function Name parameter to RamDangerousPolicyUserBindMFA, and the Runtime parameter to python3. Keep the default settings of other parameters.
    4. Click Create.
  3. Set the environment variable of the function.
    1. On the details page of the RamDangerousPolicyUserBindMFA function, click the Overview tab.
    2. In the Function Properties section of the Overview tab, click Modify Configurations.
    3. On the Modify Configurations page, set the Environment Variables parameter to Key Value. Enter the key and value of each environment variable.
      AK: The AccessKey ID of your Alibaba Cloud account. For more information about how to obtain the AccessKey ID, see Obtain an AccessKey pair. Example: LTAI4G6JZSANb8MZMkm1****
      SK: The AccessKey secret of your Alibaba Cloud account. For more information about how to obtain the AccessKey secret, see Obtain an AccessKey pair. Example: EMLHThhpD2UJqH1DXuAKii2sI****
      ResourceTypes: The type of the resource. Example: ACS::RAM::User
    4. Click Submit.
  4. Configure the function code that checks whether MFA is enabled for a RAM user.
    1. On the details page of the RamDangerousPolicyUserBindMFA function, click the Code tab. In the code editor, select the index.py file.
    2. Copy and paste the following code to the index.py file:
      The code checks whether MFA is enabled for a RAM user. The following table describes the main parameters in the code.
      AK: The AccessKey ID of your Alibaba Cloud account. The value must be the same as the AccessKey ID specified in Step 3. Example: LTAI4FgrMeKLB7NqDmPe****
      SK: The AccessKey secret of your Alibaba Cloud account. The value must be the same as the AccessKey secret specified in Step 3. Example: dylEiakiwLFB1CufDyxyCwlCxZ****
      user_name: The name of the RAM user. Example: N/A
      rule_parameters: The input parameter of the rule. Example: dangerousActions
      input_actions: The high-risk operations that you want to manage. Example: ecs:*,oss:*,log:*
      configuration_item: The configuration items of the resource. For more information, see What is the data structure of functions that can be used to create custom rules?
      Note The sample code is used to check whether MFA is enabled for a specified RAM user. For more information about other parameters that can be used to check RAM users, see What is the data structure of functions that can be used to create custom rules?
    3. In the code editor, click Deploy in the upper-right corner.
  5. Create a custom rule.
    1. Log on to the Cloud Config console.
    2. In the left-side navigation pane, click Rules.
    3. On the Rules page, click Create Rule.
    4. On the Create Rule page, click Create Custom Rule.
    5. In the Function ARN section of the Properties step, set the Region parameter to Singapore, the Service parameter to Ram_User, and the Function parameter to RamDangerousPolicyUserBindMFA. Enter RamUserMFA in the Rule Name field, select Configuration Change and Periodical Execution for the Trigger Type parameter, set the Frequency parameter to 1 Hour, and then click Next.
    6. In the Assess Resource Scope step, click Custom Resource Types, select RAM User as the resource type to be associated with the rule, and then click Next.
    7. In the Parameters step, click Add Rule Parameter. Set the Key parameter to dangerousActions and the Expected Value parameter to ecs:*,oss:*,log:*. Click Next.
      Note: The name and expected value of the input parameter must match the values of the rule_parameters and input_actions parameters specified in Step 4.
    8. In the Modify step, click Next.
    9. In the Preview and Save step, check the configurations and click Submit.
  6. View the compliance evaluation result of RAM user Alice.
    1. Click View Details.
    2. Click the Result tab.
    3. In the Compliance Result of Related Resources section of the Result tab, click the ID of the RAM user to view the compliance evaluation result.
  7. Specify an MNS topic to which resource non-compliance events are delivered.
    Specify the MNSTestConfig MNS topic to which resource non-compliance events are delivered. After the configuration is complete, MNS sends notifications to you when resource non-compliance events occur. For more information, see Send notifications of resource events to an MNS topic.
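The compliance logic that the index.py sample in Step 4 implements, as an added example that is not the page's own code: the RAM lookups a deployed function would make (ListPoliciesForUser, GetPolicyVersion, GetUserMFAInfo) are replaced by plain inputs, and the COMPLIANT/NON_COMPLIANT result strings and the wildcard-overlap rule are assumptions, so it runs offline on constructed policy documents.

```python
import fnmatch
import json

def parse_dangerous_actions(rule_parameters):
    """rule_parameters is the JSON string Cloud Config passes to the function,
    e.g. '{"dangerousActions": "ecs:*,oss:*,log:*"}'; returns the patterns."""
    raw = json.loads(rule_parameters).get("dangerousActions", "")
    return [a.strip() for a in raw.split(",") if a.strip()]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def holds_dangerous_permission(policy_documents, dangerous_actions):
    """True if any Allow statement grants an action overlapping a dangerous pattern.
    RAM actions are 'service:Operation' with '*' wildcards. The overlap test is
    approximate (assumed): a wildcard match in either direction counts ('*' covers
    all), and Deny statements, Resource and Condition elements are ignored."""
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            for granted in _as_list(stmt.get("Action", [])):
                for pattern in dangerous_actions:
                    if fnmatch.fnmatchcase(granted, pattern) or fnmatch.fnmatchcase(pattern, granted):
                        return True
    return False

def evaluate_user(user_name, policy_documents, mfa_bound, dangerous_actions):
    """Return (compliance_type, annotation). The compliance type strings are
    assumed to be the COMPLIANT / NON_COMPLIANT values Cloud Config reports."""
    if not holds_dangerous_permission(policy_documents, dangerous_actions):
        return "COMPLIANT", "%s holds no high-risk permission" % user_name
    if mfa_bound:
        return "COMPLIANT", "%s holds high-risk permission and has an MFA device bound" % user_name
    return "NON_COMPLIANT", "%s holds high-risk permission but no MFA device is bound" % user_name

# Constructed sample inputs (not real account data): Alice with an ECS full-access
# style policy and no MFA device, Bob with a VPC read-only policy.
SAMPLE_RULE_PARAMETERS = '{"dangerousActions": "ecs:*,oss:*,log:*"}'
ECS_FULL_ACCESS = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}]}
VPC_READ_ONLY = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["vpc:Describe*"], "Resource": "*"}]}

if __name__ == "__main__":
    actions = parse_dangerous_actions(SAMPLE_RULE_PARAMETERS)
    print(evaluate_user("Alice", [ECS_FULL_ACCESS], False, actions))  # NON_COMPLIANT
    print(evaluate_user("Bob", [VPC_READ_ONLY], False, actions))      # COMPLIANT
```

A real index.py would read the user name from configuration_item, fetch the attached policy documents and MFA status from RAM, and report the tuple back to Cloud Config.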