Checks whether multi-factor authentication (MFA) is enabled for each RAM user to whom you attached the specified policy.

Scenario

If you attach a high-risk policy to a RAM user, you must enable MFA for the RAM user. MFA enhances security for your account. If account theft occurs, MFA reduces the risk of malicious operations and business losses.

Risk level

Default risk level: low.

You can change the risk level as required when you apply this rule.

Compliance evaluation logic

  • If MFA is enabled for each RAM user to whom you attached the specified policy, the evaluation result is compliant.
  • If MFA is disabled for a RAM user to whom you attached the specified policy, the evaluation result is non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
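The evaluation logic above, applied to a small inventory as an added example (not code from Cloud Config or its documentation). The record layout, the `NOT_APPLICABLE` label for users who do not hold the policy, and the policy and user names are assumptions made for illustration; `policy_name` stands in for the rule's `policyName` input parameter.

```python
# Added illustration: the inventory records and field names are constructed,
# not the output format of Cloud Config or the RAM API.
import json

SAMPLE_INVENTORY = json.loads("""
[
  {"user": "alice",  "mfa_enabled": true,  "policies": ["ExampleAdminPolicy"]},
  {"user": "bob",    "mfa_enabled": false, "policies": ["ExampleAdminPolicy", "ExampleReadOnlyPolicy"]},
  {"user": "carol",  "mfa_enabled": false, "policies": ["ExampleReadOnlyPolicy"]},
  {"user": "dave",   "policies": ["ExampleAdminPolicy"]}
]
""")


def evaluate_user(record, policy_name):
    """Return the verdict for one RAM user record."""
    if policy_name not in record.get("policies", []):
        # The rule only looks at users to whom the policy is attached.
        return "NOT_APPLICABLE"
    # Fail closed: a missing or non-boolean MFA field counts as MFA disabled.
    return "COMPLIANT" if record.get("mfa_enabled") is True else "NON_COMPLIANT"


def evaluate_rule(inventory, policy_name):
    """Return (per-user verdicts, sorted list of users that need MFA enabled)."""
    if not policy_name:
        raise ValueError("policyName is required")
    results = {r["user"]: evaluate_user(r, policy_name) for r in inventory}
    to_remediate = sorted(u for u, v in results.items() if v == "NON_COMPLIANT")
    return results, to_remediate


if __name__ == "__main__":
    verdicts, to_remediate = evaluate_rule(SAMPLE_INVENTORY, "ExampleAdminPolicy")
    for user, verdict in verdicts.items():
        print(f"{user}: {verdict}")
    print("Enable MFA for:", ", ".join(to_remediate) or "nobody")
```
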

Rule details

Item                      Description
Rule name                 ram-risky-policy-user-mfa-check
Rule ID                   ram-risky-policy-user-mfa-check
Tag                       RAM and User
Automatic remediation     Not supported
Trigger type              Periodic execution
Time interval             24 hours
Supported resource type   RAM user
Input parameter           policyName

Non-compliance remediation

Enable MFA for each RAM user to whom you attached the specified policy. For more information, see Enable an MFA device for a RAM user.