Use a custom rule to check whether MFA is enabled for a specified RAM user - Best Practices| Alibaba Cloud Documentation Center

You can enable multi-factor authentication (MFA) for a RAM user to enhance the logon security of the RAM user. The ram-risky-policy-user-mfa-check managed rule that Cloud Config provides can check whether MFA is enabled for all RAM users. To check whether MFA is enabled for a specified RAM user, such as a RAM user who is authorized to perform high-risk operations, you must use a custom rule.

Prerequisites

Message Service (MNS) is activated. For more information, see Activate MNS and authorize RAM users to access MNS.
Function Compute is activated. For more information, see Create a function in the Function Compute console.
A RAM user named Alice is created. The AliyunECSFullAccess system policy is attached to the RAM user to allow the RAM user to manage Elastic Compute Service (ECS) resources. For more information, see Create a RAM user and Grant permissions to a RAM user.

Parameters

To create a custom rule in Cloud Config, you must set the following items in the consoles of Cloud Config, MNS, RAM, and Function Compute, as described in the following table.


Cloud service	Item	Example
Cloud Config	Rule	RAMUserMFA
	Trigger type	Configuration change and periodic
	Time intervals	1 Hour
	Name of the input parameter	dangerousActions
	Expected value of the input parameter	ecs:,oss:,log:*
MNS	Topic	MNSTestConfig
MNS	Region	Singapore (Singapore) Note Cloud Config is deployed in the Singapore (Singapore) region. To reduce packet loss, we recommend that you specify Singapore (Singapore) as the region for the MNS topic.
RAM	RAM user name	Alice
	RAM user ID	25849250231246****
	Policy	AliyunECSFullAccess
Function Compute	Service	Ram_User
Function Compute	Function	RamDangerousPolicyUserBindMFA

Workflow

The following figure shows the procedure that you can follow to create a custom rule to check whether MFA is enabled for a RAM user. Workflow

Procedure

Create a service.
1. Log on to the Function Compute console.
2. In the top navigation bar, select a region,such as Singapore.
3. In the left-side navigation pane, click Services and Functions.
4. In the Services section, click Create Service.
5. On the Create Service page, enter Ram_User in the Service Name field. Clear the Bind Log check box.
6. Click Submit.
Create a function.
1. On the details page of the Ram_User service, click Create Function.
2. On the Create Function page, move the pointer to the Event Function section and click Configure and Deploy.
3. On the Create Function page, set the Service Name parameter to Ram_User, the Function Name parameter to RamDangerousPolicyUserBindMFA, and the Runtime parameter to python3. Keep the default settings of other parameters.
4. Click Create.

Set the environment variable of the function.

On the details page of the RamDangerousPolicyUserBindMFA function, click the Overview tab.
In the Function Properties section of the Overview tab, click Modify Configurations.

On the Modify Configurations page, set the Environment Variables parameter to Key Value. Enter the key and value of each environment variable.


Key	Value description	Example
AK	The AccessKey ID of your Alibaba Cloud account. For more information about how to obtain the AccessKey ID, see Obtain an AccessKey pair.	LTAI4G6JZSANb8MZMkm1****
SK	The AccessKey secret of your Alibaba Cloud account. For more information about how to obtain the AccessKey secret, see Obtain an AccessKey pair.	EMLHThhpD2UJqH1DXuAKii2sI****
ResourceTypes	The type of the resource.	ACS::RAM::User

Click Submit.

Configure the function code that checks whether MFA is enabled for a RAM user.

On the details page of the RamDangerousPolicyUserBindMFA function, click the Code tab. In the code editor, select the index.py file.

Copy and paste the following code to the index.py file:

The code checks whether MFA is enabled for a RAM user. The following table describes the main parameters in the code.


Parameter	Description	Example
AK	The AccessKey ID of your Alibaba Cloud account. The value must be the same as the AccessKey ID specified in Step 3.	LTAI4FgrMeKLB7NqDmPe****
SK	The AccessKey secret of your Alibaba Cloud account. The value must be the same as the AccessKey secret specified in Step 3.	dylEiakiwLFB1CufDyxyCwlCxZ****
user_name	The name of the RAM user.	N/A
rule_parameters	The input parameter of the rule.	dangerousActions
input_actions	The high-risk operations that you want to manage.	ecs:,oss:,log:*
configuration_item	The configuration items of the resource.	For more information, see What is the data structure of functions that can be used to create custom rules?

Note The sample code is used to check whether MFA is enabled for a specified RAM user. For more information about other parameters that can be used to check RAM users, see What is the data structure of functions that can be used to create custom rules?

In the code editor click, Deploy in the upper-right corner.

Create a custom rule.
1. Log on to the Cloud Config console.
2. In the left-side navigation pane, click Rules.
3. On the Rules page, click Create Rule.
4. On the Create Rule page, click Create Custom Rule.
5. In the Function ARN section of the Properties step, set the Region parameter to Singapore, the Service parameter to Ram_User, and the Function parameter to RamDangerousPolicyUserBindMFA. Enter RamUserMFA in the Rule Name field, select Configuration Change and Periodical Execution for the Trigger Type parameter, set the Frequency parameter to 1 Hour, and then click Next.
6. In the Assess Resource Scope step, click Custom Resource Types, select RAM User as the resource type to be associated with the rule and then click Next.
7. In the Parameters step, click Add Rule Parameter. Set the Key parameter to dangerousActions and the Expected Value parameter to ecs:*,oss:*,log:*. Click Next.
  
  Note The name and expected value of the input parameter must match the values of the rule_parameters and input_actions parameters specified in Stpe 4.
8. In the Modify step, click Next.
9. In the Preview and Save step, check the configurations and click Submit.
View the compliance evaluation result of RAM user Alice.
1. Click View Details.
2. Click the Result tab.
3. In the Compliance Result of Related Resources section of the Result tab, click the ID of the RAM user to view the compliance evaluation result.
Specify an MNS topic to which resource non-compliance events are delivered.
Specify the MNSTestConfig MNS topic to which resource non-compliance events are delivered. After the configuration is complete, MNS sends notifications to you when resource non-compliance events occur. For more information, see Send notifications of resource events to an MNS topic.