This topic describes the managed rules that are provided in the BestPracticesForAccountGovernance compliance package template.
| Rule name | Description |
|---|---|
| root-mfa-check | If multi-factor authentication (MFA) is enabled for each Alibaba Cloud account, the evaluation result is compliant. |
| ram-group-has-member-check | If each RAM user group contains one or more RAM users, the evaluation result is compliant. |
| root-ak-check | If no AccessKey pairs exist in each Alibaba Cloud account, the evaluation result is compliant. |
| ram-user-no-policy-check | If no policies are attached to each RAM user, the evaluation result is compliant. |
| ram-policy-no-statements-with-admin-access-check | If the Action parameter of each RAM user, RAM user group, and RAM role is not set
to *, the evaluation result is compliant. * indicates the super administrator permissions.
|
| ram-password-policy-check | If the settings of password policies created for each RAM user meet the specified values, the evaluation result is compliant. |
| ram-user-group-membership-check | If each RAM user belongs to a RAM user group, the evaluation result is compliant. |
| ram-risky-policy-user-mfa-check | If MFA is enabled for each RAM user to whom you attached the specified high-risk policy, the evaluation result is compliant. |
| ram-policy-in-use-check | If a policy is attached to one or more RAM user groups, RAM roles, or RAM users, the evaluation result is compliant. |
| ram-user-login-check | If both console logon and logon based on AccessKey pairs are disabled for a RAM user, the evaluation result is compliant. |
| ram-user-ak-create-date-expired-check | If the period between the time when the AccessKey pair of a RAM user is created and the time when the compliance evaluation starts is shorter than or equal to that specified by the input parameter, the evaluation result is compliant. |
| ram-user-last-login-expired-check | If each RAM user logs on to the system at least once in the last 90 days, the evaluation result is compliant. If no logon record exists for a RAM user, the system checks the update time. If the last update time is not more than 90 days before the current time, the evaluation result is compliant. |