This topic describes the managed rules that are provided in the BestPracticesForAccountGovernance compliance package template.

Rule name Description
root-mfa-check If multi-factor authentication (MFA) is enabled for each Alibaba Cloud account, the evaluation result is compliant.
ram-group-has-member-check If each RAM user group contains one or more RAM users, the evaluation result is compliant.
root-ak-check If no AccessKey pairs exist in each Alibaba Cloud account, the evaluation result is compliant.
ram-user-no-policy-check If no policies are attached to each RAM user, the evaluation result is compliant.
ram-policy-no-statements-with-admin-access-check If the Action parameter of each RAM user, RAM user group, and RAM role is not set to *, the evaluation result is compliant. * indicates the super administrator permissions.
ram-password-policy-check If the settings of password policies created for each RAM user meet the specified values, the evaluation result is compliant.
ram-user-group-membership-check If each RAM user belongs to a RAM user group, the evaluation result is compliant.
ram-risky-policy-user-mfa-check If MFA is enabled for each RAM user to whom you attached the specified high-risk policy, the evaluation result is compliant.
ram-policy-in-use-check If a policy is attached to one or more RAM user groups, RAM roles, or RAM users, the evaluation result is compliant.
ram-user-login-check If both console logon and logon based on AccessKey pairs are disabled for a RAM user, the evaluation result is compliant.
ram-user-ak-create-date-expired-check If the period between the time when the AccessKey pair of a RAM user is created and the time when the compliance evaluation starts is shorter than or equal to that specified by the input parameter, the evaluation result is compliant.
ram-user-last-login-expired-check If each RAM user logs on to the system at least once in the last 90 days, the evaluation result is compliant. If no logon record exists for a RAM user, the system checks the update time. If the last update time is not more than 90 days before the current time, the evaluation result is compliant.