Cloud Config: Check that RAM users do not have both console access and API call access enabled

Last Updated: Sep 30, 2025

A Resource Access Management (RAM) user is considered compliant if they do not have both console access and API call access enabled.

Risk level

Default risk level: Low.

You can change the risk level as needed.

Detection logic

A RAM user is considered compliant if they do not have both console access and API call access enabled. This holds when either of the following two conditions is met. The first condition concerns console access, which covers both single sign-on (SSO) and console logon: if SSO is enabled, the condition is met when the user's last logon was more than seven days ago; if SSO is not enabled, the condition is met when console access is disabled. The second condition concerns API call access: it is met when the user has no AccessKeys.
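The detection logic above, written out as an offline check over an exported user inventory. This is an added example, not Cloud Config's own implementation: the `RamUser` record shape, its field names, the sample users and the treatment of an SSO user with no recorded logon are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

CONSOLE_IDLE_WINDOW = timedelta(days=7)  # "more than seven days ago" in the rule text

@dataclass
class RamUser:
    # Hypothetical record shape; field names are assumptions, not Cloud Config's schema.
    name: str
    sso_enabled: bool
    console_login_enabled: bool
    last_login: Optional[datetime] = None
    access_key_ids: list = field(default_factory=list)

def console_condition_met(user: RamUser, now: datetime) -> bool:
    """Condition 1: the user has no effective console (human) access."""
    if user.sso_enabled:
        # Assumption: an SSO user with no recorded logon counts as idle.
        if user.last_login is None:
            return True
        return now - user.last_login > CONSOLE_IDLE_WINDOW  # strictly more than 7 days
    return not user.console_login_enabled

def api_condition_met(user: RamUser) -> bool:
    """Condition 2: the user has no AccessKeys at all (key status is not considered)."""
    return len(user.access_key_ids) == 0

def evaluate(user: RamUser, now: datetime) -> str:
    if console_condition_met(user, now) or api_condition_met(user):
        return "COMPLIANT"
    return "NON_COMPLIANT"

def audit(users, now):
    return {u.name: evaluate(u, now) for u in users}

# Constructed sample inventory (not real accounts or key IDs).
NOW = datetime(2025, 9, 30, tzinfo=timezone.utc)
SAMPLE_USERS = [
    RamUser("alice-console-only", False, True, NOW - timedelta(days=1)),
    RamUser("ci-deployer", False, False, None, ["AK-EXAMPLE-1"]),
    RamUser("bob-mixed", False, True, NOW - timedelta(days=2), ["AK-EXAMPLE-2"]),
    RamUser("carol-sso-stale", True, False, NOW - timedelta(days=30), ["AK-EXAMPLE-3"]),
    RamUser("dave-sso-recent", True, False, NOW - timedelta(days=7), ["AK-EXAMPLE-4"]),
]

if __name__ == "__main__":
    for name, result in audit(SAMPLE_USERS, NOW).items():
        print(f"{name}: {result}")
```

The `dave-sso-recent` record sits exactly on the seven-day boundary and is still flagged, because the rule requires the last logon to be more than seven days ago.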

Rule details

| Parameter | Description |
| --- | --- |
| Rule name | Check that a RAM user does not have both a human identity and a program identity |
| Rule identifier | ram-user-login-check-v2 |
| Automatic remediation | Not supported |
| Rule trigger | Configuration changes |
| Supported resource types | ACS::RAM::User |
| Input parameters | None |

Remediation

For remediation steps, see Log on to the Alibaba Cloud Management Console as a RAM user.