Checks whether each RAM user has logged on to the Alibaba Cloud Management Console at least once in the last 90 days.

Scenario

You can use this rule to find inactive users at the earliest opportunity. Finding them early reduces the risk that the password of an inactive user is disclosed and improves account security.

Risk level

Default risk level: medium.

You can change the risk level as required when you apply this rule.

Compliance evaluation logic

  • If a RAM user has logged on to the Alibaba Cloud Management Console at least once in the last 90 days, the evaluation result is compliant.
    Note: If no logon record exists for a RAM user, the system checks the update time of the RAM user. If the last update time is not more than 90 days before now, the evaluation result is compliant.
  • If a RAM user has not logged on to the Alibaba Cloud Management Console in the last 90 days, the evaluation result is non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
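The evaluation logic above, including the fallback to the update time when no logon record exists, can be reproduced offline as follows. This is an added example, not Cloud Config's own code: the field names (UserName, LastLoginDate, UpdateDate), the timestamp format, the sample records, and the treatment of a timestamp exactly `days` old as compliant are all assumptions.

```python
from datetime import datetime, timedelta, timezone

def _parse(ts):
    """Parse a UTC timestamp such as 2024-05-20T09:12:00Z; empty or missing -> None."""
    if not ts:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_user(user, now, days=90):
    """Return (result, basis) for one user record (hypothetical field names)."""
    cutoff = now - timedelta(days=days)
    last_login = _parse(user.get("LastLoginDate"))
    if last_login is not None:
        # A logon record exists, so only the logon time is considered.
        # A recent update does not make a user with a stale logon compliant.
        result = "COMPLIANT" if last_login >= cutoff else "NON_COMPLIANT"
        return (result, "last_login")
    # No logon record: fall back to the user's last update time (see the Note).
    updated = _parse(user.get("UpdateDate"))
    if updated is not None and updated >= cutoff:
        return ("COMPLIANT", "update_time")
    # Assumption: a record with neither timestamp is reported as non-compliant.
    return ("NON_COMPLIANT", "update_time")

def evaluate_all(users, now, days=90):
    """Evaluate every record; `days` mirrors the rule's input parameter."""
    return {u["UserName"]: evaluate_user(u, now, days) for u in users}

# Constructed sample data and a fixed "now" so the results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"UserName": "alice", "LastLoginDate": "2024-05-20T09:12:00Z",
     "UpdateDate": "2023-01-01T00:00:00Z"},
    {"UserName": "bob", "LastLoginDate": "2023-11-02T10:00:00Z",
     "UpdateDate": "2024-05-30T00:00:00Z"},   # stale logon, recent update
    {"UserName": "ci-new", "LastLoginDate": "",
     "UpdateDate": "2024-04-15T00:00:00Z"},   # never logged on, recently updated
    {"UserName": "ci-stale", "LastLoginDate": "",
     "UpdateDate": "2023-02-01T00:00:00Z"},   # never logged on, not updated
]

if __name__ == "__main__":
    for name, (result, basis) in evaluate_all(SAMPLE_USERS, NOW).items():
        print(f"{name:10} {result:14} (based on {basis})")
```
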

Rule details

Item                      Description
Rule name                 ram-user-last-login-expired-check
Rule ID                   ram-user-last-login-expired-check
Tag                       RAM and User
Automatic remediation     Not supported
Trigger type              Periodic execution
Time interval             24 hours
Supported resource type   RAM user
Input parameter           days. Default value: 90.

Non-compliance remediation

  1. Log on to the Alibaba Cloud Management Console as the RAM user.

    For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.

  2. Delete the inactive RAM user.

    For more information, see Delete a RAM user.