Checks whether the period between the time when each RAM user last used an AccessKey pair and the current time is shorter than a specified period.
Scenario
We recommend that you delete the AccessKey pairs that are not used by RAM users within a specified period to reduce the risk of disclosing the AccessKey pairs.
Risk level
Default risk level: low.
You can change the risk level as required when you apply this rule.
Compliance evaluation logic
- If the period between the time when each RAM user last used an AccessKey pair and the current time is shorter than the specified period, the evaluation result is compliant.
- If the period between the time when each RAM user last used an AccessKey pair and the current time is longer than or equal to the specified period, the evaluation result is non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
Rule details
| Item | Description |
| Rule name | ram-user-ak-used-expired-check |
| Rule ID | ram-user-ak-used-expired-check |
| Tag | RAM and AK |
| Automatic remediation | Not supported |
| Trigger type | Periodic execution |
| Time interval | 24 hours |
| Supported resource type | RAM user |
| Input parameter | days. Default value: 90. |
Non-compliance remediation
Delete the AccessKey pair that is not used by the RAM user within the specified period. For more information, see Delete an AccessKey pair of a RAM user.