Checks whether console access and API access are enabled for a RAM user at the same time.
Scenario
Enabling console access and API access for the same RAM user at the same time introduces security risks. Console access and API access can be enabled separately for RAM users in different fields, such as O&M and R&D. We recommend that you do not enable console access and API access for a RAM user at the same time. This way, you can isolate the permissions of RAM users and adhere to the principle of least privilege.
Risk level
Default risk level: low.
You can change the risk level as required when you apply this rule.
Compliance evaluation logic
- If console access and API access are not enabled for a RAM user at the same time, the evaluation result is compliant.
- If console access and API access are enabled for a RAM user at the same time, the evaluation result is non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
Rule details
Item | Description |
---|---|
Rule name | ram-user-login-check |
Rule ID | ram-user-login-check |
Tag | RAM and User |
Automatic remediation | Not supported |
Trigger type | Configuration change |
Supported resource type | RAM user |
Input parameter | None |
Non-compliance remediation
Enable either console access or API access for the RAM user, but not both. For more information, see "Log on to the Alibaba Cloud Management Console as a RAM user" or "Disable an AccessKey pair".
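The evaluation logic and the remediation outcome described above, as an added Python example (not Cloud Config's own code). The `RamUser` record and its field names are hypothetical. Treating a disabled (`Inactive`) AccessKey pair as "no API access" is an assumption, since this page does not define it; `count_inactive_keys=True` shows the stricter reading.

```python
from dataclasses import dataclass, field

# Hypothetical inventory record for this example; the field names are
# assumptions, not the schema used by Cloud Config or the RAM API.
@dataclass
class RamUser:
    name: str
    console_login_enabled: bool
    access_key_statuses: list = field(default_factory=list)  # e.g. ["Active", "Inactive"]

def has_api_access(user, count_inactive_keys=False):
    """Assumption: only Active AccessKey pairs count as API access by default."""
    if count_inactive_keys:
        return len(user.access_key_statuses) > 0
    return any(status == "Active" for status in user.access_key_statuses)

def evaluate(user, count_inactive_keys=False):
    """COMPLIANT unless console access and API access are enabled together."""
    both = user.console_login_enabled and has_api_access(user, count_inactive_keys)
    return "NON_COMPLIANT" if both else "COMPLIANT"

def report(users, count_inactive_keys=False):
    """Map each user name to its evaluation result."""
    return {u.name: evaluate(u, count_inactive_keys) for u in users}

# Constructed sample users covering each branch of the rule.
SAMPLE_USERS = [
    RamUser("ops-console", True, []),                    # console only
    RamUser("ci-deployer", False, ["Active"]),           # API only
    RamUser("dev-mixed", True, ["Active", "Inactive"]),  # both enabled
    RamUser("dev-remediated", True, ["Inactive"]),       # AccessKey pair disabled
    RamUser("unused", False, []),                        # neither
]

if __name__ == "__main__":
    for name, result in report(SAMPLE_USERS).items():
        print(f"{name}: {result}")
```
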