All Products
Search
Document Center

Cloud Config:ram-role-has-specified-policy

Last Updated:Jun 10, 2026

Checks whether a policy that meets the specified conditions is attached to each Resource Access Management (RAM) role. A RAM role with no matching policy attached is evaluated as Incompliant.

Scenarios

Use this rule to enforce that RAM roles carry the policies your organization requires. It detects roles with missing or excessive permissions before they become a security risk.

Risk level

Default risk level: medium.

You can change the risk level when you configure this rule to meet your business requirements.

Compliance evaluation logic

  • If a policy that meets the specified conditions is attached to a RAM role, the evaluation result is Compliant.

  • If no matching policy is attached to a RAM role, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.

Rule details

Item Description
Rule name ram-role-has-specified-policy
Rule identifier ram-role-has-specified-policy
Tag RAM, Role, and Policy
Automatic remediation Not supported
Trigger type Periodic execution
Evaluation frequency Interval of 24 hours
Supported resource type RAM roles
Input parameter
  • action
  • effect. Default value: Allow.
  • resource

Incompliance remediation

Attach a policy that meets the specified conditions to the incompliant RAM role. For more information, see Modify a custom policy.