Checks whether a policy that meets the specified conditions is attached to each Resource Access Management (RAM) role. A RAM role with no matching policy attached is evaluated as Incompliant.
Scenarios
Use this rule to enforce that RAM roles carry the policies your organization requires. It detects roles with missing or excessive permissions before they become a security risk.
Risk level
Default risk level: medium.
You can change the risk level when you configure this rule to meet your business requirements.
Compliance evaluation logic
If a policy that meets the specified conditions is attached to a RAM role, the evaluation result is Compliant.
If no matching policy is attached to a RAM role, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
Rule details
| Item | Description |
| Rule name | ram-role-has-specified-policy |
| Rule identifier | ram-role-has-specified-policy |
| Tag | RAM, Role, and Policy |
| Automatic remediation | Not supported |
| Trigger type | Periodic execution |
| Evaluation frequency | Interval of 24 hours |
| Supported resource type | RAM roles |
| Input parameter |
|
Incompliance remediation
Attach a policy that meets the specified conditions to the incompliant RAM role. For more information, see Modify a custom policy.