Checks whether each Resource Access Management (RAM) role has the administrator permissions on the system or the administrator permissions on an Alibaba Cloud service. If not, the evaluation result is Compliant.
Scenarios
This rule applies when you need to grant permissions to each RAM user based on the principle of least privilege (PoLP). This prevents security risks that may occur due to excessive permissions.
Risk level
Default risk level: medium.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If each RAM role does not have the administrator permissions on the system or the administrator permissions on an Alibaba Cloud service, the evaluation result is Compliant.
- If a RAM role has the administrator permissions on the system or the administrator permissions on an Alibaba Cloud service, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
Rule details
| Item | Description |
|---|---|
| Rule name | ram-role-no-product-admin-access |
| Rule identifier | ram-role-no-product-admin-access |
| Tag | RAM and Role |
| Automatic remediation | Not supported |
| Trigger type | Configuration change and periodic execution |
| Evaluation frequency | Interval of 24 hours |
| Supported resource type | RAM role |
| Input parameter | None. |
Incompliance remediation
Modify a custom policy For more information, see Modify the document and description of a custom policy.