All Products
Search
Document Center

Cloud Config:ram-role-no-product-admin-access

Last Updated:Jun 16, 2026

Evaluates whether RAM roles have system-level or service-level administrator permissions. Roles without such permissions are considered compliant.

Scenarios

Use this rule to enforce the principle of least privilege (PoLP) for RAM roles and reduce security risks from excessive permissions.

Risk level

Default risk level: medium.

You can change the risk level when you apply this rule.

Compliance evaluation logic

  • If a RAM role does not have system-level or service-level administrator permissions, the evaluation result is Compliant.
  • If a RAM role has system-level or service-level administrator permissions, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.

Rule details

Item Description
Rule name ram-role-no-product-admin-access
Rule identifier ram-role-no-product-admin-access
Tag RAM and Role
Automatic remediation Not supported
Trigger type Configuration change and periodic execution
Evaluation frequency Interval of 24 hours
Supported resource type RAM role
Input parameter None.

Incompliance remediation

Modify a custom policy. For more information, see Modify a custom policy.