Evaluates whether RAM roles have system-level or service-level administrator permissions. Roles without such permissions are considered compliant.
Scenarios
Use this rule to enforce the principle of least privilege (PoLP) for RAM roles and reduce security risks from excessive permissions.
Risk level
Default risk level: medium.
You can change the risk level when you apply this rule.
Compliance evaluation logic
- If a RAM role does not have system-level or service-level administrator permissions, the evaluation result is Compliant.
- If a RAM role has system-level or service-level administrator permissions, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
Rule details
| Item | Description |
| Rule name | ram-role-no-product-admin-access |
| Rule identifier | ram-role-no-product-admin-access |
| Tag | RAM and Role |
| Automatic remediation | Not supported |
| Trigger type | Configuration change and periodic execution |
| Evaluation frequency | Interval of 24 hours |
| Supported resource type | RAM role |
| Input parameter | None. |
Incompliance remediation
Modify a custom policy. For more information, see Modify a custom policy.