Checks whether each RAM user has a policy attached that meets the specified conditions, including permissions inherited from a specified user group. If no such policy is attached, the evaluation result is Compliant.
Scenarios
This rule applies when you need to grant specific permissions to a RAM user. This prevents security risks that may occur due to excessive permissions.
Risk level
Default risk level: medium.
When you configure this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If a policy that meets the specified conditions and includes the permissions that are inherited from a specified user group is not attached to each RAM user, the evaluation result is Compliant.
- If a policy that meets the specified conditions and includes the permissions that are inherited from a specified user group is attached to each RAM user, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
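The evaluation logic above, as an added Python example that is not Cloud Config's own code. It assumes the "specified conditions" are a set of policy names and that inheritance is checked through every group a user belongs to; the names `RamUser`, `evaluate_user`, `evaluate_all` and all sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class RamUser:
    name: str
    direct_policies: set = field(default_factory=set)  # attached to the user
    groups: list = field(default_factory=list)         # group memberships


def evaluate_user(user, group_policies, specified_policies):
    """Return (result, findings); findings are (policy, source) pairs."""
    findings = [(p, "direct") for p in user.direct_policies & specified_policies]
    for group in user.groups:
        # A group missing from the inventory contributes no policies.
        for p in group_policies.get(group, set()) & specified_policies:
            findings.append((p, f"group:{group}"))
    result = "Incompliant" if findings else "Compliant"
    return result, sorted(findings)


def evaluate_all(users, group_policies, specified_policies):
    """Evaluate every user; the result is keyed by user name."""
    return {u.name: evaluate_user(u, group_policies, specified_policies)
            for u in users}


# Constructed sample inventory (not real account data).
GROUP_POLICIES = {
    "ops-admins": {"AdministratorAccess"},
    "auditors": {"ReadOnlyAccess"},
}
USERS = [
    RamUser("alice", {"AliyunOSSReadOnlyAccess"}, ["auditors"]),
    RamUser("bob", set(), ["ops-admins"]),         # inherits via group only
    RamUser("carol", {"AdministratorAccess"}, []),  # direct attachment
    RamUser("dave", set(), ["missing-group"]),      # unknown group
]
SPECIFIED = {"AdministratorAccess"}  # assumed rule input: policy names

if __name__ == "__main__":
    for name, (result, findings) in evaluate_all(
            USERS, GROUP_POLICIES, SPECIFIED).items():
        print(f"{name}: {result} {findings}")
```

Recording the source of each match shows whether remediation means detaching a policy from the user or changing a group membership.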
Rule details
| Item | Description |
|---|---|
| Rule name | ram-user-no-has-specified-policy |
| Rule identifier | ram-user-no-has-specified-policy |
| Tag | RAM and Policy |
| Automatic remediation | Not supported |
| Trigger type | Periodic execution |
| Evaluation frequency | Interval of 24 hours |
| Supported resource type | RAM users |
| Input parameter | |
Incompliance remediation
Enable SSO for a RAM user. For more information, see Overview of user-based SSO.