Checks whether each RAM user has the administrator permissions on the system, the administrator permissions on an Alibaba Cloud service, or the permissions inherited from a user group. If not, the evaluation result is Compliant.
Scenarios
This rule applies when you need to grant permissions to each RAM user based on the principle of least privilege (PoLP). This prevents security risks that may occur due to excessive permissions.
Risk level
Default risk level: medium.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If each RAM user does not have the administrator permissions on the system, the administrator permissions on an Alibaba Cloud service, or the permissions inherited from a user group, the evaluation result is Compliant.
- If a RAM user has the administrator permissions on the system or the administrator permissions on an Alibaba Cloud service, the evaluation result is Incompliant. If the RAM user does not have the administrator permissions on the system or the administrator permissions on an Alibaba Cloud service, but has permissions inherited from a user group, the evaluation result is also Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
Rule details
| Item | Description |
|---|---|
| Rule name | ram-user-no-product-admin-access |
| Rule identifier | ram-user-no-product-admin-access |
| Tag | RAM and User |
| Automatic remediation | Not supported |
| Trigger type | Periodic execution |
| Evaluation frequency | Interval of 24 hours |
| Supported resource type | RAM user |
| Input parameter | None. |
Incompliance remediation
Modify a custom policy For more information, see Modify a custom policy.