You can enable multi-factor authentication (MFA) for a RAM user to enhance the logon security of the RAM user. The ram-risky-policy-user-mfa-check managed rule that Cloud Config provides can check whether MFA is enabled for all RAM users. To check whether MFA is enabled for a specified RAM user, such as a RAM user that is authorized to perform high-risk operations, you must use a custom rule.

Prerequisites

Configuration items

To create a custom rule in Cloud Config, you must set the required configuration items in the consoles of Cloud Config, MNS, RAM, and Function Compute, as described in the following table.
Cloud service      Configuration item                       Example
Cloud Config       Rule                                     RAMUserMFA
                   Trigger type                             Configuration change and periodic execution
                   Time intervals                           1 hour
                   Name of the input parameter              dangerousActions
                   Expected value of the input parameter    ecs:*,oss:*,log:*
MNS                Topic                                    MNSTestConfig
                   Region                                   Singapore (Singapore)
                   Note: Cloud Config is deployed in the Singapore (Singapore) region. To reduce packet loss, we recommend that you specify Singapore (Singapore) as the region for the MNS topic.
RAM                RAM user name                            Alice
                   RAM user ID                              25849250231246****
                   Policy                                   AliyunECSFullAccess
Function Compute   Service                                  Ram_User
                   Function                                 RamDangerousPolicyUserBindMFA

Workflow

The following figure shows the procedure that you can follow to create a custom rule to check whether MFA is enabled for a specified RAM user. (Figure: Workflow)

Procedure

  1. Create a service.
    1. Log on to the Function Compute console.
    2. In the left-side navigation pane, click Services & Functions.
    3. In the top navigation bar, select a region, such as Singapore.
    4. On the Services page, click Create Service.
    5. In the Create Service panel, enter Ram_User in the Name field.
    6. Click OK.
  2. Create a function.
    1. On the details page of the Ram_User service, click Functions in the left-side navigation pane. Then, click Create Function.
    2. On the Create Function page, set the Function Name parameter to RamDangerousPolicyUserBindMFA, the Runtime Environments parameter to Python 3, and the Function Trigger Mode parameter to Event-triggered.
    3. Click Create.
  3. Set the environment variable of the function.
    1. On the details page of the RamDangerousPolicyUserBindMFA function, click the Configurations tab.
    2. In the Environment Variables section, click Modify.
    3. Click Add Variable and set the name and value for the environment variable.
      Key             Description                                                                                                          Example
      AK              The AccessKey ID of your Alibaba Cloud account. For more information about how to obtain an AccessKey ID, see Obtain an AccessKey pair.          LTAI4G6JZSANb8MZMkm1****
      SK              The AccessKey secret of your Alibaba Cloud account. For more information about how to obtain an AccessKey secret, see Obtain an AccessKey pair.  EMLHThhpD2UJqH1DXuAKii2sI****
      ResourceTypes   The type of the resource.                                                                                            ACS::RAM::User
    4. Click Save.
  4. Configure the function code that checks whether MFA is enabled for a specified RAM user.
    1. On the details page of the RamDangerousPolicyUserBindMFA function, click the Code tab. In the code editor, select the index.py file.
    2. Copy and paste the following code to the index.py file:
      The code checks whether MFA is enabled for a specified RAM user. The following table describes the main parameters in the code.
      Parameter            Description                                                                                                       Example
      AK                   The AccessKey ID of your Alibaba Cloud account. The value must be the same as the AccessKey ID specified in Step 3.          LTAI4FgrMeKLB7NqDmPe****
      SK                   The AccessKey secret of your Alibaba Cloud account. The value must be the same as the AccessKey secret specified in Step 3.  dylEiakiwLFB1CufDyxyCwlCxZ****
      user_name            The name of the RAM user.                                                                                         N/A
      rule_parameters      The input parameters of the rule.                                                                                 dangerousActions
      input_actions        The high-risk operations that you want to manage.                                                                 ecs:*,oss:*,log:*
      configuration_item   The configuration of the resource. For more information, see What is the data structure of functions that can be used to create custom rules?
      Note The sample code is used to check whether MFA is enabled for a specified RAM user. For more information about other parameters that can be used to check RAM users, see What is the data structure of functions that can be used to create custom rules?
    3. In the code editor, click Deploy in the upper-right corner.
  5. Create a custom rule.
    1. Log on to the Cloud Config console.
    2. In the left-side navigation pane, click Rules.
    3. On the Rules page, click Create Rule.
    4. On the Create Rule page, click Create Custom Rule.
    5. In the Function ARN section of the Properties step, set the Region parameter to Singapore, the Service parameter to Ram_User, and the Function parameter to RamDangerousPolicyUserBindMFA. Enter RamUserMFA in the Rule Name field, select Configuration Change and Periodical Execution for the Trigger Type parameter, set the Frequency parameter to 1 Hour, and then click Next.
      (Figure: Create Rule wizard)
    6. In the Assess Resource Scope step, click Custom Resource Types, select RAM User as the resource type to be associated with the rule, and then click Next.
      (Figure: Assess Resource Scope step)
    7. In the Parameters step, click Add Rule Parameter. Set the Key parameter to dangerousActions and the Expected Value parameter to ecs:*,oss:*,log:*. Then, click Next.
      (Figure: Parameters step)
      Note The name and expected value of the input parameter must match the values of rule_parameters and input_actions specified in Step 4.
    8. In the Modify step, click Next.
    9. In the Preview and Save step, check the configurations and click Submit.
  6. View the compliance evaluation result of the RAM user Alice.
    1. Click View Details.
    2. Click the Result tab.
    3. In the Compliance Result of Related Resources section of the Result tab, click the ID of the RAM user to view the compliance evaluation result.
      (Figure: View the compliance evaluation result)
  7. Specify an MNS topic to which resource non-compliance events are delivered.
    Specify an MNS topic, such as MNSTestConfig, to which resource non-compliance events are delivered. After the configuration is complete, MNS sends notifications to you when resource non-compliance events occur. For more information, see Deliver resource data to an MNS topic.
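The following is an added example of the compliance logic that the RamDangerousPolicyUserBindMFA function in Step 4 needs; it is not the page's own index.py. The Cloud Config event layout (invokingEvent.configurationItem and ruleParameters) is assumed, the RAM lookups for attached policy actions and MFA status are replaced by constructed sample data passed in as callbacks, and reporting the result back to Cloud Config is not shown.

```python
import fnmatch
import json

# Constructed sample data standing in for RAM API responses (not real accounts).
SAMPLE_POLICY_ACTIONS = {"Alice": ["ecs:*"], "Bob": ["vpc:DescribeVpcs"]}
SAMPLE_MFA_ENABLED = {"Alice": False, "Bob": False}


def parse_input_actions(rule_parameters, key="dangerousActions"):
    """Split the rule's comma-separated expected value into action patterns."""
    raw = rule_parameters.get(key, "")
    return [a.strip() for a in raw.split(",") if a.strip()]


def action_overlaps(policy_action, risky_action):
    """Both sides may carry wildcards (ecs:* vs ecs:DeleteInstance), so test each
    pattern against the other; a bare '*' (AdministratorAccess) matches everything."""
    return (fnmatch.fnmatchcase(policy_action, risky_action)
            or fnmatch.fnmatchcase(risky_action, policy_action))


def risky_actions_granted(policy_actions, input_actions):
    """Return the high-risk actions that at least one attached policy grants."""
    return sorted({r for r in input_actions
                   for p in policy_actions if action_overlaps(p, r)})


def evaluate_user(policy_actions, mfa_enabled, input_actions):
    """Only users holding a high-risk permission must have MFA; others pass."""
    granted = risky_actions_granted(policy_actions, input_actions)
    if granted and not mfa_enabled:
        return "NON_COMPLIANT", "MFA disabled; high-risk actions: " + ",".join(granted)
    return "COMPLIANT", "MFA enabled or no high-risk actions granted"


def evaluate_event(event, get_policy_actions=SAMPLE_POLICY_ACTIONS.get,
                   get_mfa_enabled=SAMPLE_MFA_ENABLED.get):
    """Evaluate one RAM user from a rule event. The event layout read here is the
    assumed Cloud Config shape; the two callbacks stand in for RAM API lookups."""
    evt = json.loads(event) if isinstance(event, str) else event
    item = evt["invokingEvent"]["configurationItem"]
    if item["resourceType"] != "ACS::RAM::User":
        return None  # the rule is scoped to RAM users only
    user_name = item["resourceName"]
    input_actions = parse_input_actions(evt.get("ruleParameters", {}))
    compliance, note = evaluate_user(get_policy_actions(user_name) or [],
                                     bool(get_mfa_enabled(user_name)), input_actions)
    return {"resourceId": item["resourceId"], "resourceType": item["resourceType"],
            "complianceType": compliance, "annotation": note}
```

With the sample data, Alice (AliyunECSFullAccess, no MFA) is reported as NON_COMPLIANT while Bob, who holds no action matching ecs:*,oss:*,log:*, is COMPLIANT even without MFA.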