Checks whether multi-factor authentication (MFA) is enabled for each RAM user.
Scenario
After you enable MFA for a RAM user, MFA is used when the RAM user logs on. This reduces losses caused by account theft.
Risk level
Default risk level: high.
You can change the risk level as required when you apply this rule.
Compliance evaluation logic
- If MFA is enabled for each RAM user, the evaluation result is compliant.
- If MFA is disabled for a RAM user, the evaluation result is non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
Rule details
Item | Description |
---|---|
Rule name | ram-user-mfa-check |
Rule ID | ram-user-mfa-check |
Tag | RAM and User |
Automatic remediation | Not supported |
Trigger type | Configuration change and periodic execution |
Time interval | 24 hours |
Supported resource type | RAM user |
Input parameter | None |
Non-compliance remediation
Enable MFA for the RAM user. For more information, see Enable an MFA device for a RAM user.
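The compliance evaluation logic above can be reproduced offline to list the RAM users that need remediation. The following is an added example, not code from this page or from Cloud Config. It assumes input shaped like the responses of the RAM `ListUsers` and `ListVirtualMFADevices` operations, treats "MFA enabled" as "a virtual MFA device is bound to the user" (the managed rule's internal check is not documented here), and uses illustrative result labels. All sample data is constructed.

```python
import json

# Constructed sample data, shaped like RAM ListUsers and ListVirtualMFADevices
# responses (assumed shapes; the account ID, user IDs and names are made up).
LIST_USERS = json.loads("""
{"Users": {"User": [
  {"UserId": "2001", "UserName": "alice"},
  {"UserId": "2002", "UserName": "bob"},
  {"UserId": "2003", "UserName": "ci-deployer"}
]}}
""")
LIST_MFA_DEVICES = json.loads("""
{"VirtualMFADevices": {"VirtualMFADevice": [
  {"SerialNumber": "acs:ram::000000000000:mfa/alice",
   "User": {"UserId": "2001", "UserName": "alice"}},
  {"SerialNumber": "acs:ram::000000000000:mfa/spare"}
]}}
""")


def users_with_mfa(devices_resp):
    """Return the UserNames that have a virtual MFA device bound to them."""
    bound = set()
    devices = devices_resp.get("VirtualMFADevices", {}).get("VirtualMFADevice", [])
    for dev in devices:
        user = dev.get("User") or {}
        # A device that was created but never bound to a user does not count.
        if user.get("UserName"):
            bound.add(user["UserName"])
    return bound


def evaluate(users_resp, devices_resp):
    """Apply the rule's logic to each RAM user: MFA bound means compliant."""
    bound = users_with_mfa(devices_resp)
    results = []
    for u in users_resp.get("Users", {}).get("User", []):
        # Illustrative labels; the page only says compliant / non-compliant.
        status = "COMPLIANT" if u["UserName"] in bound else "NON_COMPLIANT"
        results.append({"resource_id": u["UserId"],
                        "user_name": u["UserName"], "compliance": status})
    return results


def non_compliant_users(results):
    return sorted(r["user_name"] for r in results if r["compliance"] == "NON_COMPLIANT")


if __name__ == "__main__":
    for r in evaluate(LIST_USERS, LIST_MFA_DEVICES):
        print(f'{r["user_name"]:<12} {r["compliance"]}')
```

The unbound `spare` device shows why counting MFA devices is not enough: only a device bound to a specific user makes that user compliant.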