
Cloud Config: BestPracticesForIdentityAndPermissions

Last Updated: Sep 12, 2023

The BestPracticesForIdentityAndPermissions compliance package template checks the settings and usage of AccessKey pairs, Alibaba Cloud accounts, and RAM users. This topic describes the managed rules in the BestPracticesForIdentityAndPermissions compliance package template.

Rule name, followed by its description:

ram-user-ak-create-date-expired-check

Checks whether the AccessKey pair of each RAM user was created within the specified number of days before the check time, that is, whether the pair is younger than the threshold. If so, the evaluation result is Compliant. Default value: 90. Unit: days. Pairs older than the threshold should be rotated.

ram-user-ak-used-expired-check

Checks whether the AccessKey pair of each RAM user was last used within the specified number of days before the current day. If so, the evaluation result is Compliant. Default value: 90. Unit: days. An active pair that has not been used for longer than the threshold is an idle credential and should be disabled or deleted.

ram-user-login-check

Checks whether each RAM user has only one of console access and API access enabled, rather than both. If so, the evaluation result is Compliant. Keeping human (console) identities separate from programmatic (AccessKey) identities limits what a single compromised credential can do.

ram-user-last-login-expired-check

Checks whether each RAM user has logged on within the last 90 days. If so, the evaluation result is Compliant. A RAM user that has been updated within the last 90 days is also evaluated as Compliant, regardless of whether it has logged on recently. RAM users that have no console access are evaluated as Not Applicable.

ram-user-activated-ak-quantity-check

Checks whether each RAM user has fewer than two activated AccessKey pairs that are older than the specified number of days. If so, the evaluation result is Compliant. In most cases a RAM user should own a single valid AccessKey pair, and two only temporarily while a pair is being rotated; once the new pair is in use, the old pair should be disabled and then deleted.
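The three AccessKey rules above share one evaluation model: per RAM user, look at the active pairs, compare creation and last-used dates with a day threshold, and count the active pairs that are older than the threshold. The following is an added example that implements that model in Python; it is not Alibaba Cloud Config's own code. The records mimic the fields RAM returns for AccessKey pairs (AccessKeyId, Status, CreateDate, LastUsedDate), but the exact field names, the per-user "all active pairs must pass" semantics, and the treatment of never-used pairs are assumptions, and all sample data is constructed.

```python
# Added example (not Alibaba Cloud Config's own code): evaluate the AccessKey
# pairs of RAM users against the three AK rules described above. The record
# shape mimics RAM's ListAccessKeys / GetAccessKeyLastUsed output; field names,
# per-user semantics and the never-used fallback are assumptions. Data is constructed.
from datetime import datetime, timedelta, timezone

DEFAULT_MAX_DAYS = 90  # default threshold of the rules described above

RULES = (
    "ram-user-ak-create-date-expired-check",
    "ram-user-ak-used-expired-check",
    "ram-user-activated-ak-quantity-check",
)


def _ts(value):
    """Parse a RAM-style UTC timestamp such as '2023-06-01T08:00:00Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _verdict(ok):
    return "Compliant" if ok else "NonCompliant"


def evaluate_user_access_keys(keys, now, max_days=DEFAULT_MAX_DAYS):
    """Evaluate one RAM user's AccessKey pairs.

    Returns {rule_name: 'Compliant' | 'NonCompliant' | 'NotApplicable'}.
    Inactive pairs are ignored; a user with no active pair gets NotApplicable.
    """
    cutoff = now - timedelta(days=max_days)
    active = [k for k in keys if k["Status"] == "Active"]
    if not active:
        return {rule: "NotApplicable" for rule in RULES}

    # Rule 1: every active pair must have been created within the window.
    create_ok = all(_ts(k["CreateDate"]) >= cutoff for k in active)

    # Rule 2: every active pair must have been used within the window.
    # Assumption: a pair that was never used is judged by its creation date,
    # so a freshly issued replacement pair does not fail the rule mid-rotation.
    used_ok = all(_ts(k.get("LastUsedDate") or k["CreateDate"]) >= cutoff for k in active)

    # Rule 3: at most one active pair may be older than the window. One old and
    # one new pair is a rotation in progress; two old active pairs means it stalled.
    old_active = [k for k in active if _ts(k["CreateDate"]) < cutoff]
    quantity_ok = len(old_active) < 2

    return dict(zip(RULES, (_verdict(create_ok), _verdict(used_ok), _verdict(quantity_ok))))


# Constructed sample: the check time is the page's last-updated date.
NOW = datetime(2023, 9, 12, tzinfo=timezone.utc)
SAMPLE_USERS = {
    "deploy-bot": [  # single fresh pair, recently used: everything compliant
        {"AccessKeyId": "LTAI-constructed-1", "Status": "Active",
         "CreateDate": "2023-08-01T00:00:00Z", "LastUsedDate": "2023-09-10T00:00:00Z"},
    ],
    "legacy-app": [  # one old pair, still in use: only the creation-age rule fails
        {"AccessKeyId": "LTAI-constructed-2", "Status": "Active",
         "CreateDate": "2023-01-15T00:00:00Z", "LastUsedDate": "2023-09-11T00:00:00Z"},
    ],
    "rotating": [  # rotation in progress: one old pair plus a new, never-used pair
        {"AccessKeyId": "LTAI-constructed-3", "Status": "Active",
         "CreateDate": "2023-05-01T00:00:00Z", "LastUsedDate": "2023-09-11T00:00:00Z"},
        {"AccessKeyId": "LTAI-constructed-4", "Status": "Active",
         "CreateDate": "2023-09-10T00:00:00Z", "LastUsedDate": None},
    ],
    "stalled": [  # two old active pairs, one of them idle: rotation never finished
        {"AccessKeyId": "LTAI-constructed-5", "Status": "Active",
         "CreateDate": "2023-03-01T00:00:00Z", "LastUsedDate": "2023-09-01T00:00:00Z"},
        {"AccessKeyId": "LTAI-constructed-6", "Status": "Active",
         "CreateDate": "2023-04-01T00:00:00Z", "LastUsedDate": "2023-04-02T00:00:00Z"},
    ],
    "disabled": [  # only an inactive pair: nothing to evaluate
        {"AccessKeyId": "LTAI-constructed-7", "Status": "Inactive",
         "CreateDate": "2022-01-01T00:00:00Z", "LastUsedDate": None},
    ],
}


def evaluate_all(users=SAMPLE_USERS, now=NOW):
    """Evaluate every sample user; returns {user_name: {rule_name: result}}."""
    return {name: evaluate_user_access_keys(keys, now) for name, keys in users.items()}


if __name__ == "__main__":
    for user, result in evaluate_all().items():
        print(user, result)
```

Note that the "rotating" user still fails the creation-age rule while the old pair is active: the rules are satisfied only once the old pair is disabled after the new one is confirmed in use, which is exactly the rotation discipline the recommendation above describes.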

ram-password-policy-check

Checks whether the password policy that applies to RAM users in the account meets the specified values. If so, the evaluation result is Compliant. The password policy is configured once at the account level and applies to all RAM users, not per user.

ram-policy-no-statements-with-admin-access-check

Checks whether none of the policies attached to RAM users, RAM user groups, and RAM roles contains a statement whose Action element is set to *, which grants super administrator permissions. If so, the evaluation result is Compliant.
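What this rule looks for is a policy statement with Effect "Allow" and Action "*". The following is an added example, not Alibaba Cloud Config's or RAM's own code, that scans RAM policy documents for such statements and rolls the findings up per principal. RAM policy documents are JSON with "Version" and "Statement" elements, and Action may be a single string or a list; the sample documents, policy names and principal names are constructed.

```python
# Added example (not Alibaba Cloud Config's own code): detect policy statements
# that grant administrator access, the condition that
# ram-policy-no-statements-with-admin-access-check looks for. The policy
# documents, policy names and principal names below are constructed.
import json


def _as_list(value):
    """RAM allows Action/Resource to be given as a single string or as a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def admin_statements(document):
    """Return the statements of a RAM policy document (JSON string or dict)
    that allow every action, i.e. Effect "Allow" with Action "*".

    A Deny statement with Action "*" is not a finding (it grants nothing), and
    service-scoped wildcards such as "ecs:*" are outside this rule: broad, but
    not super administrator permissions.
    """
    doc = json.loads(document) if isinstance(document, str) else document
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.strip() for a in _as_list(stmt.get("Action"))]
        if "*" in actions:
            findings.append(stmt)
    return findings


def evaluate_principals(attached_policies):
    """attached_policies: {principal: [(policy_name, document), ...]} for RAM
    users, groups and roles. Returns {principal: (result, offending_policy_names)}."""
    results = {}
    for principal, policies in attached_policies.items():
        offending = [name for name, doc in policies if admin_statements(doc)]
        results[principal] = ("NonCompliant" if offending else "Compliant", offending)
    return results


# Constructed sample documents.
ADMIN_DOC = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})
SCOPED_DOC = json.dumps({  # least-privilege style: named actions only
    "Version": "1",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ecs:Describe*", "oss:GetObject"],
                   "Resource": "*"}],
})
DENY_ALL_DOC = json.dumps({  # a guardrail, not a grant
    "Version": "1",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
})
MIXED_DOC = json.dumps({  # admin grant buried in an Action list
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": ["ram:GetUser", "*"], "Resource": "*"}],
})

SAMPLE_ATTACHMENTS = {
    "user/ci-runner": [("ci-deploy", SCOPED_DOC), ("deny-guardrail", DENY_ALL_DOC)],
    "group/admins": [("full-admin", ADMIN_DOC)],
    "role/ecs-app-role": [("app-access", MIXED_DOC)],
}

if __name__ == "__main__":
    for principal, (result, names) in evaluate_principals(SAMPLE_ATTACHMENTS).items():
        print(principal, result, names)
```

The string-or-list handling matters in practice: a single-string Action is the most common way "*" appears, and a "*" hidden among named actions in a list grants exactly the same access as a standalone one.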

root-mfa-check

Checks whether multi-factor authentication (MFA) is enabled for the current Alibaba Cloud account. If so, the evaluation result is Compliant.

ack-cluster-rrsa-enabled

Checks whether the RAM Roles for Service Accounts (RRSA) feature is enabled for each ACK cluster. If so, the evaluation result is Compliant. With RRSA, a pod assumes a RAM role through its Kubernetes service account rather than sharing one set of credentials across the cluster, which isolates API access per pod and lets you grant fine-grained permissions on cloud resources, reducing security risks.

ecs-instance-ram-role-attached

Checks whether an instance RAM role is attached to each ECS instance. If so, the evaluation result is Compliant. Applications on the instance can then obtain temporary credentials through the instance role instead of storing long-lived AccessKey pairs on the instance.

fc-service-bind-role

Checks whether a service role is bound to each Function Compute service. If so, the evaluation result is Compliant. Functions that run under a service role obtain temporary credentials at run time and do not need the Alibaba Cloud account's AccessKey secrets, which prevents security risks caused by the exposure of those secrets.