Checks whether multi-factor authentication (MFA) is enabled for each RAM user to whom you attached the specified policy.
Scenario
If you attach a high-risk policy to a RAM user, you must enable MFA for the RAM user. MFA enhances security for your account. If account theft occurs, MFA reduces the risk of malicious operations and business losses.
Risk level
Default risk level: low.
You can change the risk level as required when you apply this rule.
Compliance evaluation logic
- If MFA is enabled for each RAM user to whom you attached the specified policy, the evaluation result is compliant.
- If MFA is disabled for a RAM user to whom you attached the specified policy, the evaluation result is non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
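The evaluation logic above can be reproduced locally to pre-check an exported user inventory before the rule's next periodic run. This is an added example, not Cloud Config's own code. The inventory format, field names, function names and sample users are constructed for illustration; `policy_name` stands in for the rule's `policyName` input parameter, and only directly attached policies are considered.

```python
"""Added example: local re-implementation of the rule's evaluation logic.

The inventory format and field names are hypothetical, not a RAM API schema.
"""

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"

# Constructed sample inventory (not real accounts).
SAMPLE_USERS = [
    {"user_name": "alice", "policies": ["AdministratorAccess"], "mfa_enabled": True},
    {"user_name": "bob", "policies": ["AdministratorAccess", "ReadOnlyAccess"],
     "mfa_enabled": False},
    {"user_name": "carol", "policies": ["ReadOnlyAccess"], "mfa_enabled": False},
    {"user_name": "dave", "policies": ["AdministratorAccess"]},  # MFA state unknown
]


def evaluate(users, policy_name):
    """Return {user_name: result} for users with policy_name attached.

    Users without the policy are outside the rule's scope and are omitted.
    A missing MFA flag is treated as disabled (fail closed); that is a
    choice made for this example, not documented rule behaviour.
    """
    results = {}
    for user in users:
        if policy_name not in user.get("policies", []):
            continue  # policy not attached: the rule does not apply
        enabled = user.get("mfa_enabled") is True
        results[user["user_name"]] = COMPLIANT if enabled else NON_COMPLIANT
    return results


def users_to_remediate(users, policy_name):
    """Sorted names of in-scope users that still need an MFA device."""
    results = evaluate(users, policy_name)
    return sorted(name for name, res in results.items() if res == NON_COMPLIANT)


if __name__ == "__main__":
    for name, result in evaluate(SAMPLE_USERS, "AdministratorAccess").items():
        print(f"{name}: {result}")
    print("remediate:", users_to_remediate(SAMPLE_USERS, "AdministratorAccess"))
```
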
Rule details
| Item | Description |
|---|---|
| Rule name | ram-risky-policy-user-mfa-check |
| Rule ID | ram-risky-policy-user-mfa-check |
| Tag | RAM and User |
| Automatic remediation | Not supported |
| Trigger type | Periodic execution |
| Time interval | 24 hours |
| Supported resource type | RAM user |
| Input parameter | policyName |
Non-compliance remediation
Enable MFA for the RAM user to whom you attach the specified policy. For more information, see Enable an MFA device for a RAM user.