Checks whether all disabled AccessKey pairs are deleted for each RAM user.
Scenario
A disabled AccessKey pair must be deleted at the earliest opportunity to prevent the AccessKey pair from being disclosed. The lack of management on AccessKey pairs that are enabled by accidental operations may cause AccessKey pair leaks.
Risk level
Default risk level: low.
You can change the risk level as required when you apply this rule.
Compliance evaluation logic
- If all disabled AccessKey pairs are deleted for each RAM user, the evaluation result is compliant.
- If a disabled AccessKey pair exists but the AccessKey pair is not deleted for a RAM user, the evaluation result is non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
Rule details
| Item | Description |
| Rule name | ram-user-invalid-ak-check |
| Rule ID | ram-user-invalid-ak-check |
| Tag | RAM and AK |
| Automatic remediation | Not supported |
| Trigger type | Configuration change |
| Supported resource type | RAM user |
| Input parameter | None |
Non-compliance remediation
Delete the disabled AccessKey pair for the RAM user. For more information, see Delete an AccessKey pair of a RAM user.