Checks whether each RAM user has an active AccessKey pair. If not, the evaluation result is Compliant.
Scenarios
If a RAM user no longer needs to access Alibaba Cloud resources by calling API operations or by using other development tools, you can delete the AccessKey pair of the RAM user. This helps reduce the risk of AccessKey pair leaks and management costs.
Risk level
Default risk level: low.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If a RAM user does not have an active AccessKey pair, the evaluation result is Compliant.
- If a RAM user has an active AccessKey pair, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
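The evaluation logic above can be reproduced offline, which is useful for listing the keys that need remediation before the rule is enabled. The following is an added example, not code from the Cloud Config service: it assumes each user's key list has the shape of a RAM `ListAccessKeys` response (`AccessKeys.AccessKey[]` with `AccessKeyId` and `Status`), and the user names and key IDs are constructed.

```python
import json

# Constructed sample input: one ListAccessKeys-shaped response per RAM user.
# User names and AccessKey IDs are invented for this example.
SAMPLE = {
    "ci-deployer": {"AccessKeys": {"AccessKey": [
        {"AccessKeyId": "LTAI-EXAMPLE-0001", "Status": "Active"},
        {"AccessKeyId": "LTAI-EXAMPLE-0002", "Status": "Inactive"},
    ]}},
    "console-only": {"AccessKeys": {"AccessKey": []}},
    "former-integration": {"AccessKeys": {"AccessKey": [
        {"AccessKeyId": "LTAI-EXAMPLE-0003", "Status": "Inactive"},
    ]}},
    "no-key-field": {},  # response without an AccessKeys element
}


def active_key_ids(response):
    """Return the IDs of AccessKey pairs whose Status is Active."""
    keys = (response.get("AccessKeys") or {}).get("AccessKey") or []
    return [k["AccessKeyId"] for k in keys if k.get("Status") == "Active"]


def evaluate_user(user_name, response):
    """Apply the rule to one RAM user: any active key means Incompliant."""
    active = active_key_ids(response)
    return {
        "user": user_name,
        "result": "Incompliant" if active else "Compliant",
        "active_keys": active,  # the keys to disable or delete
    }


def evaluate_all(responses):
    """Evaluate every user and return results sorted by user name."""
    return [evaluate_user(u, r) for u, r in sorted(responses.items())]


if __name__ == "__main__":
    print(json.dumps(evaluate_all(SAMPLE), indent=2))
```

A user whose AccessKey pairs are all disabled evaluates as Compliant, the same as a user with no AccessKey pair, because only active pairs count.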
Rule details
Item | Description |
---|---|
Rule name | ram-user-active-ak-check |
Rule identifier | ram-user-active-ak-check |
Tag | RAM and AK |
Automatic remediation | Not supported |
Trigger type | Configuration change |
Supported resource type | RAM user |
Input parameter | None. |
Incompliance remediation
Disable or delete an AccessKey pair for a RAM user. For more information, see Disable an AccessKey pair of a RAM user or Delete an AccessKey pair of a RAM user.