
Cloud Config: ram-user-role-no-product-admin-access

Last Updated: Nov 17, 2023

Checks whether a Resource Access Management (RAM) role has full administrator permissions or administrator permissions for a specific cloud service. If the role has neither, the evaluation result is Compliant.

Scenarios

This rule applies when you need to grant each RAM user only the permissions it requires, following the principle of least privilege (PoLP). This prevents the security risks that excessive permissions can cause.

Risk level

Default risk level: medium.

When you apply this rule, you can change the risk level based on your business requirements.

Compliance evaluation logic

  • If the RAM role has neither full administrator permissions nor administrator permissions for a specific cloud service, the evaluation result is Compliant.

  • If the RAM role has full administrator permissions or administrator permissions for a specific cloud service, the evaluation result is Non-compliant.

  • If the RAM role is a system role or a service-linked role, the evaluation result is Not Applicable.
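The three outcomes above, as an added example that is not part of this page or of Cloud Config itself: a small evaluator that classifies a role's attached policy documents. Role records use a constructed shape (RoleType, Policies); real RAM API responses differ, and the treatment of Resource "*" and the omission of Deny statements are assumptions.

```python
# Constructed example: a minimal evaluator for the rule's three outcomes.
# Role records use a made-up shape (RoleType, Policies); real RAM API responses differ.
COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "Compliant", "Non-compliant", "Not Applicable"


def _as_list(value):
    # RAM policy fields such as Action and Resource may be a string or a list.
    return value if isinstance(value, list) else [value]


def admin_grants(policy_document):
    """List admin-level grants in one policy document: 'account' for Action "*",
    'service:<name>' for "<name>:*". Only Allow statements whose Resource includes
    "*" are counted (assumption); Deny statements are not modelled."""
    grants = []
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                grants.append("account")
                continue
            service, _, operation = action.partition(":")
            if operation == "*":
                grants.append(f"service:{service}")
    return grants


def evaluate_role(role):
    """Return (result, grants) for one role, mirroring the rule's evaluation logic."""
    if role.get("RoleType") in ("system", "service-linked"):
        return NOT_APPLICABLE, []
    grants = [g for doc in role.get("Policies", []) for g in admin_grants(doc)]
    return (NON_COMPLIANT if grants else COMPLIANT), grants


# Constructed sample roles (names and policies are made up for this example).
SAMPLE_ROLES = [
    {"RoleName": "app-reader", "RoleType": "custom", "Policies": [{"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject", "oss:ListObjects"], "Resource": "*"}]}]},
    {"RoleName": "ops-ecs", "RoleType": "custom", "Policies": [{"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}]}]},
    {"RoleName": "break-glass", "RoleType": "custom", "Policies": [{"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}]},
    {"RoleName": "service-linked-example", "RoleType": "service-linked", "Policies": []},
]

if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        print(role["RoleName"], *evaluate_role(role))
```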

Rule details

  • Rule name: ram-user-role-no-product-admin-access

  • Rule ID: ram-user-role-no-product-admin-access

  • Tag: RAM and Role

  • Automatic remediation: Not supported

  • Trigger type: Periodic execution

  • Evaluation frequency: Every 24 hours

  • Supported resource type: RAM role

  • Input parameter: None

  • Non-compliance remediation: Ensure that the RAM role has neither full administrator permissions nor administrator permissions for a specific cloud service. For more information, see Modify the document and description of a custom policy.