Checks whether each Resource Access Management (RAM) user is in the Activated state and has fewer than two AccessKey pairs that have been created for more than the specified number of days. If so, the evaluation result is Compliant. We recommend that each RAM user has one valid AccessKey pair in most cases and has two valid AccessKey pairs during rotation.
Scenarios
We recommend that you regularly clear and rotate the AccessKey pairs of RAM users to reduce the risk of AccessKey pair leakage.
Risk level
Default risk level: medium.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
If each RAM user is in the Activated state and has fewer than two AccessKey pairs that have been created for more than the specified number of days, the evaluation result is Compliant.
If a RAM user is not in the Activated state or has two or more AccessKey pairs that have been created for more than the specified number of days, the evaluation result is Non-compliant.
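The evaluation logic above, written out as an added example that is not Cloud Config's own code, so the rule can be dry-run against an exported key inventory. The record field names, the `Inactive` state value and the sample users are constructed for illustration, and "more than the specified number of days" is assumed to mean strictly greater than `days`.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the constructed sample is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def _key(age_days):
    """Build a constructed AccessKey record created `age_days` days before NOW."""
    return {"create_date": NOW - timedelta(days=age_days)}

# Constructed inventory. Field names are assumptions for this example,
# not the schema returned by Cloud Config or the RAM API.
SAMPLE_USERS = [
    {"name": "steady", "state": "Activated", "access_keys": [_key(200)]},
    {"name": "rotating", "state": "Activated", "access_keys": [_key(200), _key(3)]},
    {"name": "stale-pair", "state": "Activated", "access_keys": [_key(200), _key(45)]},
    {"name": "boundary", "state": "Activated", "access_keys": [_key(30), _key(90)]},
    {"name": "inactive", "state": "Inactive", "access_keys": []},
]

def old_key_count(user, days, now):
    """Count AccessKey pairs created strictly more than `days` days ago."""
    cutoff = timedelta(days=days)
    return sum(1 for k in user["access_keys"] if now - k["create_date"] > cutoff)

def evaluate(user, days=30, now=NOW):
    """Return (result, reason) following the rule's stated logic."""
    if user["state"] != "Activated":
        return "Non-compliant", "user is not in the Activated state"
    n = old_key_count(user, days, now)
    if n >= 2:
        return "Non-compliant", f"{n} AccessKey pairs older than {days} days"
    return "Compliant", f"{n} AccessKey pair(s) older than {days} days"

def report(users, days=30, now=NOW):
    """Map each user name to its evaluation result."""
    return {u["name"]: evaluate(u, days, now)[0] for u in users}

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        result, reason = evaluate(u)
        print(f"{u['name']:<11} {result:<14} {reason}")
```

The `rotating` user shows why two keys are tolerated during rotation: only one of them is older than the threshold, so the result stays Compliant until the second key also ages past `days`.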
Rule details
| Item | Description |
| --- | --- |
| Rule name | ram-user-activated-ak-quantity-check |
| Rule ID | |
| Tag | AK |
| Automatic remediation | Not supported |
| Trigger type | Configuration change |
| Supported resource type | RAM user |
| Input parameter | days. Default value: 30 |
Non-compliance remediation
Ensure that each RAM user is in the Activated state and has fewer than two AccessKey pairs. For more information, see Disable an AccessKey pair of a RAM user.