Checks whether a policy is directly attached to a RAM user.
Scenario
A RAM user should inherit permissions from a RAM user group or a RAM role rather than having policies attached to it directly. You can then change a user's permissions by changing the policies of the RAM user group to which the user belongs or of the RAM role that the user assumes, instead of editing each user individually. When an employee leaves your organization, this also makes the permission handover easier: you move group membership rather than reconstructing per-user policy attachments, and permissions stay manageable in a systematic way.
Risk level
Default risk level: low.
You can change the risk level as required when you apply this rule.
Compliance evaluation logic
- If a policy is not directly attached to a RAM user, the evaluation result is compliant.
- If a policy is directly attached to a RAM user, the evaluation result is non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
Rule details
| Item | Description |
| --- | --- |
| Rule name | ram-user-no-policy-check |
| Rule ID | ram-user-no-policy-check |
| Tag | RAM and User |
| Automatic remediation | Not supported |
| Trigger type | Periodic execution |
| Time interval | 24 hours |
| Supported resource type | RAM user |
| Input parameter | None |
Non-compliance remediation
Detach the policy from the RAM user. Before you detach it, make sure that an equivalent policy is attached to a RAM user group that the user belongs to, or to a RAM role that the user can assume, so that the user does not lose the permission. For more information, see Revoke permissions from a RAM user.
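The following script is an added example, not Alibaba Cloud's own code. It re-implements the evaluation logic above offline and produces the remediation plan for each non-compliant user. It assumes the response shape of the RAM API operation ListPoliciesForUser (`{"Policies": {"Policy": [...]}}`, each entry carrying `PolicyName` and `PolicyType`) and the parameters of DetachPolicyFromUser (`UserName`, `PolicyType`, `PolicyName`); the user names and policy attachments are constructed sample data.

```python
"""Offline re-implementation of the ram-user-no-policy-check evaluation.

Added example, not Alibaba Cloud's own code. Assumes the ListPoliciesForUser
response shape ({"Policies": {"Policy": [...]}}) and the DetachPolicyFromUser
parameters (UserName, PolicyType, PolicyName). User and policy names below are
constructed sample data, not real accounts.
"""
from typing import Dict, List, Tuple

# Constructed sample: what ListPoliciesForUser would return for each RAM user.
SAMPLE_USER_POLICIES: Dict[str, dict] = {
    # Inherits everything through a group or role: no direct attachment.
    "alice": {"Policies": {"Policy": []}},
    # Two policies attached directly: non-compliant.
    "bob": {"Policies": {"Policy": [
        {"PolicyName": "AliyunOSSFullAccess", "PolicyType": "System"},
        {"PolicyName": "project-x-deploy", "PolicyType": "Custom"},
    ]}},
    # One direct attachment: non-compliant.
    "svc-ci": {"Policies": {"Policy": [
        {"PolicyName": "AliyunECSReadOnlyAccess", "PolicyType": "System"},
    ]}},
}


def directly_attached_policies(response: dict) -> List[dict]:
    """Extract the policy entries from a ListPoliciesForUser-shaped response."""
    return response.get("Policies", {}).get("Policy", []) or []


def evaluate_user(user_name: str, response: dict) -> dict:
    """Apply the rule: compliant iff no policy is attached directly to the user."""
    attached = directly_attached_policies(response)
    direct: List[Tuple[str, str]] = [
        (p["PolicyType"], p["PolicyName"]) for p in attached
    ]
    return {
        "UserName": user_name,
        "Compliant": len(direct) == 0,
        "DirectPolicies": direct,
    }


def remediation_plan(result: dict) -> List[dict]:
    """One DetachPolicyFromUser call per directly attached policy.

    Detaching removes access immediately, so an equivalent policy should
    already be attached to a group the user belongs to (or a role the user
    can assume) before these calls are executed.
    """
    return [
        {
            "Action": "DetachPolicyFromUser",
            "UserName": result["UserName"],
            "PolicyType": policy_type,
            "PolicyName": policy_name,
        }
        for policy_type, policy_name in result["DirectPolicies"]
    ]


def evaluate_all(user_policies: Dict[str, dict]) -> Dict[str, dict]:
    """Evaluate every user and return the per-user results keyed by name."""
    return {user: evaluate_user(user, resp) for user, resp in user_policies.items()}


if __name__ == "__main__":
    for name, result in evaluate_all(SAMPLE_USER_POLICIES).items():
        status = "compliant" if result["Compliant"] else "NON-COMPLIANT"
        print(f"{name}: {status} {result['DirectPolicies']}")
        for step in remediation_plan(result):
            print("   ", step)
```

Each entry in the remediation plan maps directly onto one DetachPolicyFromUser call; the script deliberately does not execute anything, so you can review the plan and confirm that the replacement group or role policy is in place first. Note that the rule only looks at direct attachments: a user with no direct policies and no group membership is reported as compliant even though it has no permissions at all, so this check is about policy structure, not about whether the user's effective permissions are correct.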