Checks whether a policy is attached to one or more RAM user groups, RAM roles, or RAM users.
Scenario
You can use this rule to find policies that are not attached to any RAM user group, RAM role, or RAM user. This helps prevent the situation in which a RAM user is granted excessive permissions and performs malicious operations.
Risk level
Default risk level: low.
You can change the risk level as required when you apply this rule.
Compliance evaluation logic
- If a policy is attached to one or more RAM user groups, RAM roles, or RAM users, the evaluation result is compliant.
- If a policy is not attached to a RAM user group, RAM role, or RAM user, the evaluation result is non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
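The evaluation logic above, written as an added Python check that is not part of this page or of the Cloud Config service's own code. It runs over constructed attachment data; the dictionary layout it parses (Groups.Group, Roles.Role, Users.User) is assumed to follow a RAM ListEntitiesForPolicy response.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Default risk level of the rule; it can be changed when the rule is applied.
DEFAULT_RISK_LEVEL = "low"
REMEDIATION = "Attach the policy to a RAM user group, a RAM role, or a RAM user."


@dataclass
class PolicyAttachments:
    """Entities a policy is attached to. The layout parsed in from_api_response
    (Groups.Group / Roles.Role / Users.User) is an assumption for this example."""
    policy_name: str
    groups: List[str] = field(default_factory=list)
    roles: List[str] = field(default_factory=list)
    users: List[str] = field(default_factory=list)

    @classmethod
    def from_api_response(cls, policy_name: str, resp: Dict) -> "PolicyAttachments":
        def names(section: str, key: str, name_key: str) -> List[str]:
            return [e[name_key] for e in resp.get(section, {}).get(key, [])]
        return cls(policy_name,
                   groups=names("Groups", "Group", "GroupName"),
                   roles=names("Roles", "Role", "RoleName"),
                   users=names("Users", "User", "UserName"))

    def is_in_use(self) -> bool:
        # Rule logic: one attachment of any kind is enough to count as in use.
        return bool(self.groups or self.roles or self.users)


def evaluate(policies: List[PolicyAttachments]) -> Dict[str, Dict]:
    """Return one evaluation record per policy, keyed by policy name."""
    report = {}
    for p in policies:
        compliant = p.is_in_use()
        report[p.policy_name] = {
            "result": "COMPLIANT" if compliant else "NON_COMPLIANT",
            "risk_level": None if compliant else DEFAULT_RISK_LEVEL,
            "attachments": len(p.groups) + len(p.roles) + len(p.users),
            "remediation": None if compliant else REMEDIATION,
        }
    return report


# Constructed sample data: two policies in use, one attached to nothing.
SAMPLE_RESPONSES = {
    "ecs-readonly": {"Groups": {"Group": [{"GroupName": "ops"}]}},
    "oss-upload": {"Roles": {"Role": [{"RoleName": "ci-runner"}]},
                   "Users": {"User": [{"UserName": "alice"}]}},
    "legacy-admin": {"Groups": {"Group": []}, "Roles": {"Role": []}, "Users": {"User": []}},
}


def sample_report() -> Dict[str, Dict]:
    return evaluate([PolicyAttachments.from_api_response(n, r)
                     for n, r in SAMPLE_RESPONSES.items()])
```

Running `sample_report()` flags only `legacy-admin` as non-compliant, with the rule's default risk level and the remediation text attached to that record.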
Rule details
| Item | Description |
|---|---|
| Rule name | ram-policy-in-use-check |
| Rule ID | ram-policy-in-use-check |
| Tag | RAM and Policy |
| Automatic remediation | Not supported |
| Trigger type | Periodic execution |
| Time interval | 24 hours |
| Supported resource type | Policy |
| Input parameter | None |
Non-compliance remediation
- Attach the policy to a RAM user group.
For more information, see Grant permissions to a RAM user group.
- Attach the policy to a RAM role.
For more information, see Grant permissions to a RAM role.
- Attach the policy to a RAM user.
For more information, see Grant permissions to a RAM user.