ram-user-invalid-ak-check

更新时间:
复制 MD 格式

Checks whether disabled AccessKey pairs are deleted for RAM users. If a disabled AccessKey pair exists, the evaluation result is non-compliant.

Scenario

Disabled AccessKey pairs should be deleted promptly to prevent accidental re-enablement or disclosure due to insufficient key management.

Risk level

Default risk level: low.

You can change the risk level when you apply this rule.

Compliance evaluation logic

  • If no disabled AccessKey pairs exist for a RAM user, the evaluation result is compliant.
  • If a disabled AccessKey pair exists for a RAM user, the evaluation result is non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.

Rule details

Item Description
Rule name ram-user-invalid-ak-check
Rule ID ram-user-invalid-ak-check
Tag RAM and AK
Automatic remediation Not supported
Trigger type Configuration change
Supported resource type RAM user
Input parameter None

Non-compliance remediation

Delete the disabled AccessKey pair for the RAM user. For more information, see Delete a RAM user's AccessKey.