Best practices for AccessKey and permission administration

更新时间:
复制 MD 格式

The AccessKey and permission administration compliance package checks the configuration and use of AccessKeys, Alibaba Cloud accounts, and Resource Access Management (RAM) users. The following table lists the default rules in this compliance package.

Rule name

Rule description

Rotate AccessKeys for RAM users within a specified period

An AccessKey for a RAM user is considered compliant if its age does not exceed a specified number of days. Default value: 90 days.

RAM users do not have idle AccessKeys

An AccessKey for a RAM user is considered compliant if the number of days since its last use is less than the value specified in the parameters. Default value: 90 days.

Separate human and programmatic access for RAM users

A RAM user is considered compliant if they do not have both console access and API call access enabled.

RAM users log on within a specified period

A RAM user is considered compliant if they have logged on within the last 90 days. If the last logon time is empty, the user is compliant if their profile was updated within the last 90 days. This rule does not apply to users who do not have console access.

RAM users have no more than two active AccessKeys

A RAM user is considered compliant if they have fewer than two active AccessKeys older than a specified number of days. We recommend that a RAM user have only one active AccessKey. However, you can temporarily have two active AccessKeys during key rotation.

RAM user password policy meets requirements

A password policy for RAM users is considered compliant if all its settings match the values specified in the parameters.

No super administrators exist

The account is considered compliant if no RAM user, RAM user group, or RAM role has a permission policy where `Resource` is * and `Action` is *.

MFA is enabled for the Alibaba Cloud account

The Alibaba Cloud account is considered compliant if multi-factor authentication (MFA) is enabled.

RRSA feature is enabled for ACK clusters

An ACK cluster is considered compliant if the RRSA feature is enabled. The RRSA feature provides pod-level OpenAPI permission isolation within a cluster. This enables fine-grained permission isolation for cloud resource access and reduces security risks.

ECS instances have instance RAM roles attached

An ECS instance is considered compliant if it has an instance RAM role attached.

A service role is configured for Function Compute

A Function Compute service is considered compliant if a service role is configured. This prevents security risks that can arise from exposing an Alibaba Cloud account AccessKey.