The AccessKey and permission administration compliance package checks the configuration and use of AccessKeys, Alibaba Cloud accounts, and Resource Access Management (RAM) users. The following table lists the default rules in this compliance package.
|
Rule name |
Rule description |
|
An AccessKey for a RAM user is considered compliant if its age does not exceed a specified number of days. Default value: 90 days. |
|
|
An AccessKey for a RAM user is considered compliant if the number of days since its last use is less than the value specified in the parameters. Default value: 90 days. |
|
|
A RAM user is considered compliant if they do not have both console access and API call access enabled. |
|
|
A RAM user is considered compliant if they have logged on within the last 90 days. If the last logon time is empty, the user is compliant if their profile was updated within the last 90 days. This rule does not apply to users who do not have console access. |
|
|
A RAM user is considered compliant if they have fewer than two active AccessKeys older than a specified number of days. We recommend that a RAM user have only one active AccessKey. However, you can temporarily have two active AccessKeys during key rotation. |
|
|
A password policy for RAM users is considered compliant if all its settings match the values specified in the parameters. |
|
|
The account is considered compliant if no RAM user, RAM user group, or RAM role has a permission policy where `Resource` is |
|
|
The Alibaba Cloud account is considered compliant if multi-factor authentication (MFA) is enabled. |
|
|
An ACK cluster is considered compliant if the RRSA feature is enabled. The RRSA feature provides pod-level OpenAPI permission isolation within a cluster. This enables fine-grained permission isolation for cloud resource access and reduces security risks. |
|
|
An ECS instance is considered compliant if it has an instance RAM role attached. |
|
|
A Function Compute service is considered compliant if a service role is configured. This prevents security risks that can arise from exposing an Alibaba Cloud account AccessKey. |