ram-user-specified-permission-bound

更新时间:
复制 MD 格式

If the policies attached to a RAM user do not include specified high-risk permissions, the evaluation result is Compliant.

Scenarios

Use this rule to enforce the principle of least privilege (PoLP) for RAM users and prevent security risks caused by excessive permissions.

Risk level

Default risk level: medium.

You can change the risk level when you apply this rule.

Compliance evaluation logic

  • If the policies attached to a RAM user do not include specified high-risk permissions, the evaluation result is Compliant.
  • If the policies attached to a RAM user include specified high-risk permissions, the evaluation result is Incompliant. To fix this, see Incompliance remediation.

Rule details

Item Description
Rule name ram-user-specified-permission-bound
Rule identifier ram-user-specified-permission-bound
Tag RAM and User
Automatic remediation Not supported
Trigger Type Configuration change and periodic execution
Evaluation frequency Interval of 24 hours
Supported resource type If you use a RAM user, perform the following steps to obtain an O&M token:
Input parameter Action
Note Separate multiple values with commas (,).

Incompliance remediation

Revoke high-risk permissions from the RAM user. For more information, see Revoke permissions from a RAM user.