Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-alicloud-compliance
Overview
1Dashboards
78Benchmarks
40Queries
2Variables
GitHub

Control: 1.5 Ensure users not logged on for 90 days or longer are disabled for console logon

Description

Alibaba Cloud RAM users can logon to Alibaba Cloud console by using their user name and password. If a user has not logged on for 90 days or longer, it is recommended to disable the console access of the user.

Remediation

Perform the following to disable console logon for a user:

From Console

  1. Logon to RAM console.
  2. Choose Identities > Users.
  3. In the User Logon Name/Display Name column, click the username of the target RAM user.
  4. In the Console Logon Management section, click Modify Logon Settings.
  5. In the Console Password Logon section, select Disabled.
  6. Click OK.

From Command Line

aliyun ram DeleteLoginProfile --UserName <ram_user>

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_1_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_1_5 --share

SQL

This control uses a named query:

select
  'acs:ram::' || account_id || ':user/' || name as resource,
  case
    when last_login_date < current_date - interval '90 days' or last_login_date is null then 'alarm'
    else 'ok'
  end as status,
  case
    when last_login_date is null then name || ' never logged in.'
    else name || ' logged in '|| extract(day from current_date - last_login_date) || ' days ago.'
  end as reason
  , account_id as account_id
from
  alicloud_ram_user;

Tags

category = Compliance
cis = true
cis_item_id = 1.5
cis_level = 1
cis_section_id = 1
cis_type = automated
cis_version = v1.0.0
plugin = alicloud
service = AliCloud/RAM