turbot/alicloud_compliance

Control: 1.5 Ensure users not logged on for 90 days or longer are disabled for console logon

Description

Alibaba Cloud RAM users can log on to the Alibaba Cloud console with their user name and password. If a user has not logged on for 90 days or longer, it is recommended to disable that user's console access.

Remediation

Perform the following to disable console logon for a user:

From Console

  1. Log on to the RAM console.
  2. Choose Identities > Users.
  3. In the User Logon Name/Display Name column, click the username of the target RAM user.
  4. In the Console Logon Management section, click Modify Logon Settings.
  5. In the Console Password Logon section, select Disabled.
  6. Click OK.

From Command Line

aliyun ram DeleteLoginProfile --UserName <ram_user>
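
The 90-day check and the CLI remediation above can be combined into a review list. This is an added example, not the control's own query or code from the mod. It assumes user records with `UserName`, `CreateDate` and `LastLoginDate` fields modelled on a RAM `GetUser` response; the `HasLoginProfile` flag and the fallback to `CreateDate` for users who never logged on are assumptions of this example.

```python
import shlex
from datetime import datetime, timedelta, timezone

THRESHOLD = timedelta(days=90)

def _parse(ts):
    """Parse an ISO 8601 UTC timestamp such as 2024-01-05T08:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stale_console_users(users, now):
    """Return (user_name, idle_days) for console users idle 90 days or longer."""
    stale = []
    for u in users:
        if not u.get("HasLoginProfile"):  # hypothetical flag, see lead-in
            continue  # console logon already disabled, nothing to do
        # Assumption: a user who never logged on is aged from CreateDate.
        last_seen = _parse(u.get("LastLoginDate") or u["CreateDate"])
        idle = now - last_seen
        if idle >= THRESHOLD:  # "90 days or longer" includes exactly 90 days
            stale.append((u["UserName"], idle.days))
    return sorted(stale, key=lambda item: -item[1])

def remediation_commands(stale):
    """Render the page's CLI remediation for each stale user, for review."""
    return ["aliyun ram DeleteLoginProfile --UserName " + shlex.quote(name)
            for name, _ in stale]

# Constructed sample records (not real accounts).
SAMPLE_USERS = [
    {"UserName": "alice", "CreateDate": "2023-01-10T09:00:00Z",
     "LastLoginDate": "2024-05-30T12:00:00Z", "HasLoginProfile": True},
    {"UserName": "bob", "CreateDate": "2022-06-01T09:00:00Z",
     "LastLoginDate": "2024-03-03T00:00:00Z", "HasLoginProfile": True},
    {"UserName": "ci-bot", "CreateDate": "2023-11-01T09:00:00Z",
     "LastLoginDate": "", "HasLoginProfile": True},
    {"UserName": "dave", "CreateDate": "2021-02-02T09:00:00Z",
     "LastLoginDate": "2022-01-01T00:00:00Z", "HasLoginProfile": False},
]

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for cmd in remediation_commands(stale_console_users(SAMPLE_USERS, now)):
        print(cmd)
```

The commands are only printed, so the list can be reviewed before any logon profile is deleted.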

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_1_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_1_5 --share

SQL

This control uses a named query:

ram_user_unused_90
