
Control: 1.16 Ensure RAM policies are attached only to groups or roles


By default, RAM users, groups, and roles have no access to Alibaba Cloud resources. RAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that RAM policies be applied directly to groups and roles but not users.


Perform the following to create a RAM user group and assign a policy to it:

From Console

  1. Log on to RAM console.
  2. Choose Identities > Users.
  3. Click Create Group, and enter the group name, display name, and description.
  4. Click OK.
  5. In the Group Name/Display Name column, find the target RAM user group and click Add Permissions.
  6. In the Select Policy section, select the target policy or policies and click OK.

From Command Line

  1. Run the following command to create a RAM user group:
aliyun ram CreateGroup –GroupName <ram_user_group>
  1. Run the following command to attach a policy to the group:
aliyun ram AttachPolicyToGroup --GroupName <ram_user_group> --PolicyName <policy_name> --PolicyType <System|Custom>

Perform the following to add a user to a given group:

From Console

  1. Log on to RAM console.
  2. Choose Identities > Groups.
  3. In the Group Name/Display Name column, find the target RAM user group and click Add Group Members.
  4. In the User section, select the target RAM user and click OK.

From Command Line

Run the following command to add a RAM user to a user group:

aliyun ram AddUserToGroup --GroupName <ram_user_group> --UserName <ram_user>

Perform the following to remove a direct association between a user and policy:

From Console

  1. Logon to RAM console.
  2. Choose Permissions > Grants.
  3. In the Principal column, find the target RAM user and click Revoke Permission.
  4. Click OK.

From Command Line

Run the following command to remove a policy from a RAM user:

aliyun ram DetachPolicyFromUser --PolicyName <policy_name> --PolicyType <System|Custom> --UserName <ram_user>


Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_1_16

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_1_16 --share


This control uses a named query:

with user_attached_with_policy as (
distinct name as user_name,
jsonb_array_elements(attached_policy) as policies
attached_policy != '[]'
'acs:ram::' || account_id || ':user/' || name as resource,
when u.name = p.user_name then 'alarm'
else 'ok'
end as status,
when u.name = p.user_name then name || ' have direct policy attached.'
else name || ' not have any direct policy attached.'
end as reason
, account_id as account_id
alicloud_ram_user u
left join user_attached_with_policy p on u.name = p.user_name;
