Alibaba CloudOverview
Description
Alibaba Cloud RAM users can logon to Alibaba Cloud console by using their user name and password. If a user has not logged on for 90 days or longer, it is recommended to disable the console access of the user.
Rationale
Disabling users from having unnecessary logon privileges will reduce the opportunity that an abandoned user or a user with compromised password to be used.
Impact
RAM users who still need to log on to the management console or other Alibaba Cloud sites may encounter logon failure.
Remediation guidance
Perform the following to disable console logon for a user:
Via the management console
- Login to the
RAM Console - Under
Identities, chooseUsers - In the
User Logon Name/Display Namecolumn, click the username of the target RAM user - In the
Console Logon Managementsection, clickModify Logon Settings - In the
Console Password Logonsection, selectDisabled - Click
OK
Via CLI
aliyun ram DeleteLoginProfile --UserName
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Alibaba Cloud
Use Resource Directory guardrails, account baselines, and IaC modules so the secure setting is applied consistently across environments.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Users not logged on for 90 days or longer are disabled for console logon
Connectors
Covered asset types
Expected check: eq []
AlibabaIAM5 {...AssetFragment}
