Overview
Description
Alibaba Cloud RAM users can log on to the Alibaba Cloud console with a user name and password. If a RAM user has not logged on for 90 days or longer, it is recommended to disable console access for that user.
Rationale
Removing console logon from users who no longer need it reduces the chance that an abandoned account, or an account whose password has been compromised, can be used to access the console.
Impact
RAM users who still need to log on to the management console or other Alibaba Cloud sites may encounter logon failure.
Remediation guidance
Perform the following to disable console logon for a user:
Via the management console
- Log on to the RAM console.
- Under Identities, choose Users.
- In the User Logon Name/Display Name column, click the user name of the target RAM user.
- In the Console Logon Management section, click Modify Logon Settings.
- In the Console Password Logon section, select Disabled.
- Click OK.
Via CLI
aliyun ram DeleteLoginProfile --UserName <user-name>
Note that DeleteLoginProfile removes the user's console logon profile (the password) rather than toggling a setting; the user's AccessKeys are not affected, so API access continues. To restore console access later, create a new logon profile for the user.
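The check behind this control, and the remediation it leads to, can be expressed as a small script. The following is an added example written for this page, not code from the control or from Alibaba Cloud's tooling. It assumes user records already fetched from the RAM API, with a flag for whether a logon profile exists and the user's creation and last-logon timestamps (field names modelled on the RAM GetUser response, but the record shape here is an assumption); users who have never logged on are measured from their creation date, which is a policy choice, not something the control states. Compliance is the empty result, matching the control's "eq []" expectation.

```python
"""Evaluate RAM user records against the 90-day console-logon rule.

Added example for this control page, not Alibaba Cloud's own code.
Record fields are an assumption modelled on the RAM GetUser response.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

INACTIVITY_DAYS = 90


@dataclass
class RamUser:
    user_name: str
    console_logon_enabled: bool           # True when the user has a logon profile
    create_date: datetime
    last_login_date: Optional[datetime]   # None when the user has never logged on


def parse_ram_date(value: str) -> datetime:
    """RAM API timestamps are ISO 8601 in UTC, e.g. 2024-02-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_stale(user: RamUser, now: datetime, days: int = INACTIVITY_DAYS) -> bool:
    """Stale means console logon is enabled and the last logon (or, for a user
    who never logged on, account creation) is at least `days` ago.
    Users without a logon profile are already compliant."""
    if not user.console_logon_enabled:
        return False
    reference = user.last_login_date or user.create_date  # assumption: never-logged-on users measured from creation
    return now - reference >= timedelta(days=days)


def find_stale_users(users: List[RamUser], now: datetime, days: int = INACTIVITY_DAYS) -> List[str]:
    """Return the names of violating users; an empty list is the compliant state (eq [])."""
    return [u.user_name for u in users if is_stale(u, now, days)]


def remediation_commands(user_names: List[str]) -> List[str]:
    """Build the CLI remediation from the Remediation guidance section for each stale user."""
    return [f"aliyun ram DeleteLoginProfile --UserName {name}" for name in user_names]


# Constructed sample records (not real accounts); evaluated as of NOW.
NOW = parse_ram_date("2024-06-01T00:00:00Z")
SAMPLE_USERS = [
    RamUser("alice", True, parse_ram_date("2023-01-10T09:00:00Z"), parse_ram_date("2024-05-20T10:00:00Z")),  # active, compliant
    RamUser("bob", True, parse_ram_date("2023-01-10T09:00:00Z"), parse_ram_date("2024-02-01T10:00:00Z")),    # ~121 days idle, stale
    RamUser("carol", True, parse_ram_date("2024-01-15T09:00:00Z"), None),                                    # never logged on, created ~138 days ago, stale
    RamUser("dave", False, parse_ram_date("2022-05-05T09:00:00Z"), parse_ram_date("2022-06-01T10:00:00Z")),  # no logon profile, compliant
    RamUser("erin", True, parse_ram_date("2023-01-10T09:00:00Z"), parse_ram_date("2024-03-03T00:00:00Z")),   # exactly 90 days, stale (boundary)
]

if __name__ == "__main__":
    stale = find_stale_users(SAMPLE_USERS, NOW)
    for command in remediation_commands(stale):
        print(command)
```

The boundary case (erin, exactly 90 days) is counted as stale because the control says "90 days or longer". Before running the generated commands, confirm the user is not a break-glass or shared operations account, since DeleteLoginProfile leaves AccessKeys intact but removes all console access immediately.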
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Check: Users not logged on for 90 days or longer are disabled for console logon
Expected check: eq [] (the query returns no violating users)
Connectors: Alibaba Cloud
Covered asset types: AlibabaIAM5