Disable Console Access for RAM Users Inactive for 90 days

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-RAM-002

Identify inactive Resource Access Management (RAM) users that are not designated for API access, and disable their access to the Alibaba Cloud console as an additional security measure for protecting your cloud resources against unauthorized access. A RAM user is considered inactive when it has not logged on for 90 days or longer.

Security

Disabling console access for your inactive Alibaba Cloud RAM users can reduce the risk of unauthorized access to your cloud services and resources, and help you manage the user-based access more efficiently.


Audit

To identify the RAM users that have not logged on for 90 days or longer, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Users.

04 Click on the name (link) of the RAM user that you want to examine, listed in the User Logon Name/Display Name column.

05 Select the Authentication tab to access the authentication configuration information available for the selected RAM user.

06 In the Console Logon Management section, check the Console Access attribute value to determine if the selected user has access to the Management Console. If Console Access is set to Disabled, the user's access to the console is disabled, therefore the selected RAM user is considered inactive. If Console Access is set to Enabled, check the Last Console Logon attribute value to identify the most recent login time for the specified user on the Alibaba Cloud Management Console. If the Last Console Logon timestamp reveals that your RAM user's most recent login occurred 90 days ago or longer, the selected Resource Access Management (RAM) user is considered inactive.

07 Repeat steps no. 4 – 6 for each RAM user available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run ListUsers command (OSX/Linux/UNIX) with custom output filters to list the name of each RAM user available within your Alibaba Cloud account:

aliyun ram ListUsers 
  --output cols=UserName

02 The command output should return a list with the requested RAM user identifiers:

UserName
--------
tm-project-admin
tm-project-developer

03 Run GetLoginProfile command (OSX/Linux/UNIX) with the name of the Resource Access Management (RAM) user that you want to examine as the identifier parameter, to describe the user login profile information available for the selected RAM user:

aliyun ram GetLoginProfile
  --UserName tm-project-admin

04 The command output should return the requested login profile information:

ERROR: SDK.ServerError
ErrorCode: EntityNotExist.User.LoginProfile
Recommend: https://api.aliyun.com/troubleshoot?q=EntityNotExist.User.LoginProfile&product=Ram&requestId=ABCD1234-ABCD-1234-ABCD-1234ABCD1234
RequestId: ABCD1234-ABCD-1234-ABCD-1234ABCD1234
Message: login policy not exists
RespHeaders: map[Access-Control-Allow-Origin:[*] Access-Control-Expose-Headers:[*] Connection:[keep-alive] Content-Length:[302] Content-Type:[application/json;charset=utf-8] Date:[Mon, 04 Mar 2024 09:30:00 GMT] Keep-Alive:[timeout=25] X-Acs-Request-Id:[ABCD1234-ABCD-1234-ABCD-1234ABCD1234]

If the GetLoginProfile command throws the EntityNotExist.User.LoginProfile error, as shown in the output example above, there is no login profile configured for the selected user, therefore your RAM user is considered inactive because it cannot access the Management Console. If the GetLoginProfile command output returns the "LoginProfile" object, check the "Status" attribute value to determine if the selected user has access to the Management Console. If "Status" is set to "Inactive", the user's access to the console is disabled and your RAM user is considered inactive. If "Status" is set to "Active" (i.e. console access is enabled), continue the Audit process with the next step.

05 Run GetUser command (OSX/Linux/UNIX) with the name of the RAM user that you want to examine as the identifier parameter, to describe the information available for the selected user:

aliyun ram GetUser 
  --UserName tm-project-admin

06 The command output should return the requested user information:

{
	"User": {
		"UpdateDate": "2024-01-07T16:53:21Z",
		"Email": "",
		"UserName": "tm-project-admin",
		"UserId": "1234567890123456",
		"Comments": "",
		"DisplayName": "",
		"LastLoginDate": "2024-01-07T16:53:21Z",
		"CreateDate": "2024-01-05T11:10:03Z"
	},
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

Check the "LastLoginDate" attribute value to identify the most recent login time for the selected user on the Alibaba Cloud account console. If "LastLoginDate" timestamp reveals that your RAM user's most recent login occurred 90 days ago or longer, the selected Resource Access Management (RAM) user is considered inactive.

07 Repeat steps no. 3 - 6 for each RAM user available within your Alibaba Cloud account.
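The CLI audit above, automated as an added Python script (not code from the Conformity page or from Alibaba Cloud): it parses the ListUsers table, applies the login-profile and "LastLoginDate" checks from steps 3 to 6, and only calls the aliyun CLI when executed directly. The sample outputs are constructed from the page's examples, and merging stderr with stdout to catch the error text is an assumption.

```python
import json
import subprocess
from datetime import datetime, timezone

INACTIVITY_DAYS = 90  # threshold stated by the rule

# Constructed sample CLI outputs modelled on the page's examples (not live data)
SAMPLE_LIST = "UserName\n--------\ntm-project-admin\ntm-project-developer\n"
SAMPLE_PROFILE_MISSING = "ERROR: SDK.ServerError\nErrorCode: EntityNotExist.User.LoginProfile\n"
SAMPLE_PROFILE_ACTIVE = '{"LoginProfile": {"Status": "Active"}}'
SAMPLE_USER = '{"User": {"UserName": "tm-project-admin", "LastLoginDate": "2024-01-07T16:53:21Z"}}'


def parse_user_list(list_users_output):
    """Extract user names from `aliyun ram ListUsers --output cols=UserName` text."""
    names = []
    for line in list_users_output.splitlines():
        line = line.strip()
        if not line or line == "UserName" or set(line) == {"-"}:
            continue  # skip the header row and the dashed separator
        names.append(line)
    return names


def classify_user(login_profile_output, get_user_output, now):
    """Apply Audit steps 3-6 to raw CLI output; return (is_inactive, reason)."""
    if "EntityNotExist.User.LoginProfile" in login_profile_output:
        return True, "no login profile, console access impossible"
    status = json.loads(login_profile_output).get("LoginProfile", {}).get("Status")
    if status == "Inactive":
        return True, "console access disabled"
    last_login = json.loads(get_user_output)["User"].get("LastLoginDate")
    if not last_login:
        # Assumption (not from the page): a user with no recorded logon is flagged
        return True, "no recorded console logon"
    last_dt = datetime.strptime(last_login, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    age_days = (now - last_dt).days
    return age_days >= INACTIVITY_DAYS, f"last console logon {age_days} days ago"


def aliyun(*args):
    """Run the aliyun CLI; stderr is merged in because the error text is assumed to go there."""
    proc = subprocess.run(["aliyun", "ram", *args], capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name in parse_user_list(aliyun("ListUsers", "--output", "cols=UserName")):
        inactive, reason = classify_user(
            aliyun("GetLoginProfile", "--UserName", name),
            aliyun("GetUser", "--UserName", name), now)
        print(f"{name}: {'INACTIVE' if inactive else 'active'} ({reason})")
```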

Remediation / Resolution

To disable console access for your inactive Resource Access Management (RAM) users, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Users.

04 Click on the name (link) of the inactive RAM user that you want to configure, listed in the User Logon Name/Display Name column.

05 Select the Authentication tab to access the authentication configuration information available for the selected user.

06 In the Console Logon Management section, choose Modify Logon Settings to change the user logon settings.

07 On the Modify Logon Settings configuration panel, set Console Password Logon to Disabled to disable console access for the selected Alibaba Cloud RAM user, and choose OK to apply the configuration changes.

08 To disable console access by deleting the user login profile, choose Remove Logon Settings and select OK for confirmation.

09 Repeat steps no. 4 – 8 to disable console logon for each inactive RAM user available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run DeleteLoginProfile command (OSX/Linux/UNIX) to disable console access for the selected Alibaba Cloud RAM user by removing the user login profile:

aliyun ram DeleteLoginProfile 
  --UserName tm-project-admin

02 If successful, the output should return the command request ID:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

03 Repeat steps no. 1 and 2 to disable console logon for each inactive RAM user available within your Alibaba Cloud account.

Publication date Feb 23, 2024