Ensure RAM User has no attached policies

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-RAM-008

Ensure that Resource Access Management (RAM) policies are attached to RAM groups rather than directly to individual users, so that user-based access to your Alibaba Cloud resources is managed more efficiently and follows the Principle of Least Privilege (POLP).

Security

Assigning privileges only through RAM groups unifies permissions management in a single, flexible layer that mirrors organizational job functions. Instead of defining permissions for individual RAM users, create RAM groups that correspond to job functions (administrators, developers, testers, etc.) and add users to these groups as needed, or move users between groups as their roles in your organization change. All the users within a group inherit the permissions assigned to that group, so a permission change made in one place applies to every member. By unifying permissions management, the likelihood of excessive or forgotten per-user permissions is greatly reduced.

Audit

To determine if your RAM users receive permissions through RAM groups only, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Users.

04 Click on the name (link) of the RAM user that you want to examine, listed in the User Logon Name/Display Name column.

05 Select the Permissions tab to view all the access policies attached to the selected RAM user.

06 Select the Individual tab to identify any policies attached directly to the RAM user. If one or more access policies are attached directly to the user, the selected Resource Access Management (RAM) user does not receive access permissions through RAM groups only.

07 Repeat steps no. 4 – 6 for each RAM user available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run ListUsers command (OSX/Linux/UNIX) with custom output filters to list the name of each RAM user available within your Alibaba Cloud account:

aliyun ram ListUsers \
  --output cols=UserName

02 The command output should return a list with the requested RAM user identifiers:

UserName
--------
tm-project-admin
tm-project-developer

03 Run ListPoliciesForUser command (OSX/Linux/UNIX) with the name of the Resource Access Management (RAM) user that you want to examine as the identifier parameter, to determine if there are any access policies assigned directly to the RAM user:

aliyun ram ListPoliciesForUser \
  --UserName tm-project-admin

04 The command output should return the list of policies attached directly to the user:

{
	"Policies": {
		"Policy": [
			{
				"PolicyType": "System",
				"AttachDate": "2024-01-23T10:35:10Z",
				"DefaultVersion": "v2",
				"PolicyName": "AliyunECSFullAccess"
			},
			{
				"PolicyType": "System",
				"AttachDate": "2024-01-23T10:35:11Z",
				"DefaultVersion": "v5",
				"PolicyName": "AliyunRDSFullAccess"
			}
		]
	},
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

If the ListPoliciesForUser command output returns one or more access policies within the "Policy" array, as shown in the example above, policies are attached directly to the user, so the selected Resource Access Management (RAM) user does not receive access permissions through RAM groups only. An empty "Policy" array means the user is compliant with this rule.

05 Repeat steps no. 3 and 4 for each RAM user available within your Alibaba Cloud account.
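The audit loop above (steps 01 to 05), as an added example that is not part of the original Conformity rule or the Alibaba Cloud CLI: it parses the ListPoliciesForUser JSON shape shown in step 04 and flags every user whose "Policy" array is non-empty. The sample responses are constructed; the ListUsers response shape (Users.User[].UserName) is assumed from the RAM API, and aliyun_fetch is a hypothetical helper that shells out to the same command as step 03.

```python
import json
import subprocess

# Constructed sample responses in the shape this page shows (not real account data).
SAMPLE_LIST_USERS = json.dumps({"Users": {"User": [
    {"UserName": "tm-project-admin"}, {"UserName": "tm-project-developer"}]}})
SAMPLE_POLICIES = {
    "tm-project-admin": json.dumps({"Policies": {"Policy": [
        {"PolicyType": "System", "PolicyName": "AliyunECSFullAccess"},
        {"PolicyType": "System", "PolicyName": "AliyunRDSFullAccess"}]},
        "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}),
    "tm-project-developer": json.dumps({"Policies": {"Policy": []},
        "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}),
}

def direct_policies(list_policies_output: str) -> list:
    """Return (PolicyType, PolicyName) pairs from a ListPoliciesForUser response.
    An empty "Policy" array means the user receives access through groups only."""
    policies = json.loads(list_policies_output).get("Policies", {}).get("Policy", [])
    return [(p["PolicyType"], p["PolicyName"]) for p in policies]

def user_names(list_users_output: str) -> list:
    """Extract user names from a ListUsers response (assumed Users.User[] shape).
    Caveat: ListUsers pages its results; for large accounts loop on the Marker."""
    return [u["UserName"] for u in json.loads(list_users_output)["Users"]["User"]]

def audit(list_users_output: str, fetch_policies) -> dict:
    """Map every non-compliant user to the policies attached directly to it.
    fetch_policies(user_name) must return the raw ListPoliciesForUser JSON."""
    findings = {}
    for name in user_names(list_users_output):
        attached = direct_policies(fetch_policies(name))
        if attached:
            findings[name] = attached
    return findings

def aliyun_fetch(user_name: str) -> str:
    """Hypothetical live fetcher: runs the same CLI command as step 03 above."""
    cmd = ["aliyun", "ram", "ListPoliciesForUser", "--UserName", user_name]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Offline run against the constructed samples; swap in aliyun_fetch for a real account.
    for user, pols in audit(SAMPLE_LIST_USERS, SAMPLE_POLICIES.__getitem__).items():
        print(f"NON-COMPLIANT {user}: {', '.join(n for _, n in pols)}")
```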

Remediation / Resolution

To change the permissions configuration for your RAM users in order to receive access permissions through RAM groups only, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 Create the necessary user group and add the group members. In the left navigation panel, under Identities, choose Groups.

04 Choose Create User Group, specify a Group Name, a Display Name, and enter a short description in the Note box. Choose OK to create your new RAM group.

05 Click on the name (link) of the newly created RAM group, and perform the following actions:

  1. Select the Permissions tab, choose Grant Permission, and select the permissions policies required to provide access to the group members. Follow the Principle of Least Privilege (POLP) and give the group members the minimal amount of access required to perform their tasks. You can configure permissions that relate to job functions such as administrators, developers, and testers, and add users to the group as needed. All the RAM users added to this group (i.e. group members) will inherit the permissions assigned to the group at this step. Choose OK to apply the necessary permissions and select Complete to finish the setup process.
  2. Select the Group Members tab, choose Add Group Members, and select the RAM user(s) that you want to add to your new group. Choose OK to save the changes and select Done to return to the RAM console.

06 Remove the direct association between the RAM user and the access policies. In the left navigation panel, under Identities, choose Users.

07 Click on the name (link) of the RAM user that you want to configure, listed in the User Logon Name/Display Name column.

08 Select the Permissions tab, choose the Individual tab, select all the access policies associated with the user, and choose Revoke Permission to detach all policies from the selected user. Choose Revoke Permission for confirmation.

09 Repeat steps no. 3 – 8 for each RAM user that you want to configure, available within your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run CreateGroup command (OSX/Linux/UNIX) to create a new Resource Access Management (RAM) group for your users:

aliyun ram CreateGroup \
  --GroupName tm-project-admins

02 The command output should return the RAM group configuration information:

{
	"Group": {
		"GroupName": "tm-project-admins",
		"Comments": "",
		"CreateDate": "2024-01-23T11:35:02Z",
		"GroupId": "g-ABCD1234ABCD1234"
	},
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

03 Run AttachPolicyToGroup command (OSX/Linux/UNIX) to attach the permissions policies required to provide access to the group members. Follow the Principle of Least Privilege (POLP) and give the group members the minimal amount of access required to perform their tasks. You can configure permissions that relate to job functions such as administrators, developers, and accounting, and add users to the group as needed. All the group members will inherit the permissions assigned to the RAM group at this step. Run the AttachPolicyToGroup command for each access policy that you want to attach to your user group:

aliyun ram AttachPolicyToGroup \
  --GroupName tm-project-admins \
  --PolicyName AliyunECSFullAccess \
  --PolicyType System

04 The command output should return the ID of the request:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

05 Run AddUserToGroup command (OSX/Linux/UNIX) to add the specified RAM user to your new user group. The user will automatically inherit the RAM group policies:

aliyun ram AddUserToGroup \
  --GroupName tm-project-admins \
  --UserName tm-project-admin

06 If successful, the command output should return the ID of the request:

{"RequestId":"1234ABCD-1234-ABCD-1234-ABCD1234ABCD"}

07 Run DetachPolicyFromUser command (OSX/Linux/UNIX) to remove the association between the specified RAM user and the access policies attached directly to the user:

aliyun ram DetachPolicyFromUser \
  --PolicyName AliyunECSFullAccess \
  --PolicyType System \
  --UserName tm-project-admin

08 The command output should return the ID of the request:

{"RequestId":"12341234-ABCD-1234-ABCD-ABCD1234ABCD"}

09 Repeat steps no. 1 – 8 for each Resource Access Management (RAM) user that you want to configure to receive access permissions through RAM groups only. Attach the policies to the group and add the user to it before detaching the user's direct policies, so the user does not lose access part-way through the change.
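The CLI remediation sequence (steps 01 to 08), as an added dry-run planner that is not part of the original rule or the Alibaba Cloud CLI: given a user's ListPoliciesForUser output (constructed sample below), it emits the ordered aliyun invocations that move those policies onto a group, granting through the group before detaching from the user. Nothing is executed; review the plan and trim it to least privilege before running it.

```python
import json
import shlex

# Constructed ListPoliciesForUser output for one user (same shape as audit step 04).
SAMPLE_DIRECT = json.dumps({"Policies": {"Policy": [
    {"PolicyType": "System", "PolicyName": "AliyunECSFullAccess"},
    {"PolicyType": "System", "PolicyName": "AliyunRDSFullAccess"}]},
    "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"})

def migration_plan(user_name: str, group_name: str, list_policies_output: str,
                   create_group: bool = True) -> list:
    """Return argv lists, in safe order, that re-home a user's direct policies:
    CreateGroup (optional) -> AttachPolicyToGroup (per policy) -> AddUserToGroup
    -> DetachPolicyFromUser (per policy). Detaching last keeps access continuous."""
    policies = json.loads(list_policies_output).get("Policies", {}).get("Policy", [])
    plan = []
    if create_group:
        plan.append(["aliyun", "ram", "CreateGroup", "--GroupName", group_name])
    for p in policies:
        plan.append(["aliyun", "ram", "AttachPolicyToGroup", "--GroupName", group_name,
                     "--PolicyName", p["PolicyName"], "--PolicyType", p["PolicyType"]])
    plan.append(["aliyun", "ram", "AddUserToGroup", "--GroupName", group_name,
                 "--UserName", user_name])
    for p in policies:
        plan.append(["aliyun", "ram", "DetachPolicyFromUser", "--PolicyName", p["PolicyName"],
                     "--PolicyType", p["PolicyType"], "--UserName", user_name])
    return plan

def detach_after_grant(plan: list) -> bool:
    """Check the invariant the planner relies on: no detach precedes the group add."""
    add_idx = next(i for i, c in enumerate(plan) if c[2] == "AddUserToGroup")
    return all(i > add_idx for i, c in enumerate(plan) if c[2] == "DetachPolicyFromUser")

if __name__ == "__main__":
    for argv in migration_plan("tm-project-admin", "tm-project-admins", SAMPLE_DIRECT):
        print(shlex.join(argv))
```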

Publication date Feb 23, 2024