alicloud_ram_security_preference must be defined and configured to enforce MFA login for alicloud_ram_user accounts.
The rule detects when the alicloud_ram_security_preference resource is missing, when enforce_mfa_for_login is not defined, or when enforce_mfa_for_login is set to false.
When any of these conditions occur, the policy reports the affected resource and suggests setting enforce_mfa_for_login = true.
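The three conditions above can be reproduced with a small source scanner. This is an added example, not Datadog's rule implementation: the function names, finding strings, and sample file names are assumptions, the sample folder is constructed, and only literal `true`/`false` values are evaluated (variable references are not resolved).

```python
import re

BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*enforce_mfa_for_login\s*=\s*(\S+)', re.M)

def resource_blocks(src):
    """Yield (type, name, body) for every resource block in one .tf source string."""
    src = re.sub(r'(?m)^\s*(#|//).*$', '', src)  # commented-out resources do not count
    for m in BLOCK_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:  # walk to the brace that closes this block
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(2), src[m.end():i - 1]

def check_mfa(files):
    """Return (file, resource name, reason) findings for a dict of path -> source."""
    findings, users, prefs = [], [], 0
    for path, src in files.items():
        for rtype, name, body in resource_blocks(src):
            if rtype == "alicloud_ram_user":
                users.append((path, name))
            elif rtype == "alicloud_ram_security_preference":
                prefs += 1
                m = ATTR_RE.search(body)
                if m is None:
                    findings.append((path, name, "enforce_mfa_for_login not defined"))
                elif m.group(1) == "false":
                    findings.append((path, name, "enforce_mfa_for_login is false"))
    if prefs == 0:  # "missing" is judged across the whole scanned folder
        findings += [(p, n, "alicloud_ram_security_preference missing") for p, n in users]
    return findings

# Constructed sample folder (hypothetical file names), modelled on this page's samples.
USER = 'resource "alicloud_ram_user" "%s" {\n  name = "user_test"\n}\n'
PREF = 'resource "alicloud_ram_security_preference" "%s" {\n  enable_save_mfa_ticket = false\n%s}\n'
FOLDER = {
    "compliant.tf": USER % "user0" + PREF % ("example0", "  enforce_mfa_for_login = true\n"),
    "undefined.tf": USER % "user1" + PREF % ("example1", ""),
    "false.tf": USER % "user2" + PREF % ("example2", "  enforce_mfa_for_login = false\n"),
    "commented.tf": '#resource "alicloud_ram_user" "user3" {\n#  name = "user_test"\n#}\n',
}

if __name__ == "__main__":
    for finding in check_mfa(FOLDER):
        print(*finding, sep=": ")
```

Scanning a folder that contains only a user resource and no security preference produces the "missing" finding for that user.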
Compliant Code Examples
```terraform
# Create a new RAM user.
resource "alicloud_ram_user" "user0" {
  name         = "user_test"
  display_name = "user_display_name"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "yoyoyo"
  force        = true
}

resource "alicloud_ram_security_preference" "example0" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
  enforce_mfa_for_login         = true
}
```
Non-Compliant Code Examples
```terraform
# Create a new RAM user.
resource "alicloud_ram_user" "user1" {
  name         = "user_test"
  display_name = "user_display_name"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "yoyoyo"
  force        = true
}

resource "alicloud_ram_security_preference" "example1" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
}
```
```terraform
# Create a new RAM user.
resource "alicloud_ram_user" "user2" {
  name         = "user_test"
  display_name = "user_display_name"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "yoyoyo"
  force        = true
}

resource "alicloud_ram_security_preference" "example2" {
  enable_save_mfa_ticket        = false
  allow_user_to_change_password = true
  enforce_mfa_for_login         = false
}
```
```terraform
# this file does not return any result because inside the test folder exists at least one resource "alicloud_ram_security_preference" in the samples
#resource "alicloud_ram_user" "user3" {
#  name         = "user_test"
#  display_name = "user_display_name"
#  mobile       = "86-18688888888"
#  email        = "hello.uuu@aaa.com"
#  comments     = "yoyoyo"
#  force        = true
#}
```
```yaml
rulesets:
  - Terraform / Alicloud # Rules to enforce / Alicloud.
```