Evaluating Resource Compliance

Scenario

The resource compliance feature enables you to quickly create a set of rules for evaluating your resources against compliance requirements. When creating a rule, you need to select a built-in policy or a custom policy, specify a monitoring scope, and specify the trigger. After the evaluation, you can check the evaluation results.

This section uses the built-in policy for IAM user last login check as an example to describe how to detect inactive IAM users. This policy can help reduce idle users and password leakage risks for enhanced account security.

Step 1: Add a Rule

The following steps are only for reference. For details about all the parameters, see section "Adding a Rule Based on a Built-in Policy" in the Config User Guide.

Log in to the Config console.
In the navigation pane on the left, choose Resource Conformance.
On the Rules tab, click Add Rule.
On the Basic Configurations page, select the built-in policy Last Login Check and click Next.

On the Configure Rule Parameters page, configure required parameters as shown below and click Next.

Parameter	Example	Description
Execute Every	24 hours	Execution frequency of the evaluations for a rule. The system triggers evaluation periodically based on this setting. Available options: 1 hour, 3 hours, 6 hours, 12 hours, 24 hours.
Resource Scope	All	The region where your resources are deployed. Only resources in the specified region will be evaluated.
Configure Rule Parameters	90	Number of days during which an IAM user has not logged in the system. The default value is 90. If an IAM user does not log in to the system within the specified period of time, this user is non-compliant.

Parameter

Example

Description

Execute Every

24 hours

Execution frequency of the evaluations for a rule.

The system triggers evaluation periodically based on this setting.

Available options: 1 hour, 3 hours, 6 hours, 12 hours, 24 hours.

Resource Scope

All

The region where your resources are deployed.

Only resources in the specified region will be evaluated.

Configure Rule Parameters

Number of days during which an IAM user has not logged in the system. The default value is 90.

If an IAM user does not log in to the system within the specified period of time, this user is non-compliant.

On the Confirm page, verify the rule details and click Submit.

Once the rule is created, the system automatically triggers the first evaluation for the rule.

Step 2: View evaluation results.

On the Rules tab of the Resource Conformance page, click the name of the rule that was added in Step 1.
View evaluation results and rule details on the Basic Information tab.

By default, non-compliant resources are displayed. Use the filter box above the list to search for resources by evaluation result, resource name, or ID. You can also export all evaluation results.

IAM users who do not log in to the management console within 90 days are considered non-compliant. Take appropriate action on these inactive users based on the evaluation results.