Updated on 2025-07-01 GMT+08:00

Evaluating Resource Compliance

Scenario

You can create a rule to evaluate your resource compliance. When creating a rule, you need to select a built-in policy or a custom policy, specify a monitoring scope, and specify the trigger. After the evaluation, you can check the evaluation results.

This section uses the built-in policy for IAM user last login check as an example to describe how to detect inactive IAM users. This policy can help reduce idle users and password leakage risks for enhanced account security.

Step 1: Add a Rule

The following steps are only for reference. For details about all the parameters, see section "Adding a Rule Based on a Built-in Policy" in the Config User Guide.

  1. Log in to the management console.
  2. Click in the upper left corner of the page. In the service list that is displayed, under Management & Deployment, select Config.
  3. In the navigation pane on the left, choose Resource Compliance.
  4. On the Rules tab, click Add Rule.

  5. On the Basic Configurations page, select the built-in policy iam-user-last-login-check and click Next.

  6. On the Configure Rule Parameters page, configure the required parameters as described in the following table and click Next.

    | Parameter | Example | Description |
    |---|---|---|
    | Execute Every | 24 hours | How often a rule will be triggered. The rule will be periodically triggered at the configured frequency. Available options: 1 hour, 3 hours, 6 hours, 12 hours, 24 hours. |
    | Resource Scope | All | The region where your resources are deployed. Only resources in the specified region will be evaluated. |
    | Configure Rule Parameters | 90 | Number of days during which an IAM user has not logged in to the system. The default value is 90. If an IAM user does not log in to the system within the specified period of time, this user is noncompliant. |

  7. On the Confirm page, confirm the rule information and click Submit.

    After you add a rule, the first evaluation is automatically triggered immediately.

Step 2: View Evaluation Results

  1. On the Rules tab of the Resource Compliance page, click the name of the rule that was added in Step 1.

  2. View evaluation results and rule details on the Basic Information tab.

    By default, noncompliant resources are displayed. Above the list, you can filter the resources by evaluation result, resource name, and resource ID. You can also export all evaluation results.

    IAM users who have not logged in to the management console within 90 days are listed as noncompliant users. You can adjust these users as needed.
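
To cross-check the rule's results offline, the following added example (not Config's own code) applies the same 90-day last-login test to a constructed user inventory. The record fields, the `evaluate` and `noncompliant` helpers, the strict "more than 90 days" boundary, and the treatment of users who have never logged in are assumptions; the page does not specify them.

```python
from datetime import datetime, timedelta, timezone

ALLOWED_INACTIVE_DAYS = 90  # example value of the rule parameter in Step 1

# Constructed sample inventory. Field names are assumptions, not a Config or IAM export format.
USERS = [
    {"name": "alice", "created": "2023-01-10T08:00:00+08:00", "last_login": "2025-06-20T09:30:00+08:00"},
    {"name": "bob", "created": "2022-05-01T08:00:00+08:00", "last_login": "2025-01-15T12:00:00+08:00"},
    {"name": "ci-bot", "created": "2024-02-01T00:00:00+00:00", "last_login": None},
    {"name": "new-hire", "created": "2025-06-25T10:00:00+08:00", "last_login": None},
]


def evaluate(users, now, allowed_days=ALLOWED_INACTIVE_DAYS):
    """Return {user name: (result, whole idle days)} for each user record."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    results = {}
    for user in users:
        # Assumption: a user who has never logged in is measured from the
        # creation time, so a newly created account is not flagged at once.
        reference = datetime.fromisoformat(user["last_login"] or user["created"])
        if reference.tzinfo is None:
            raise ValueError(f"timestamp for {user['name']} lacks a UTC offset")
        idle = now - reference  # aware datetimes compare correctly across offsets
        # Assumption: a login exactly allowed_days ago still counts as compliant.
        status = "noncompliant" if idle > timedelta(days=allowed_days) else "compliant"
        results[user["name"]] = (status, idle.days)
    return results


def noncompliant(users, now, allowed_days=ALLOWED_INACTIVE_DAYS):
    """Names of noncompliant users, longest idle first, for review order."""
    flagged = [(days, name)
               for name, (status, days) in evaluate(users, now, allowed_days).items()
               if status == "noncompliant"]
    return [name for days, name in sorted(flagged, reverse=True)]


if __name__ == "__main__":
    now = datetime(2025, 7, 1, tzinfo=timezone.utc)  # fixed time so output is repeatable
    for name, (status, days) in evaluate(USERS, now).items():
        print(f"{name:10} {status:13} idle {days} days")
```

Accounts that never log in to the console, such as the constructed `ci-bot` entry, are flagged once they are older than the threshold, so review how they are used before adjusting them.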