Disable Console Access for RAM Users Inactive for 90 days

Sign in to your Alibaba Cloud account.

Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

In the left navigation panel, under Identities, choose Users.

Click on the name (link) of the RAM user that you want to examine, listed in the User Logon Name/Display Name column.

Select the Authentication tab to access the authentication configuration information available for the selected RAM user.

In the Console Logon Management section, check the Console Access attribute value to determine if the selected user has access to the Management Console. If Console Access is set to Disabled, the user access to the console is disabled, therefore the selected RAM user is considered inactive. If Console Access is set to Enabled, check the Last Console Logon attribute value to identify the most recent login time for the specified user on the Alibaba Cloud Management Console. If Last Console Logon timestamp reveals that your RAM user's most recent login occurred 90 days ago or longer, the selected Resource Access Management (RAM) user is considered inactive.

Repeat steps no. 4 – 6 for each RAM user available in your Alibaba Cloud account.

Run ListUsers command (OSX/Linux/UNIX) with custom output filters to list the name of each RAM user available within your Alibaba Cloud account:

aliyun ram ListUsers 
  --output cols=UserName

The command output should return a list with the requested RAM user identifiers:

UserName
--------
tm-project-admin
tm-project-developer

Run GetLoginProfile command (OSX/Linux/UNIX) with the name of the Resource Access Management (RAM) user that you want to examine as the identifier parameter, to describe the user login profile information available for the selected RAM user:

aliyun ram GetLoginProfile
  --UserName tm-project-admin

The command output should return the requested login profile information:

ERROR: SDK.ServerError
ErrorCode: EntityNotExist.User.LoginProfile
Recommend: https://api.aliyun.com/troubleshoot?q=EntityNotExist.User.LoginProfile&product=Ram&requestId=ABCD1234-ABCD-1234-ABCD-1234ABCD1234
RequestId: ABCD1234-ABCD-1234-ABCD-1234ABCD1234
Message: login policy not exists
RespHeaders: map[Access-Control-Allow-Origin:[*] Access-Control-Expose-Headers:[*] Connection:[keep-alive] Content-Length:[302] Content-Type:[application/json;charset=utf-8] Date:[Mon, 04 Mar 2024 09:30:00 GMT] Keep-Alive:[timeout=25] X-Acs-Request-Id:[ABCD1234-ABCD-1234-ABCD-1234ABCD1234]

If GetLoginProfile command throws the EntityNotExist.User.LoginProfile error, as shown in the output example above, there is no login profile configured for the selected user, therefore, your RAM user is considered inactive because it cannot access the Management Console. If the GetLoginProfile command output returns the "LoginProfile" object, check the "Status" attribute value to determine if the selected user has access to the Management Console. If "Status" is set to "Inactive", the user access to the console is disabled and your RAM user is considered inactive. If "Status" is set "Active" (i.e. console access is enabled), continue the Audit process with the next step.

Run GetUser command (OSX/Linux/UNIX) with the name of the RAM user that you want to examine as the identifier parameter, to describe the information available for the selected user:

aliyun ram GetUser 
  --UserName tm-project-admin

The command output should return the requested user information:

{
	"User": {
		"UpdateDate": "2024-01-07T16:53:21Z",
		"Email": "",
		"UserName": "tm-project-admin",
		"UserId": "1234567890123456",
		"Comments": "",
		"DisplayName": "",
		"LastLoginDate": "2024-01-07T16:53:21Z",
		"CreateDate": "2024-01-05T11:10:03Z"
	},
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

Check the "LastLoginDate" attribute value to identify the most recent login time for the selected user on the Alibaba Cloud account console. If "LastLoginDate" timestamp reveals that your RAM user's most recent login occurred 90 days ago or longer, the selected Resource Access Management (RAM) user is considered inactive.

Repeat steps no. 3 - 6 for each RAM user available within your Alibaba Cloud account.

Sign in to your Alibaba Cloud account.

Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

In the left avigation panel, under Identities, choose Users.

Click on the name (link) of the inactive RAM user that you want to configure, listed in the User Logon Name/Display Name column.

Select the Authentication tab to access the authentication configuration information available for the selected user.

In the Console Logon Management section, choose Modify Logon Settings to change the user logon settings.

On the Modify Logon Settings configuration panel, set Console Password Logon to Disabled to disable console access for the selected Alibaba Cloud RAM user, and choose OK to apply the configuration changes.

To disable console access by deleting the user login profile, choose Remove Logon Settings and select OK for confirmation.

Repeat steps no. 4 – 8 to disable console logon for each inactive RAM user available in your Alibaba Cloud account.

Run DeleteLoginProfile command (OSX/Linux/UNIX) to disable console access for the selected Alibaba Cloud RAM user by removing the user login profile:

aliyun ram DeleteLoginProfile 
  --UserName tm-project-admin

If successful, the output should return the command request ID:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

Repeat steps no. 1 and 2 to disable console logon for each inactive RAM user available within your Alibaba Cloud account.