Skip to main content

alicloud_ram_user_mfa Resource

[edit on GitHub]

Use the alicloud_ram_user_mfa InSpec audit resource to test properties of a single Alicloud RAM user’s MFA settings.


An alicloud_ram_user_mfa resource block declares the tests for a single Alicloud RAM user’s MFA settings by user name.

describe alicloud_ram_user_mfa(user_name: 'rpatel') do
  it { should exist }


user_name (required)

This resource accepts a single parameter, the RAM user’s username which uniquely identifies the user.
This can be passed either as a string or as a user_name: 'value' key-value entry in a hash.

See also the Alicloud documentation on RAM users.


The RAM user’s username.
The serial number of the RAM User’s MFA device.
The MFA type (VMFA: virtual NFA device, or U2F: Universal 2nd Factor security key).


The following example shows how to use this InSpec audit resource.

Test that a user has MFA configured.

describe alicloud_ram_user_mfa(user_name: 'jakobp') do
  it { should exist }
  its('serial_number') { should eq 'acs:ram::1234567890123456:mfa/jakobp' }
  its('type') { should eq 'VMFA' }


This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.


The control will pass if the describe returns at least one result.

it { should exist }

Use should_not to test the entity should not exist.

it { should_not exist }

Alicloud Permissions

Your Principal will need the ram:GetUserMFAInfo action with Effect set to Allow.

See the Alibaba Cloud Resource Access Management documentation.

See the documentation on authentication to RAM APIs.

Was this page helpful?


Search Results