
alicloud_ram_user_mfa Resource

Use the alicloud_ram_user_mfa InSpec audit resource to test properties of a single Alicloud RAM user’s MFA settings.


An alicloud_ram_user_mfa resource block declares the tests for a single Alicloud RAM user’s MFA settings by user name.

describe alicloud_ram_user_mfa(user_name: 'rpatel') do
  it { should exist }
end


user_name (required)

This resource accepts a single parameter, the RAM user’s username which uniquely identifies the user.
This can be passed either as a string or as a user_name: 'value' key-value entry in a hash.

See also the Alicloud documentation on RAM users.


The RAM user’s username.
The serial number of the RAM user’s MFA device.
The MFA type (VMFA: virtual MFA device, or U2F: Universal 2nd Factor security key).


The following example shows how to use this InSpec audit resource.

Test that a user has MFA configured.

describe alicloud_ram_user_mfa(user_name: 'jakobp') do
  it { should exist }
  its('serial_number') { should eq 'acs:ram::1234567890123456:mfa/jakobp' }
  its('type') { should eq 'VMFA' }
end


For a full list of available matchers, see our Universal Matchers page.


The control will pass if the describe returns at least one result.

it { should exist }

Use should_not to test that the entity does not exist.

it { should_not exist }

Alicloud Permissions

Your Principal will need the ram:GetUserMFAInfo action with Effect set to Allow.

See the Alibaba Cloud Resource Access Management documentation. See the documentation on authentication to RAM APIs.
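The following added example (not part of InSpec or of this resource pack) checks whether a RAM policy document gives the scanning principal ram:GetUserMFAInfo, and reports any Allow pattern that is broader than that single action. The three policy documents are constructed samples, and the check assumes Resource and Condition elements can be ignored.

```ruby
require 'json'

REQUIRED_ACTION = 'ram:GetUserMFAInfo' # the action this page says the principal needs

# True when a policy action pattern (which may contain '*') covers the action.
def action_matches?(pattern, action)
  source = Regexp.escape(pattern).gsub('\*', '.*')
  action.match?(/\A#{source}\z/)
end

# Action patterns from statements with the given Effect that cover the action.
def covering_patterns(policy, effect, action)
  [policy['Statement']].flatten.compact
                       .select { |stmt| stmt['Effect'] == effect }
                       .flat_map { |stmt| Array(stmt['Action']) }
                       .select { |pattern| action_matches?(pattern, action) }
end

# Assumption: Resource and Condition elements are ignored to keep the check short.
def audit_policy(json, action = REQUIRED_ACTION)
  policy = JSON.parse(json)
  allows = covering_patterns(policy, 'Allow', action)
  denies = covering_patterns(policy, 'Deny', action)
  { permitted: allows.any? && denies.empty?, # an explicit Deny overrides any Allow
    broader_than_needed: allows.reject { |pattern| pattern == action } }
end

# Constructed sample policies (not taken from any real account).
SCOPED_POLICY = '{"Version":"1","Statement":[{"Effect":"Allow",' \
                '"Action":"ram:GetUserMFAInfo","Resource":"*"}]}'
BROAD_POLICY = '{"Version":"1","Statement":[{"Effect":"Allow",' \
               '"Action":["ram:*"],"Resource":"*"}]}'
DENIED_POLICY = '{"Version":"1","Statement":[' \
                '{"Effect":"Allow","Action":["ram:Get*"],"Resource":"*"},' \
                '{"Effect":"Deny","Action":"ram:GetUserMFAInfo","Resource":"*"}]}'

if __FILE__ == $PROGRAM_NAME
  { scoped: SCOPED_POLICY, broad: BROAD_POLICY, denied: DENIED_POLICY }.each do |name, json|
    puts "#{name}: #{audit_policy(json)}"
  end
end
```

A policy that passes with an empty broader_than_needed list grants the audit principal only what this resource requires.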
