aws_iam_user Resource
Use the aws_iam_user
InSpec audit resource to test properties of a single AWS IAM User.
For additional information, including details on parameters and properties, see the AWS documentation on IAM Users.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
An aws_iam_user
resource block declares the tests for a single AWS IAM User by user name.
describe aws_iam_user(user_name: 'psmith') do
it { should exist }
end
Parameters
user_name
(required)-
This resource accepts a single parameter, the User’s username which uniquely identifies the User. This can be passed either as a string or as a
user_name: 'value'
key-value entry in a hash.
Properties
username
- The user’s username.
user_id
- The user’s ID.
user_arn
- The Amazon Resource Name of the user.
access_keys
- An array of hashes each containing metadata about the user’s Access Keys.
inline_policy_names
- The names of policies directly attached to the user.
attached_policy_names
- The name of standalone IAM policies which are attached to the user.
attached_policy_arns
- The arns of the standalone IAM policies which are attached to the user.
- has_mfa_enabled
- has_console_password
Examples
The following examples show how to use this InSpec audit resource.
Test that an IAM user does not exist.
describe aws_iam_user(user_name: 'invalid-user') do
it { should_not exist }
end
Test that an IAM user has MFA enabled.
describe aws_iam_user('psmith') do
it { should exist }
it { should have_mfa_enabled }
end
Ensure a User has no Access Keys or Inline Policies.
describe aws_iam_user('psmith') do
it { should exist }
its('access_keys') { should be_empty }
its('inline_policy_names') { should be_empty }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
exist
The control will pass if the describe returns at least one result.
Use should_not
to test the entity should not exist.
it { should exist }
has_mfa_enabled
This will check if the requested User has Multi Factor Authentication enabled.
it { should have_mfa_enabled }
has_console_password
This will ensure the User has a console password set.
it { should have_console_password }
AWS Permissions
Your Principal will need the following permissions action set to allow:
IAM:Client:GetUserResponse
IAM:Client:GetLoginProfileResponse
IAM:Client:ListMFADevicesResponse
IAM:Client:ListAccessKeysResponse
IAM:Client:ListUserPoliciesResponse
IAM:Client:ListAttachedUserPoliciesResponse
Was this page helpful?