Skip to main content

aws_iam_user Resource

Use the aws_iam_user InSpec audit resource to test properties of a single AWS IAM User.

For additional information, including details on parameters and properties, see the AWS documentation on IAM Users.

Installation

This resource is available in the Chef InSpec AWS resource pack.

See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.

Syntax

An aws_iam_user resource block declares the tests for a single AWS IAM User by user name.

describe aws_iam_user(user_name: 'psmith') do
  it { should exist }
end

Parameters

user_name (required)

This resource accepts a single parameter, the User’s username which uniquely identifies the User. This can be passed either as a string or as a user_name: 'value' key-value entry in a hash.

Properties

username
The user’s username.
user_id
The user’s ID.
user_arn
The Amazon Resource Name of the user.
access_keys
An array of hashes each containing metadata about the user’s Access Keys.
inline_policy_names
The names of policies directly attached to the user.
attached_policy_names
The name of standalone IAM policies which are attached to the user.
attached_policy_arns
The arns of the standalone IAM policies which are attached to the user.
  • has_mfa_enabled
  • has_console_password

Examples

The following examples show how to use this InSpec audit resource.

Test that an IAM user does not exist.

describe aws_iam_user(user_name: 'invalid-user') do
  it { should_not exist }
end

Test that an IAM user has MFA enabled.

describe aws_iam_user('psmith') do
  it { should exist }
  it { should have_mfa_enabled }
end

Ensure a User has no Access Keys or Inline Policies.

describe aws_iam_user('psmith') do
  it                         { should exist }
  its('access_keys')         { should be_empty }
  its('inline_policy_names') { should be_empty }
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

it { should exist }

has_mfa_enabled

This will check if the requested User has Multi Factor Authentication enabled.

it { should have_mfa_enabled }

has_console_password

This will ensure the User has a console password set.

it { should have_console_password }

AWS Permissions

Your Principal will need the following permissions action set to allow: IAM:Client:GetUserResponse IAM:Client:GetLoginProfileResponse IAM:Client:ListMFADevicesResponse IAM:Client:ListAccessKeysResponse IAM:Client:ListUserPoliciesResponse IAM:Client:ListAttachedUserPoliciesResponse

Edit this page on GitHub

Thank you for your feedback!

×









Search Results