aws_iam_user resource
Use the aws_iam_user InSpec audit resource to test properties of a single AWS IAM User.
Syntax
An aws_iam_user resource block declares the tests for a single AWS IAM User by user name.
describe aws_iam_user(user_name: 'psmith') do
it { should exist }
end
Parameters
user_name (required)
This resource accepts a single parameter: the user name, which uniquely identifies the user within the AWS account. It can be passed either as a bare string or as a user_name: 'value' key-value entry in a hash.
See also the AWS documentation on IAM Users.
Properties
| Property | Description |
|---|---|
| username | The user’s user name (the same value passed as user_name). |
| user_id | The user’s unique ID, assigned by IAM. |
| user_arn | The Amazon Resource Name (ARN) of the user. |
| access_keys | An array of hashes, each containing the metadata for one of the user’s access keys as returned by iam:ListAccessKeys. |
| inline_policy_names | The names of the inline policies embedded directly in the user. |
| attached_policy_names | The names of the standalone (managed) IAM policies attached to the user. |
| attached_policy_arns | The ARNs of the standalone (managed) IAM policies attached to the user. |
| has_mfa_enabled | Boolean: true when at least one MFA device is assigned to the user. Backs the have_mfa_enabled matcher. |
| has_console_password | Boolean: true when the user has a login profile, i.e. a password for AWS Management Console sign-in. Backs the have_console_password matcher. |
Examples
The following examples show how to use this InSpec audit resource.
Test that an IAM user does not exist
describe aws_iam_user(user_name: 'invalid-user') do
it { should_not exist }
end
Test that an IAM user has MFA enabled
describe aws_iam_user('psmith') do
it { should exist }
it { should have_mfa_enabled }
end
Ensure a User has no Access Keys or Inline Policies
describe aws_iam_user('psmith') do
it { should exist }
its('access_keys') { should be_empty }
its('inline_policy_names') { should be_empty }
end
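The three examples above each check one attribute in isolation. In practice the checks belong together, and the MFA check only makes sense for a user who can actually sign in to the console: a service user with no login profile and only access keys should not be flagged for missing MFA, but its active keys should be checked for age. The following is an added example in plain Ruby, not an InSpec profile and not code from the InSpec docs; it runs the same logic the matchers express (has_console_password, has_mfa_enabled, inline_policy_names, access_keys) over constructed user records shaped like the resource’s properties. The access-key hash keys (access_key_id, status, create_date) follow the fields of the iam:ListAccessKeys response and are an assumption about the exact shape of the resource’s access_keys entries; the 90-day rotation limit is an assumed policy value, not something the resource enforces.

```ruby
# Added example: plain-Ruby audit logic over records shaped like the
# aws_iam_user resource's properties. Not part of the InSpec docs.
require 'time'

# Constructed sample records. Key IDs are fake. The access-key hash keys
# (:access_key_id, :status, :create_date) mirror iam:ListAccessKeys output
# and are an assumption about the resource's access_keys entries.
SAMPLE_USERS = {
  'psmith' => {
    username: 'psmith',
    has_console_password: true,
    has_mfa_enabled: true,
    access_keys: [],
    inline_policy_names: [],
    attached_policy_names: ['ReadOnlyAccess'],
  },
  'ci-deploy' => {
    username: 'ci-deploy',
    has_console_password: false, # service user: no console sign-in, so no MFA finding
    has_mfa_enabled: false,
    access_keys: [
      { access_key_id: 'AKIA0000000000EXAMPLE1', status: 'Active',   create_date: Time.utc(2020, 1, 1) },
      { access_key_id: 'AKIA0000000000EXAMPLE2', status: 'Inactive', create_date: Time.utc(2023, 6, 1) },
    ],
    inline_policy_names: ['deploy-inline'],
    attached_policy_names: [],
  },
}.freeze

# Assumed rotation policy; adjust to your organisation's standard.
MAX_KEY_AGE_DAYS = 90

# Returns an array of finding strings; an empty array means the user passes.
def iam_user_findings(user, now: Time.now.utc, max_key_age_days: MAX_KEY_AGE_DAYS)
  findings = []

  # InSpec equivalent: it { should have_mfa_enabled }, but only required when
  # the user can sign in to the console (it { should have_console_password }).
  if user[:has_console_password] && !user[:has_mfa_enabled]
    findings << 'console password set without MFA'
  end

  # InSpec equivalent: its('inline_policy_names') { should be_empty }
  unless user[:inline_policy_names].empty?
    findings << "inline policies attached: #{user[:inline_policy_names].join(', ')}"
  end

  # Rotation check over access_keys: only Active keys count, and only when
  # older than max_key_age_days. Inactive keys are left alone.
  user[:access_keys].each do |key|
    next unless key[:status] == 'Active'
    age_days = ((now - key[:create_date]) / 86_400).floor
    next unless age_days > max_key_age_days
    findings << "active access key #{key[:access_key_id]} is #{age_days} days old (limit #{max_key_age_days})"
  end

  findings
end

def compliant?(user, **opts)
  iam_user_findings(user, **opts).empty?
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_USERS.each do |name, user|
    findings = iam_user_findings(user)
    puts "#{name}: #{findings.empty? ? 'PASS' : 'FAIL'}"
    findings.each { |f| puts "  - #{f}" }
  end
end
```

In an InSpec profile the same guard is normally expressed by wrapping the MFA expectation in an only_if on has_console_password, so that key-only service users are not reported as MFA failures while their access keys are still inspected.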
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.
exist
The control will pass if the describe returns at least one result.
Use should_not to test that the entity does not exist.
it { should exist }
has_mfa_enabled
Passes if the user has at least one MFA device (virtual or hardware) assigned. Note that this covers console sign-in only: the user’s access keys are not MFA-protected unless a policy condition requires it, so pair this matcher with a check on access_keys.
it { should have_mfa_enabled }
has_console_password
Passes if the user has a login profile, i.e. a password for AWS Management Console sign-in. A user without one cannot sign in interactively and can only act through access keys.
it { should have_console_password }
AWS Permissions
Your principal will need the following actions allowed:
- iam:GetUser
- iam:GetLoginProfile
- iam:ListMFADevices
- iam:ListAccessKeys
- iam:ListUserPolicies
- iam:ListAttachedUserPolicies
All six actions accept a user ARN as the Resource, so the auditing principal’s policy can be scoped to arn:aws:iam::<account-id>:user/* (or to specific users) rather than to "*".
© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
The Chef™ Mark and Chef Logo are either registered trademarks/service marks or trademarks/servicemarks of Chef, in the United States and other countries and are used with Chef Inc's permission.
We are not affiliated with, endorsed or sponsored by Chef Inc.
https://docs.chef.io/inspec/resources/aws_iam_user/