aws_iam_access_keys Resource
Use the aws_iam_access_keys InSpec audit resource to test properties of some or all AWS IAM Access Keys.
For additional information, including details on parameters and properties, see the AWS documentation on IAM Access Keys.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
An aws_iam_access_keys resource block returns all IAM Access Keys and allows the testing of that group of Access Keys.
describe aws_iam_access_keys do
it { should exist }
its('access_key_ids') { should include 'AKIA1111111111111111' }
end
Parameters
This resource accepts a single optional parameter, a Username for which to retrieve all Access Keys. If not provided, all Access Keys for all Users will be retrieved.
username (optional) - The IAM Username for which to retrieve the Access Keys. This can be passed either as a string or as a username: 'value' key-value entry in a hash.
Properties
access_key_id - The ID of the Access Key.
username - The IAM Username which is associated with the Access Key.
active - Indicates if the status of the Key is Active.
inactive - Indicates if the status of the Key is Inactive.
ever_used - Indicates if the Key has ever been used.
never_used - Indicates if the Key has never been used.
create_date - The creation date of the Access Key.
created_days_ago - How many days ago the Access Key was created.
created_hours_ago - How many hours ago the Access Key was created.
created_with_user - Boolean indicating if the Access Key was created with a user.
last_used_date - The date the Access Key was last used.
last_used_hours_ago - How many hours ago the Key was last used.
last_used_days_ago - How many days ago the Key was last used.
user_created_date - The date on which the associated User was created.
entries - Provides access to the raw results of the query, which can be treated as an array of hashes.
Examples
Test all Active keys.
describe aws_iam_access_keys.where(active: true) do
its('access_key_ids') { should include 'AKIA1111111111111111' }
end
Ensure a User has no Access Keys.
describe aws_iam_access_keys.where(username: 'untrusted-account') do
it { should_not exist }
end
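The Properties list above documents a set of derived fields (active, never_used, created_days_ago, last_used_days_ago) and the Examples show where() filtering on them. The following is an added example, not code from the InSpec AWS resource pack: a stand-alone Ruby model of how those properties derive from the raw entries, plus a where() stand-in, used to express the two key-hygiene checks a reviewer usually wants: active keys past a rotation age and active keys that have never been used. The sample rows, the fixed clock, and the 90-day window are constructed assumptions.

```ruby
require 'time'

# Fixed clock so the derived ages below are deterministic (assumption for the example).
NOW = Time.utc(2024, 6, 15)

# Constructed sample rows in the shape of the resource's `entries` (an array of
# hashes). Key IDs, usernames and dates are made up for this example.
SAMPLE_ENTRIES = [
  { access_key_id: 'AKIA1111111111111111', username: 'alice', status: 'Active',
    create_date: Time.utc(2024, 1, 10), last_used_date: Time.utc(2024, 6, 1) },
  { access_key_id: 'AKIA2222222222222222', username: 'bob', status: 'Active',
    create_date: Time.utc(2024, 5, 1), last_used_date: nil },
  { access_key_id: 'AKIA3333333333333333', username: 'carol', status: 'Inactive',
    create_date: Time.utc(2023, 1, 1), last_used_date: Time.utc(2023, 12, 31) },
  { access_key_id: 'AKIA4444444444444444', username: 'alice', status: 'Active',
    create_date: Time.utc(2024, 6, 1), last_used_date: Time.utc(2024, 6, 14) }
].freeze

# Derive the boolean and age properties the resource documents (active, inactive,
# ever_used, never_used, created_*_ago, last_used_*_ago) from one raw row.
def derive_properties(row, now = NOW)
  active = row[:status] == 'Active'
  created_hours_ago = ((now - row[:create_date]) / 3600).floor
  last_used = row[:last_used_date]
  ever_used = !last_used.nil?
  # A never-used key has no last-used timestamp, so its age-since-use stays nil.
  last_used_hours_ago = ever_used ? ((now - last_used) / 3600).floor : nil
  row.merge(
    active: active,
    inactive: !active,
    ever_used: ever_used,
    never_used: !ever_used,
    created_hours_ago: created_hours_ago,
    created_days_ago: created_hours_ago / 24,
    last_used_hours_ago: last_used_hours_ago,
    last_used_days_ago: last_used_hours_ago && last_used_hours_ago / 24
  )
end

# Stand-in for the resource's `where`: every keyword criterion must match the row,
# and an optional block is evaluated against the row for richer conditions.
def where(rows, criteria = {}, &cond)
  rows.select do |row|
    criteria.all? { |key, value| row[key] == value } && (cond.nil? || cond.call(row))
  end
end

# Mirrors the `access_key_ids` property used in the page's examples.
def access_key_ids(rows)
  rows.map { |row| row[:access_key_id] }
end

# Active keys older than the rotation window (90 days is a common baseline).
def stale_active_keys(rows, max_age_days: 90, now: NOW)
  derived = rows.map { |row| derive_properties(row, now) }
  where(derived, active: true) { |row| row[:created_days_ago] > max_age_days }
end

# Active keys that have never been used: they carry exposure without providing value.
def unused_active_keys(rows, now: NOW)
  derived = rows.map { |row| derive_properties(row, now) }
  where(derived, active: true, never_used: true)
end

if $PROGRAM_NAME == __FILE__
  puts "Stale active keys:  #{access_key_ids(stale_active_keys(SAMPLE_ENTRIES)).join(', ')}"
  puts "Unused active keys: #{access_key_ids(unused_active_keys(SAMPLE_ENTRIES)).join(', ')}"
  puts "Keys for alice:     #{access_key_ids(where(SAMPLE_ENTRIES, username: 'alice')).join(', ')}"
end
```

Against the real resource the same filters are written as aws_iam_access_keys.where(active: true, never_used: true), and the age condition uses the block form that InSpec's FilterTable accepts, aws_iam_access_keys.where { created_days_ago > 90 }, with it { should_not exist } asserting that the filtered set is empty.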
Matchers
For a full list of available matchers, visit the InSpec matchers page.
exist
The control will pass if the describe returns at least one result.
Use should_not to test that the entity does not exist.
it { should exist }
it { should_not exist }
AWS Permissions
Your Principal will need the IAM:Client:GetAccessKeyLastUsedResponse, IAM:Client:ListAccessKeysResponse and IAM:Client:ListUsersResponse actions with Effect set to Allow.
You can find detailed documentation at Amazon Route 53.