aws_iam_groups Resource
Use the aws_iam_groups
InSpec audit resource to test properties of a collection of IAM groups.
For additional information, including details on parameters and properties, see the AWS documentation on IAM Groups.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
An aws_iam_groups
resource block identifies a group by group name.
describe aws_iam_groups('mygroup') do
it { should exist }
end
# Hash syntax for group name
describe aws_iam_groups(group_name: 'mygroup') do
it { should exist }
end
Parameters
This resource does not require any parameters.
Properties
group_names
- The group name.
group_ids
- The group ID.
arns
- The Amazon Resource Name of the group.
users
- Array of users associated with the group.
entries
- Provides access to the raw results of the query, which can be treated as an array of hashes.
has_inline_policies
- Boolean indicating whether or not the group has policies applied to it.
inline_policy_names
- The names of the policies (if any) which are applied to the group.
Examples
Ensure group contains a certain user.
describe aws_iam_groups do
it { should exist }
its('group_names') { should include 'prod-access-group' }
end
Ensure there are no groups with inline policies.
describe aws_iam_groups.where(has_inline_policies: true) do
its('group_names') { should be_empty }
end
Matchers
exist
The control will pass if a group with the given group name exists.
describe aws_iam_groups do
it { should exist }
end
AWS Permissions
Your Principal will need the IAM:Client:ListGroupsResponse
action with Effect
set to Allow
.
You can find detailed documentation at Actions, Resources, and Condition Keys for Identity And Access Management.