aws_iam_groups Resource

Use the aws_iam_groups InSpec audit resource to test properties of a collection of IAM groups.

For additional information, including details on parameters and properties, see the AWS documentation on IAM Groups.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

An aws_iam_groups resource block identifies a group by group name.

describe aws_iam_groups('mygroup') do
  it { should exist }
end

# Hash syntax for group name

describe aws_iam_groups(group_name: 'mygroup') do
  it { should exist }
end

Parameters

This resource does not require any parameters.

Properties

group_names

The group name.

group_ids

The group ID.

arns

The Amazon Resource Name of the group.

users

Array of users associated with the group.

entries

Provides access to the raw results of the query, which can be treated as an array of hashes.

has_inline_policies

Boolean indicating whether or not the group has policies applied to it.

inline_policy_names

The names of the policies (if any) which are applied to the group.

Examples

Ensure group contains a certain user.

describe aws_iam_groups do
  it                 { should exist }
  its('group_names') { should include 'prod-access-group' }
end

Ensure there are no groups with inline policies.

describe aws_iam_groups.where(has_inline_policies: true) do
  its('group_names') { should be_empty }
end

Matchers

exist

The control will pass if a group with the given group name exists.

describe aws_iam_groups do
  it { should exist }
end

AWS Permissions

Your Principal will need the IAM:Client:ListGroupsResponse action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Identity And Access Management.