aws_iam_managed_policies Resource
Use the aws_iam_managed_policies
InSpec audit resource to test the properties of a collection of AWS IAM managed policies.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
The aws_iam_managed_policies
resource returns a collection of IAM managed policies and allows testing of that collection.
describe aws_iam_managed_policies do
its('policy_names') { should include('POLICY_NAME') }
end
This resource allows filtering by scope, which are:
- To list only AWS-managed policies, set
scope
toAWS
. - To list only the customer-managed policies in your AWS account, set
scope
toLocal
. - If a scope is not provided or if
scope
is set toALL
, all policies are returned.
describe aws_iam_managed_policies(scope: 'AWS') do
it { should exist }
end
describe aws_iam_managed_policies(scope: 'Local') do
it { should exist }
end
describe aws_iam_managed_policies(scope: 'ALL') do
it { should exist }
end
See the AWS documentation on IAM Managed Policy for additional information.
Parameters
scope
(optional)
scope
accepts three possible values, AWS
, Local
, or ALL
:
AWS
returns AWS-managed policies.Local
returns customer-managed policies.ALL
returns all policies.
- : Specify a scope by passing a key-value entry in a hash:
scope: 'VALUE'
. If ommitted, all policies are returned.
Properties
arns
- A list of the ARN identifiers of the policies.
Field:
arn
policy_ids
- A list of the stable and unique strings identifying the policies.
Field:
policy_id
policy_names
- A list of the friendly names (not ARN) identifying the policies.
Field:
policy_name
attachment_counts
- A list of the counts of attached entities for each policy.
Field:
attachment_count
attached_groups
- A list of the list of group names of the groups attached to each policy.
Field:
attached_group
default_version_ids
- A list of the identifier for the default version of the policy.
Field:
default_version_id
Examples
Ensure a specific policy exists.
describe aws_iam_managed_policies do
its('policy_names') { should include('POLICY_NAME') }
end
Allow at most 100 IAM Policies on the account.
describe aws_iam_managed_policies do
its('polict_ids.count') { should be <= 100}
end
Matchers
For a full list of available matchers, visit the InSpec matchers page.
exist
The control passes if the describe returns at least one result.
Use should
to test the entity should exist.
describe aws_iam_managed_policies.where( PROPERTY: PROPERTY_VALUE) do
it { should exist }
end
Use should_not
to test the entity should not exist.
describe aws_iam_managed_policies.where( PROPERTY: PROPERTY_VALUE) do
it { should_not exist }
end
AWS Permissions
Your Principal will need the iam:ListPolicies
action with Effect
set to Allow
.
You can find detailed documentation at Actions, Resources, and Condition Keys for Identity And Access Management.