aws_iam_managed_policy Resource

Use the aws_iam_managed_policy InSpec audit resource to test the properties of an AWS IAM managed policy.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

The aws_iam_managed_policy resource returns an IAM managed policy and allows testing of that policy.

describe aws_iam_managed_policy(policy_arn: 'POLICY_ARN') do
  its('policy_name') { should eq 'POLICY_NAME' }
end

arn: The ARN identifier of the specified policy.
policy_id: The stable and unique string identifying the policy.
policy_name: The friendly name (not ARN) identifying the policy.
attachment_count: The count of attached entities for each policy.
attached_group: The list of group names of the groups attached to each policy.
default_version_id: The identifier for the default version of the policy.

Test that a specific policy name exists.

describe aws_iam_managed_policy(policy_arn: 'POLICY_ARN') do
  its('policy_name') { should eq 'POLICY_NAME' }
end

Test that a specific policy ID exists.

describe aws_iam_managed_policy(policy_arn: 'POLICY_ARN') do
  its('policy_id') { should eq 'POLICY_ID'}
end

For a full list of available matchers, visit the InSpec matchers page.

The control passes if the describe method returns at least one result.

Use should to test an entity that should exist.

describe aws_iam_managed_policy(policy_arn: 'POLICY_ARN').where( PROPERTY: PROPERTY_VALUE ) do
  it { should exist }
end

Use should_not to test an entity that should not exist.

describe aws_iam_managed_policy(policy_arn: 'POLICY_ARN').where( PROPERTY: PROPERTY_VALUE ) do
  it { should_not exist }
end

Your Principal will need the iam:ListPolicies action with Effect set to Allow.