aws_iam_password_policy Resource
Use the aws_iam_password_policy
InSpec audit resource to test properties of an AWS IAM Password Policy.
For additional information, including details on parameters and properties, see the AWS documentation on Auto Scaling Group.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
An aws_iam_password_policy
resource block declares the tests for an AWS IAM Password Policy.
describe aws_iam_password_policy do
it { should exist }
end
Parameters
This resource does not require any parameters.
Properties
minimum_password_length
- The minimum character count of the password policy.
max_password_age_in_days
- Integer representing in days how long a password may last before expiring.
number_of_passwords_to_remember
- Number of previous passwords to remember.
Examples
Test that a Password Policy meets your company’s requirements.
describe aws_iam_password_policy do
it { should require_uppercase_characters }
it { should require_lowercase_characters }
it { should require_numbers }
its('minimum_password_length') { should be > 8 }
end
Test that users can change their own passwords .
describe aws_iam_password_policy do
it { should allow_users_to_change_password }
end
Matchers
For a full list of available matchers, see our Universal Matchers page.This resource has the following special matchers.
exist
it { should exist }
prevent_password_reuse
it { should prevent_password_reuse }
expire_passwords
it { should expire_passwords }
require_numbers
it { should require_numbers }
require_symbols
it { should require_symbols }
require_lowercase_characters
it { should require_lowercase_characters }
require_uppercase_characters
it { should require_uppercase_characters}
allow_users_to_change_passwords
it { should allow_users_to_change_password }
All matchers can use the inverse should_not
predicate.
AWS Permissions
Your Principal will need the following permissions action set to allow: IAM:Client:GetAccountPasswordPolicyResponse