aws_iam_saml_provider Resource

Use the aws_iam_saml_provider InSpec audit resource to test properties of an AWS IAM SAML Provider.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

describe aws_iam_saml_provider('SAML_ARN') do
    it { should exist }
end

Parameters

saml_provider_arn (required)

This resource accepts a single parameter, the ARN of the SAML Provider. This can be passed either as a string or as a saml_provider_arn: 'value' key-value entry in a hash.

Properties

provider

The provider.

arn

The arn of the provider.

saml_metadata_document

Metadata document associated with the saml provider.

valid_until

The expiration date and time for the SAML provider.

create_date

The date and time, in ISO 8601 date-time format , when the role was created.

Syntax

An aws_iam_saml_provider resource block declares the tests for a single AWS IAM SAML Provider by Provider ARN.

describe aws_iam_saml_provider('arn:aws:iam::123456789012:saml-provider/FANCY') do
    it { should exist }
end

Examples

Ensure we have at least one provider currently valid.

describe aws_iam_saml_provider("arn:aws:iam::123456789012:saml-provider/FANCY") do
  it { should exist }
  its("arn") { should match("arn:aws:iam::.*:saml-provider\/FANCY") }
  its("valid_until") { should be > Time.now + 90 * 86400 }
    end

Matchers

For a full list of available matchers, visit the InSpec matchers page.

exist

The exists matcher tests if the filtered IAM SAML Provider(s) exists.

describe aws_iam_saml_provider('arn:aws:iam::123456789012:saml-provider/FANCY') do
  it { should exist }
end

You may also use it { should_not exist }.

AWS Permissions

Your Principal will need the IAM:Client:GetSAMLProviderResponse action with Effect set to Allow.