aws_iam_user Resource
Use the aws_iam_user
InSpec audit resource to test properties of a single AWS IAM User.
For additional information, including details on parameters and properties, see the AWS documentation on IAM Users.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
An aws_iam_user
resource block declares the tests for a single AWS IAM User by user name.
describe aws_iam_user(user_name: 'psmith') do
it { should exist }
end
Parameters
user_name
(required)This resource accepts a single parameter, the User’s username which uniquely identifies the User. This can be passed either as a string or as a
user_name: 'value'
key-value entry in a hash.
Properties
username
- The friendly name identifying the user.
user_id
- The stable and unique string identifying the user.
user_arn
- The Amazon Resource Name (ARN) that identifies the user.
access_keys
- An array of hashes each containing metadata about the user’s Access Keys.
inline_policy_names
- The names of policies directly attached to the user.
attached_policy_names
- The name of standalone IAM policies which are attached to the user.
attached_policy_arns
- The Amazon Resource Name (ARN) that identifies the user.
user_path
- The path to the user.
user_create_date
- The date and time, in ISO 8601 date-time format, when the user was created.
user_password_last_used
- The date and time, in ISO 8601 date-time format, when the user’s password was last used to sign in to an Amazon Web Services website.
permissions_boundary
- The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity.
user_tags
- A list of tags that are associated with the user.
- has_mfa_enabled
- has_console_password
Examples
The following examples show how to use this InSpec audit resource.
Test that an IAM user does not exist.
describe aws_iam_user(user_name: 'invalid-user') do
it { should_not exist }
end
Test that an IAM user has MFA enabled.
describe aws_iam_user('psmith') do
it { should exist }
it { should have_mfa_enabled }
end
Ensure a User has no Access Keys or Inline Policies.
describe aws_iam_user('psmith') do
it { should exist }
its('access_keys') { should be_empty }
its('inline_policy_names') { should be_empty }
end
Matchers
For a full list of available matchers, see our Universal Matchers page.This resource has the following special matchers.
exist
The control will pass if the describe returns at least one result.
Use should_not
to test the entity should not exist.
it { should exist }
has_mfa_enabled
This will check if the requested User has Multi Factor Authentication enabled.
it { should have_mfa_enabled }
has_console_password
This will ensure the User has a console password set.
it { should have_console_password }
AWS Permissions
Your Principal will need the following permissions action set to allow:
IAM:Client:GetUserResponse
IAM:Client:GetLoginProfileResponse
IAM:Client:ListMFADevicesResponse
IAM:Client:ListAccessKeysResponse
IAM:Client:ListUserPoliciesResponse
IAM:Client:ListAttachedUserPoliciesResponse