aws_iam_users Resource
Use the aws_iam_users
InSpec audit resource to test properties of some or all AWS IAM Users.
For additional information, including details on parameters and properties, see the AWS documentation on IAM Users.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
An aws_iam_users
resource block returns all IAM Users and allows the testing of that group of Users.
describe aws_iam_users do
its('usernames') { should include 'payroll-admin' }
end
Parameters
This resource does not require any parameters.
Properties
usernames
- The usernames of the returned Users.
user_arns
- The Amazon Resource Names of the returned Users.
user_ids
- The IDs of the returned Users.
access_keys
- Array of Access Keys belonging to each User.
has_attached_policies
- Whether or not the User has IAM Policies attached.
attached_policy_names
- The names (if any) of the IAM Policies attached to the User.
attached_policy_arns
- The Amazon Resource Names (if any) of the IAM Policies attached to the User.
has_console_password
- Whether or not the User has a console password set.
has_inline_policies
- Boolean indicating whether or not the User has policies set directly on them.
inline_policy_names
- The names of the policies (if any) which are directly on the User.
has_mfa_enabled
- Boolean indicating whether the User has MFA enabled or not.
password_ever_used?
- Whether the user has even used their console password.
password_last_used_days_ago
- How long ago, in days, since the user last used their console password. Returns
-1
if the password has never been used. entries
- Provides access to the raw results of the query, which can be treated as an array of hashes.
Examples
Ensure there are no Users who do not have MFA enabled.
describe aws_iam_users.where( has_mfa_enabled: false) do
it { should_not exist }
end
Ensure there are no Users with inline policies.
describe aws_iam_users.where(has_inline_policies: true) do
its('usernames') { should be_empty }
end
Ensure there are no Users with attached policies.
describe aws_iam_users.where(has_attached_policies: true) do
its('usernames') { should be_empty }
end
Matchers
For a full list of available matchers, visit the InSpec matchers page.
exist
The control will pass if the describe returns at least one result.
Use should_not
to test the entity should not exist.
describe aws_iam_users.where( <property>: <value>) do
it { should exist }
end
describe aws_iam_users.where( <property>: <value>) do
it { should_not exist }
end
AWS Permissions
Your Principal will need the following permissions set to Allow:
IAM:Client:GetLoginProfileResponse
IAM:Client:ListUsersResponse
IAM:Client:ListMFADevicesResponse
IAM:Client:ListAccessKeysResponse
IAM:Client:ListUserPoliciesResponse
IAM:Client:ListAttachedUserPoliciesResponse