aws_sts_caller_identity Resource

Use the aws_sts_caller_identity InSpec audit resource to test properties of AWS IAM identity whose credentials are used in the current InSpec scan.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

An aws_sts_caller_identity resource block may be used to perform tests on details of the AWS credentials being used in the current Inspec scan. You can also test if the credentials belong to a GovCloud account or not.

describe aws_sts_caller_identity do
  it { should exist }
end

Parameters

name (required)

This resource does not expect any parameters.

Properties

arn

The AWS ARN associated with the calling entity.

account

The AWS account ID number of the account that owns or contains the calling entity.

user_id

The unique identifier of the calling entity.

For more info, see the API reference documentation

Examples

Check that the credentials used to run the scan is correct.

describe aws_sts_caller_identity do
  its("arn") { should match "arn:aws:iam::.*:user/service-account-inspec" }
end

Test if the account belongs to GovCloud.

describe aws_sts_caller_identity do
  it { should be_govcloud }
end

Skip a test if we are using GovCloud.

if aws_sts_caller_identity.govcloud?
  describe 'Skipping Root User MFA check as we are on GovCloud' do
    skip
  end
else
  describe aws_iam_root_user do
    it { should have_mfa_enabled }  
  end
end

Matchers

This resource has the following special matchers.

be_govcloud

The be_govcloud matcher tests if the account is a ‘GovCloud’ AWS Account.

describe aws_sts_caller_identity do
    it { should_not be_govcloud }
end

AWS Permissions

Your Principal will need the STS:Client:GetCallerIdentityResponse action with Effect set to Allow.