Skip to main content

alicloud_ram_users Resource

Use the alicloud_ram_users InSpec audit resource to test properties of some or all Alicloud RAM users.

Syntax

An alicloud_ram_users resource block returns all RAM users and allows the testing of that group of RAM users.

describe alicloud_ram_users do
  its('user_names') { should include 'payroll-admin' }
end

Parameters

This resource does not require any parameters.

Properties

user_names
The user names of the returned RAM users.
user_ids
The unique IDs of the returned RAM users.
display_names
Display names of the returned RAM users.
comments
Comments about the returned RAM users.
create_dates
The times when the returned RAM users were created.
update_dates
The times when the information about the returned RAM users was last updated.
access_keys
An array of hashes each containing metadata about a user’s access keys (active and inactive).
active_access_keys
An array of hashes each containing metadata about a user’s active access keys.
has_access_key
Boolean indicating whether each user has any access keys or not.
has_active_access_key
Boolean indicating whether each user has any active access keys or not.
has_console_access
Boolean indicating whether each user has console access.
has_console_and_key_access
Boolean indicating whether each user has both console access as well as one or more active access keys.
has_mfa_enabled
Boolean indicating whether each user has MFA enabled or not.
entries
Provides access to the raw results of the query, which can be treated as an array of hashes.

Examples

Ensure there are no RAM users who do not have MFA enabled.

describe alicloud_ram_users.where(has_mfa_enabled: false) do
  it { should_not exist }
**less readable test, but it gives better output.**

end

Ensure there are no RAM users who have console access and do not have MFA enabled.

alicloud_ram_users.where(has_console_access: true).user_names.each do |u|
  describe alicloud_ram_user_mfa(u) do
    it { should exist }
  end
end

Ensure there are no RAM users with console access and one or more active access keys.

describe alicloud_ram_users.where(has_console_and_key_access: true) do
  its('user_names') { should be_empty }
end
or
alicloud_ram_users.where { active_access_keys.count > 0 }.user_names.each do |u|
  describe alicloud_ram_user(u) do
    its('has_console_access') { should be false }
  end
end

Matchers

For a full list of available matchers, please visit our matchers page.

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

describe alicloud_ram_users.where( <property>: <value>) do
  it { should exist }
end
describe alicloud_ram_users.where( <property>: <value>) do
  it { should_not exist }
end

Alicloud Permissions

Your Principal will need the following permissions action with Effect set to Allow: ram:Listusers, ram:GetLoginProfile, ram:ListAccessKeys, ram:GetUserMFAInfo

See the Alibaba Cloud Resource Access Management documentation. See the documentation on authentication to RAM APIs.

Edit this page on GitHub

Thank you for your feedback!

×