
aws_iam_password_policy Resource

Use the aws_iam_password_policy InSpec audit resource to test properties of an AWS IAM Password Policy.

For additional information, including details on parameters and properties, see the AWS documentation on Auto Scaling Group.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

An aws_iam_password_policy resource block declares the tests for an AWS IAM Password Policy.

describe aws_iam_password_policy do
  it { should exist }
end

Parameters

This resource does not require any parameters.

Properties

minimum_password_length: The minimum character count required by the password policy.
max_password_age_in_days: Integer giving the number of days a password may last before it expires.
number_of_passwords_to_remember: The number of previous passwords that may not be reused.

Examples

Test that a Password Policy meets your company’s requirements.

describe aws_iam_password_policy do
  it                             { should require_uppercase_characters }
  it                             { should require_lowercase_characters }
  it                             { should require_numbers }
  its('minimum_password_length') { should be > 8 }
end

Test that users can change their own passwords.

describe aws_iam_password_policy do
  it { should allow_users_to_change_password }
end

Matchers

For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.

exist

it { should exist }

prevent_password_reuse

it { should prevent_password_reuse }

expire_passwords

it { should expire_passwords }

require_numbers

it { should require_numbers }

require_symbols

it { should require_symbols }

require_lowercase_characters

it { should require_lowercase_characters }

require_uppercase_characters

it { should require_uppercase_characters }

allow_users_to_change_password

it { should allow_users_to_change_password }

All matchers can use the inverse should_not predicate.
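The following is an added example, not code from the InSpec documentation or the resource pack: it evaluates an IAM password policy against a baseline using the same checks the properties and matchers above express, as plain Ruby that runs offline with no InSpec and no AWS call. The baseline values and the sample policy are constructed assumptions; the policy keys follow the AWS SDK PasswordPolicy attribute names.

```ruby
# Added example (not from the InSpec docs): evaluates an IAM password policy
# against a baseline using the checks the resource's properties and matchers
# express, as plain Ruby with no InSpec or AWS call. Baseline values are
# assumptions; policy keys follow the AWS SDK PasswordPolicy attribute names.
BASELINE = {
  minimum_password_length: 14,          # its('minimum_password_length') { should be >= 14 }
  max_password_age_in_days: 90,         # its('max_password_age_in_days') { should be <= 90 }
  number_of_passwords_to_remember: 24,  # its('number_of_passwords_to_remember') { should be >= 24 }
  matchers: %i[require_uppercase_characters require_lowercase_characters
               require_numbers require_symbols expire_passwords
               prevent_password_reuse allow_users_to_change_password]
}.freeze

# Map a raw policy hash onto the resource's properties and matchers.
# AWS omits max_password_age and password_reuse_prevention when the
# corresponding feature is off, so nil means "not enforced".
def policy_facts(policy)
  {
    minimum_password_length: policy[:minimum_password_length],
    max_password_age_in_days: policy[:max_password_age],
    number_of_passwords_to_remember: policy[:password_reuse_prevention],
    require_uppercase_characters: policy[:require_uppercase_characters] == true,
    require_lowercase_characters: policy[:require_lowercase_characters] == true,
    require_numbers: policy[:require_numbers] == true,
    require_symbols: policy[:require_symbols] == true,
    expire_passwords: policy[:expire_passwords] == true,
    prevent_password_reuse: policy[:password_reuse_prevention].to_i > 0,
    allow_users_to_change_password: policy[:allow_users_to_change_password] == true
  }
end

# List every baseline check that fails; an empty list means compliant.
def password_policy_findings(policy, b = BASELINE)
  f = policy_facts(policy)
  findings = b[:matchers].reject { |m| f[m] }.map { |m| "should #{m}" }
  findings << "minimum_password_length should be >= #{b[:minimum_password_length]}" if f[:minimum_password_length].to_i < b[:minimum_password_length]
  findings << "max_password_age_in_days should be <= #{b[:max_password_age_in_days]}" if f[:max_password_age_in_days].nil? || f[:max_password_age_in_days] > b[:max_password_age_in_days]
  findings << "number_of_passwords_to_remember should be >= #{b[:number_of_passwords_to_remember]}" if f[:number_of_passwords_to_remember].to_i < b[:number_of_passwords_to_remember]
  findings
end

# Constructed sample: a weak policy with symbols, expiry and reuse prevention off.
SAMPLE_POLICY = {
  minimum_password_length: 8, require_symbols: false, require_numbers: true,
  require_uppercase_characters: true, require_lowercase_characters: true,
  allow_users_to_change_password: true, expire_passwords: false
}.freeze

puts password_policy_findings(SAMPLE_POLICY)
```

Each finding is phrased as the InSpec expectation it corresponds to, so a failing line can be copied straight into a describe block on the resource.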

AWS Permissions

Your principal will need the following permission action set to allow: IAM:Client:GetAccountPasswordPolicyResponse
