Skip to main content

aws_iam_root_user Resource

Use the aws_iam_root_user InSpec audit resource to test properties of an AWS IAM Root User.

For additional information, including details on parameters and properties, see the AWS documentation on Root Users.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

An aws_iam_root_user resource block declares the tests for a single AWS IAM Root User by user name.

describe aws_iam_root_user do
    it { should exist }
end

Parameters

This resource does not require any parameters.

Properties

summary_account
A hash containing a summary of the Root User’s account. Properties within this hash can be accessed and tested against. Please see the API Documentation for details on the available properties.
virtual_devices
A list of the virtual MFA devices in the AWS account.

Examples

Test that an IAM Root User has MFA enabled.

describe aws_iam_root_user do
  it { should have_mfa_enabled }
end

Test that an IAM Root User does not have an access key.

describe aws_iam_root_user do
  it { should_not have_access_key }
end

Test the IAM Root User has virtual MFA enabled.

describe aws_iam_root_user do
  it { should have_virtual_mfa_enabled }
end

Matchers

For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

describe aws_iam_root_user do
  it { should exist }
end

have_mfa_enabled

it { should have_mfa_enabled }    

have_virtual_mfa_enabled

it { should have_virtual_mfa_enabled }

have_access_key

it { should have_access_key }    

have_hardware_mfa_enabled

it { should have_hardware_mfa_enabled }    

AWS Permissions

Your Principal will need the following permissions action set to allow: IAM:Client:GetAccountSummaryResponse IAM:Client:ListVirtualMFADevicesResponse

Edit this page on GitHub

Thank you for your feedback!

×