aws_iam_user Resource

Use the aws_iam_user InSpec audit resource to test properties of a single AWS IAM User.

For additional information, including details on parameters and properties, see the AWS documentation on IAM Users.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

An aws_iam_user resource block declares the tests for a single AWS IAM User by user name.

describe aws_iam_user(user_name: 'psmith') do
  it { should exist }
end

Parameters

user_name (required)

This resource accepts a single parameter: the user name, which uniquely identifies the user. It can be passed either as a plain string or as a user_name: 'value' key-value entry in a hash.

Properties

username
The friendly name identifying the user.
user_id
The stable and unique string identifying the user.
user_arn
The Amazon Resource Name (ARN) that identifies the user.
access_keys
An array of hashes, each containing metadata about one of the user’s access keys.
inline_policy_names
The names of inline policies embedded directly in the user.
attached_policy_names
The names of standalone (managed) IAM policies attached to the user.
attached_policy_arns
The Amazon Resource Names (ARNs) of the standalone (managed) IAM policies attached to the user.
user_path
The path to the user.
user_create_date
The date and time, in ISO 8601 date-time format, when the user was created.
user_password_last_used
The date and time, in ISO 8601 date-time format, when the user’s password was last used to sign in to an Amazon Web Services website.
permissions_boundary
The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity.
user_tags
A list of tags that are associated with the user.
has_mfa_enabled
Whether the user has Multi-Factor Authentication (MFA) enabled; also available as the has_mfa_enabled matcher below.
has_console_password
Whether the user has a console password set; also available as the has_console_password matcher below.

Examples

The following examples show how to use this InSpec audit resource.

Test that an IAM user does not exist.

describe aws_iam_user(user_name: 'invalid-user') do
  it { should_not exist }
end

Test that an IAM user has MFA enabled.

describe aws_iam_user('psmith') do
  it { should exist }
  it { should have_mfa_enabled }
end

Ensure a User has no Access Keys or Inline Policies.

describe aws_iam_user('psmith') do
  it                         { should exist }
  its('access_keys')         { should be_empty }
  its('inline_policy_names') { should be_empty }
end
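The describe blocks above only check that access_keys and inline_policy_names are empty. The following added example (not part of the InSpec documentation or the inspec-aws resource pack) shows how the same properties and the has_mfa_enabled / has_console_password matchers can be combined into a reusable audit rule for a single user: console access without MFA, inline policies, more than one active key, and active keys older than a rotation threshold. It assumes each access_keys entry responds to access_key_id, status and create_date, as the AWS SDK's AccessKeyMetadata does; the sample user and key data are constructed so the logic runs without AWS credentials.

```ruby
require 'time'

# Constructed stand-in for the entries the aws_iam_user `access_keys` property
# returns. The field names are an assumption based on the AWS SDK's
# AccessKeyMetadata; the page only says "an array of hashes".
AccessKey = Struct.new(:access_key_id, :status, :create_date, keyword_init: true)

# Returns the IDs of Active access keys created more than max_age_days before `now`.
def stale_active_keys(access_keys, max_age_days, now = Time.now)
  cutoff = now - max_age_days * 24 * 60 * 60
  access_keys
    .select { |k| k.status == 'Active' && k.create_date < cutoff }
    .map(&:access_key_id)
end

# Evaluates one user described by the resource's properties and returns a list
# of findings; an empty array means the user passes. `user` is a plain Hash with
# the property names from this page as keys, so it can be built from
# aws_iam_user('name') in a profile or from test data as here.
def iam_user_findings(user, max_key_age_days: 90, now: Time.now)
  findings = []
  if user[:has_console_password] && !user[:has_mfa_enabled]
    findings << 'console password set but MFA is not enabled'
  end
  unless user[:inline_policy_names].empty?
    findings << "inline policies present: #{user[:inline_policy_names].join(', ')}"
  end
  active = user[:access_keys].count { |k| k.status == 'Active' }
  findings << "#{active} active access keys (expected at most one)" if active > 1
  stale = stale_active_keys(user[:access_keys], max_key_age_days, now)
  findings << "active keys older than #{max_key_age_days} days: #{stale.join(', ')}" unless stale.empty?
  findings
end

# Constructed sample: a console user without MFA, one inline policy, one fresh
# and one stale active key. The key IDs are placeholders, not real identifiers.
NOW = Time.parse('2024-06-01T00:00:00Z')
SAMPLE_USER = {
  has_console_password: true,
  has_mfa_enabled: false,
  inline_policy_names: ['s3-full'],
  access_keys: [
    AccessKey.new(access_key_id: 'AKIAEXAMPLE0000001', status: 'Active',
                  create_date: Time.parse('2024-05-20T00:00:00Z')),
    AccessKey.new(access_key_id: 'AKIAEXAMPLE0000002', status: 'Active',
                  create_date: Time.parse('2023-12-01T00:00:00Z')),
  ],
}

puts iam_user_findings(SAMPLE_USER, now: NOW) if $PROGRAM_NAME == __FILE__
```

Inside a profile the same helper can be wrapped as `describe stale_active_keys(aws_iam_user('psmith').access_keys, 90) do it { should be_empty } end`, turning the key-age rule into an ordinary InSpec test.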

Matchers

For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.

exist

The control will pass if the describe returns at least one result.

Use should_not to test that the entity does not exist.

it { should exist }

has_mfa_enabled

This will check whether the requested user has Multi-Factor Authentication (MFA) enabled.

it { should have_mfa_enabled }

has_console_password

This will check whether the user has a console password set.

it { should have_console_password }

AWS Permissions

Your principal will need the following permission actions set to allow:

  • IAM:Client:GetUserResponse
  • IAM:Client:GetLoginProfileResponse
  • IAM:Client:ListMFADevicesResponse
  • IAM:Client:ListAccessKeysResponse
  • IAM:Client:ListUserPoliciesResponse
  • IAM:Client:ListAttachedUserPoliciesResponse