
aws_iam_user resource


Use the aws_iam_user InSpec audit resource to test properties of a single AWS IAM User.

Syntax

An aws_iam_user resource block declares the tests for a single AWS IAM User by user name.

describe aws_iam_user(user_name: 'psmith') do
  it { should exist }
end

Parameters

user_name (required)

This resource accepts a single parameter, the User’s username which uniquely identifies the User. This can be passed either as a string or as a user_name: 'value' key-value entry in a hash.

See also the AWS documentation on IAM Users.

Properties

Property                Description
username                The user's username.
user_id                 The user's ID.
user_arn                The Amazon Resource Name (ARN) of the user.
access_keys             An array of hashes, each containing metadata about one of the user's Access Keys.
inline_policy_names     The names of the inline policies embedded directly in the user.
attached_policy_names   The names of the standalone (managed) IAM policies attached to the user.
attached_policy_arns    The ARNs of the standalone (managed) IAM policies attached to the user.

The resource also provides the following matchers, described under Matchers below:
  • has_mfa_enabled
  • has_console_password

Examples

The following examples show how to use this InSpec audit resource.

Test that an IAM user does not exist

describe aws_iam_user(user_name: 'invalid-user') do
  it { should_not exist }
end

Test that an IAM user has MFA enabled

describe aws_iam_user('psmith') do
  it { should exist }
  it { should have_mfa_enabled }
end

Ensure a User has no Access Keys or Inline Policies

describe aws_iam_user('psmith') do
  it                         { should exist }
  its('access_keys')         { should be_empty }
  its('inline_policy_names') { should be_empty }
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

it { should exist }

has_mfa_enabled

This will check whether the requested User has Multi-Factor Authentication (MFA) enabled.

it { should have_mfa_enabled }

has_console_password

This will ensure the User has a console password set.

it { should have_console_password }
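The properties and matchers above are usually combined into one hygiene control that reports every problem with a user rather than stopping at the first failing expectation. The following profile helper is an added example (not code from the InSpec documentation or the inspec-aws project); it assumes the resource object responds to exist?, has_mfa_enabled?, has_console_password?, access_keys, inline_policy_names and attached_policy_arns, and the user list and deny-listed policy ARN are constructed for illustration.

```ruby
# Added example: a profile library helper (e.g. libraries/iam_user_hygiene.rb)
# that turns the aws_iam_user properties/matchers into a list of findings.
# Assumed interface: the object passed in responds to exist?, has_mfa_enabled?,
# has_console_password?, access_keys, inline_policy_names, attached_policy_arns.
class IamUserHygiene
  # Constructed deny-list; AdministratorAccess is a real AWS managed policy ARN.
  FORBIDDEN_POLICY_ARNS = ['arn:aws:iam::aws:policy/AdministratorAccess'].freeze

  def initialize(user)
    @user = user
  end

  # Returns an array of human-readable findings; an empty array means the
  # user passes every check.
  def findings
    return ['user does not exist'] unless @user.exist?

    out = []
    # A console password without an MFA device is the classic weak spot.
    if @user.has_console_password? && !@user.has_mfa_enabled?
      out << 'console password set without MFA'
    end
    out << "has #{@user.access_keys.size} access key(s)" unless @user.access_keys.empty?
    inline = @user.inline_policy_names
    out << "inline policies: #{inline.join(', ')}" unless inline.empty?
    forbidden = @user.attached_policy_arns & FORBIDDEN_POLICY_ARNS
    out << "forbidden policies: #{forbidden.join(', ')}" unless forbidden.empty?
    out
  end
end

# Register the control only when this file is evaluated by InSpec; in plain
# Ruby (e.g. unit-testing the helper) `control` is not defined.
if defined?(control)
  control 'iam-user-hygiene' do
    impact 0.7
    title 'IAM users must use MFA and have no access keys or inline policies'
    %w[psmith jdoe].each do |name| # constructed user list
      # The subject is the findings array, so a failure lists every problem.
      describe IamUserHygiene.new(aws_iam_user(user_name: name)).findings do
        it { should be_empty }
      end
    end
  end
end
```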

AWS Permissions

Your Principal will need the following permission actions set to allow:
  • iam:GetUser
  • iam:GetLoginProfile
  • iam:ListMFADevices
  • iam:ListAccessKeys
  • iam:ListUserPolicies
  • iam:ListAttachedUserPolicies
