Skip to main content

aws_sts_caller_identity resource

[edit on GitHub]

Use the aws_sts_caller_identity InSpec audit resource to test properties of AWS IAM identity whose credentials are used in the current InSpec scan.

Syntax

An aws_sts_caller_identity resource block may be used to perform tests on details of the AWS credentials being used in the current Inspec scan. You can also test if the credentials belong to a GovCloud account or not.

describe aws_sts_caller_identity do
  it { should exist }
end

Parameters

name (required)

This resource does not expect any parameters.

Properties

PropertyDescription
arnThe ARN of the IAM Identity

Examples

Check that the credentials used to run the scan is correct

describe aws_sts_caller_identity do
  its("arn") { should match "arn:aws:iam::.*:user/service-account-inspec" }
end

Test if the account belongs to GovCloud

describe aws_sts_caller_identity do
  it { should be_govcloud }
end

Skip a test if we are using GovCloud

if aws_sts_caller_identity.govcloud?
  describe 'Skipping Root User MFA check as we are on GovCloud' do
    skip
  end
else
  describe aws_iam_root_user do
    it { should have_mfa_enabled }
  end
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

be_govcloud

The be_govcloud matcher tests if the account is a ‘GovCloud’ AWS Account.

describe aws_sts_caller_identity do
    it { should_not be_govcloud }
end

Was this page helpful?