aws_iam_access_keys

Use the aws_iam_access_keys InSpec audit resource to test properties of some or all AWS IAM Access Keys.

Syntax

An aws_iam_access_keys resource block returns all IAM Access Keys and allows the testing of that group of Access Keys.

  describe aws_iam_access_keys do
    it                    { should exist }
    its('access_key_ids') { should include 'AKIA1111111111111111' }
  end

Parameters

This resources accepts a single optional parameter, a Username for which to retrieve all Access Keys. If not provided, all Access Keys for all Users will be retrieved.

username (optional)

The IAM Username for which to retrieve the Access Keys. This can be passed either as a string or as a username: 'value' key-value entry in a hash.

See also the AWS documentation on IAM Access Keys.

Properties

Property Description
access_key_id The ID of the Access Key.
username The IAM Username which is associated with the Access Key.
active Indicates if the status of the Key is Active.
inactive Indicates if the status of the Key is Inactive.
ever_used Indicates if the Key has ever been used.
never_used Indicates if the Key has never been used.
create_date The creation date of the Access Key.
created_days_ago How many days ago the Access Key was created.
created_hours_ago How many hours ago the Access Key was created.
created_with_user Boolean indicating if the Access Key was created with a User.
last_used_date The date the Access Key was last used.
last_used_hours_ago How many hours ago the Key was last used.
last_used_days_ago How many days ago the Key was last used.
user_created_date The date on which the associated User was created.
entries Provides access to the raw results of the query, which can be treated as an array of hashes.

Examples

Test all Active keys
describe aws_iam_access_keys.where(active: true) do
  its('access_key_ids') { should include 'AKIA1111111111111111' }
end
Ensure a User has no Access Keys
describe aws_iam_access_keys.where(username: 'untrusted-account') do
  it { should_not exist }
end

Matchers

For a full list of available matchers, please visit our matchers page.

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

it { should exist }

it { should_not exist }

AWS Permissions

Your Principal will need the following permissions set to Allow: iam:GetUser iam:GetAccessKeyLastUsed iam:ListUsers iam:ListAccessKeys