aws_iam_group

Use the aws_iam_group InSpec audit resource to test properties of a single IAM group.

Syntax

An aws_iam_group resource block identifies a group by group name.

describe aws_iam_group('mygroup') do
  it { should exist }
end

# Hash syntax for group name
describe aws_iam_group(group_name: 'mygroup') do
  it { should exist }
end

Parameters

group_name (required)

This resource accepts a single parameter, the Group Name which uniquely identifies the IAM Group. This can be passed either as a string or as a group_name: 'value' key-value entry in a hash.

See also the AWS documentation on IAM Groups.

Properties

Property Description
group_name The group name.
group_id The group ID.
arn The Amazon Resource Name of the group.
users Array of users associated with the group.

Examples

Ensure group contains a certain user
describe aws_iam_group('admin-group') do
  its('users') { should include 'deployment-service-account')}
end

Matchers

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

describe aws_iam_group('AnExistingGroup') do
  it { should exist }
end

describe aws_iam_group('ANonExistentGroup') do
  it { should_not exist }
end

AWS Permissions

Your Principal will need the iam:GetGroup action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Identity And Access Management.