aws_iam_groups

Use the aws_iam_groups InSpec audit resource to test properties of a collection of IAM groups.

Syntax

An aws_iam_groups resource block identifies a group by group name.

describe aws_iam_groups('mygroup') do
  it { should exist }
end

# Hash syntax for group name
describe aws_iam_groups(group_name: 'mygroup') do
  it { should exist }
end

Parameters

This resource does not expect any parameters.

See also the AWS documentation on IAM Groups.

Properties

Property Description
group_names The group name.
group_ids The group ID.
arns The Amazon Resource Name of the group.
users Array of users associated with the group.
entries Provides access to the raw results of the query, which can be treated as an array of hashes.

Examples

Ensure group contains a certain user
describe aws_iam_groups do
  it                 { should exist }
  its('group_names') { should include 'prod-access-group' }
end

Matchers

exist

The control will pass if a group with the given group name exists.

describe aws_iam_groups do
  it { should exist }
end

AWS Permissions

Your Principal will need the iam:ListGroup action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Identity And Access Management.