aws_iam_password_policy
Use the aws_iam_password_policy
InSpec audit resource to test properties of an AWS IAM Password Policy.
Syntax
An aws_iam_password_policy
resource block declares the tests for an AWS IAM Password Policy.
describe aws_iam_password_policy do
it { should exist }
end
Parameters
This resource does not expect any parameters.
See also the AWS documentation on Auto Scaling Group.
Properties
Property | Description |
---|---|
minimum_password_length | The minimum character count of the password policy. |
max_password_age_in_days | Integer representing in days how long a password may last before expiring. |
number_of_passwords_to_remember | Number of previous passwords to remember. |
Examples
Test that a Password Policy meets your company’s requirements.
describe aws_iam_password_policy do
it { should require_uppercase_characters }
it { should require_lowercase_characters }
it { should require_numbers }
its('minimum_password_length') { should be > 8 }
end
Test that users can change their own passwords
describe aws_iam_password_policy do
it { should allow_users_to_change_password }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.
exist
it { should exist }
prevent_password_reuse
it { should prevent_password_reuse }
expire_passwords
it { should expire_passwords }
require_numbers
it { should require_numbers }
require_symbols
it { should require_symbols }
require_lowercase_characters
it { should require_lowercase_characters }
require_uppercase_characters
it { should require_uppercase_characters}
allow_users_to_change_passwords
it { should allow_users_to_change_password }
All matchers can use the inverse should_not
predicate.
AWS Permissions
Your Principal will need the following permissions action set to allow: iam:GetAccountPasswordPolicy