aws_iam_root_user

Use the aws_iam_root_user InSpec audit resource to test properties of an AWS IAM Root User.

Syntax

An aws_iam_root_user resource block declares the tests for the single AWS IAM Root User of the account being audited. Because every account has exactly one root user, no name or identifier is passed to the resource.

describe aws_iam_root_user do
  it { should exist }
end

Parameters

This resource does not expect any parameters.

See also the AWS documentation on Root Users.

Properties

Property         Description
summary_account  A hash containing a summary of the Root User's account, as returned by the IAM GetAccountSummary API. Keys within this hash can be accessed and tested against; see the IAM GetAccountSummary API documentation for the available keys.
virtual_devices  A list of the virtual MFA devices in the AWS account, as returned by the IAM ListVirtualMFADevices API.

Examples

Test that an IAM Root User has MFA enabled

describe aws_iam_root_user do
  it { should have_mfa_enabled }
end

Test that an IAM Root User does not have an access key

describe aws_iam_root_user do
  it { should_not have_access_key }
end

Test that an IAM Root User has virtual MFA enabled

describe aws_iam_root_user do
  it { should have_virtual_mfa_enabled }
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

exist

The control will pass if the describe returns at least one result.

Use should_not to test that the entity does not exist.

describe aws_iam_root_user do
  it { should exist }
end

have_mfa_enabled

The control will pass if MFA (virtual or hardware) is enabled for the Root User.

  it { should have_mfa_enabled }

have_virtual_mfa_enabled

The control will pass if the Root User's MFA is a virtual MFA device.

  it { should have_virtual_mfa_enabled }

have_access_key

The control will pass if the Root User has an access key. Use should_not to assert that no root access key exists.

  it { should have_access_key }

have_hardware_mfa_enabled

The control will pass if the Root User's MFA is a hardware MFA device.

  it { should have_hardware_mfa_enabled }
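The matchers above are thin wrappers over two IAM API responses. The following is an added example, not code from the inspec-aws resource itself: a stand-alone Ruby model that derives each matcher's outcome from a constructed GetAccountSummary map and a constructed ListVirtualMFADevices result, so you can see exactly what each matcher asserts before running the real resource against an account. It assumes (labelled in the code) the public IAM SummaryMap keys AccountMFAEnabled and AccountAccessKeysPresent, that the root user's virtual device serial contains mfa/root-account-mfa-device, and that "hardware MFA" is derived as "MFA on, but no virtual root device"; the class name RootUserPosture and the assess helper are hypothetical.

```ruby
# Added example (not the inspec-aws resource's own code): an offline model of how the
# aws_iam_root_user matchers derive from the two IAM API calls the resource needs.
#
# Assumptions: the GetAccountSummary SummaryMap carries the integer flags
# "AccountMFAEnabled" and "AccountAccessKeysPresent" (public IAM API keys), and the
# root user's virtual MFA device has a serial number containing
# "mfa/root-account-mfa-device". Neither comes from this page.

# Constructed stand-in for iam:GetAccountSummary -> summary_map (0/1 flags).
SAMPLE_SUMMARY = {
  'AccountMFAEnabled'        => 1,
  'AccountAccessKeysPresent' => 0,
}.freeze

# Constructed stand-in for iam:ListVirtualMFADevices -> virtual_mfa_devices.
# Only the serial number matters for the root-user check; the account id is made up.
VirtualMfaDevice = Struct.new(:serial_number, :user_name)
SAMPLE_VIRTUAL_DEVICES = [
  VirtualMfaDevice.new('arn:aws:iam::111122223333:mfa/alice', 'alice'),
  VirtualMfaDevice.new('arn:aws:iam::111122223333:mfa/root-account-mfa-device', nil),
].freeze

# Hypothetical class that mirrors the resource's properties and matcher predicates.
class RootUserPosture
  attr_reader :summary_account, :virtual_devices

  def initialize(summary_account, virtual_devices)
    @summary_account = summary_account
    @virtual_devices = virtual_devices
  end

  # have_mfa_enabled: the account-level flag covers virtual and hardware MFA alike.
  def has_mfa_enabled?
    summary_account['AccountMFAEnabled'] == 1
  end

  # have_access_key: the root user holds at least one long-lived access key pair.
  def has_access_key?
    summary_account['AccountAccessKeysPresent'] == 1
  end

  # have_virtual_mfa_enabled: a virtual device registered as the root device (assumption).
  def has_virtual_mfa_enabled?
    virtual_devices.any? { |d| d.serial_number.include?('mfa/root-account-mfa-device') }
  end

  # have_hardware_mfa_enabled: MFA is on but no virtual root device exists, so the
  # second factor must be a hardware token (assumption about the derivation).
  def has_hardware_mfa_enabled?
    has_mfa_enabled? && !has_virtual_mfa_enabled?
  end

  # Findings a root-account hardening control would report, worst first.
  def findings
    out = []
    out << 'root MFA disabled' unless has_mfa_enabled?
    out << 'root access key present' if has_access_key?
    out << 'root uses virtual rather than hardware MFA' if has_virtual_mfa_enabled?
    out
  end
end

# Hypothetical helper: build the posture from the two API responses.
def assess(summary = SAMPLE_SUMMARY, devices = SAMPLE_VIRTUAL_DEVICES)
  RootUserPosture.new(summary, devices)
end

if __FILE__ == $PROGRAM_NAME
  posture = assess
  puts "mfa_enabled=#{posture.has_mfa_enabled?} access_key=#{posture.has_access_key?} " \
       "virtual_mfa=#{posture.has_virtual_mfa_enabled?} hardware_mfa=#{posture.has_hardware_mfa_enabled?}"
  puts(posture.findings.empty? ? 'no findings' : posture.findings.join('; '))
end
```

With the constructed sample the account has MFA on, no root access key, and a virtual root device, so have_mfa_enabled and have_virtual_mfa_enabled pass while have_hardware_mfa_enabled and have_access_key fail; swapping the sample for real API output changes nothing in the logic, which is the point of reading the matchers this way.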

AWS Permissions

Your Principal will need the following permission actions set to allow:

iam:GetAccountSummary (backs summary_account and the have_mfa_enabled and have_access_key matchers)
iam:ListVirtualMFADevices (backs virtual_devices and the have_virtual_mfa_enabled and have_hardware_mfa_enabled matchers)