aws_iam_user

Use the aws_iam_user InSpec audit resource to test properties of a single AWS IAM User.

Syntax

An aws_iam_user resource block declares the tests for a single AWS IAM User by user name.

describe aws_iam_user(user_name: 'psmith') do
  it { should exist }
end

Parameters

user_name (required)

This resource accepts a single parameter, the user name, which uniquely identifies the user within the AWS account. It can be passed either as a bare string (aws_iam_user('psmith')) or as a user_name: 'value' key-value entry in a hash.

See also the AWS documentation on IAM Users.

Properties

Property                Description
username                The user's username.
user_id                 The user's ID.
user_arn                The Amazon Resource Name (ARN) of the user.
access_keys             An array of hashes, each containing metadata about one of the user's access keys.
inline_policy_names     The names of the inline policies embedded in the user.
attached_policy_names   The names of the standalone (managed) IAM policies attached to the user.
attached_policy_arns    The ARNs of the standalone (managed) IAM policies attached to the user.
has_mfa_enabled         Boolean: true if at least one MFA device is assigned to the user.
has_console_password    Boolean: true if the user has a console password (login profile).

Examples

The following examples show how to use this InSpec audit resource.

Test that an IAM user does not exist

describe aws_iam_user(user_name: 'invalid-user') do
  it { should_not exist }
end

Test that an IAM user has MFA enabled

describe aws_iam_user('psmith') do
  it { should exist }
  it { should have_mfa_enabled }
end

Ensure a user has no access keys or inline policies

describe aws_iam_user('psmith') do
  it                         { should exist }
  its('access_keys')         { should be_empty }
  its('inline_policy_names') { should be_empty }
end
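The properties above are the raw material for the credential-hygiene checks a control usually needs beyond "exists" and "has no keys": console users without MFA, inline policies, access keys past a rotation deadline, and inactive keys that were never deleted. The following Ruby is an added example, not code from the InSpec documentation or the inspec-aws project. It assumes each element of access_keys is a hash with the fields AWS returns from ListAccessKeys (:access_key_id, :status, :create_date); the user record, the 90-day rotation limit and the sample data are constructed for illustration. In a profile the same logic would run over aws_iam_user('psmith').access_keys and the has_mfa_enabled / has_console_password properties.

```ruby
# Added example (not part of the InSpec docs or the inspec-aws resource): the
# checks a control would run on the values this resource exposes. The record
# shape below is an assumption modelled on the resource's properties; the
# access key hashes use the field names AWS returns from iam:ListAccessKeys.
MAX_KEY_AGE_DAYS = 90  # rotation limit chosen for the example

# Access keys created more than max_age_days before `now`, whether or not active.
def stale_access_keys(access_keys, now: Time.now, max_age_days: MAX_KEY_AGE_DAYS)
  access_keys.select do |key|
    age_days = (now - key[:create_date]) / 86_400
    age_days > max_age_days
  end
end

# Keys that are not Active; they still exist and can be re-enabled, so delete them.
def inactive_access_keys(access_keys)
  access_keys.reject { |key| key[:status] == 'Active' }
end

# One user record -> array of finding strings. An empty array means the user passes.
def iam_user_findings(user, now: Time.now)
  findings = []
  # A console password without MFA is the classic IAM finding; a user with only
  # access keys has nothing for MFA to protect at the console, so it is skipped.
  if user[:has_console_password] && !user[:has_mfa_enabled]
    findings << 'console password set without MFA'
  end
  unless user[:inline_policy_names].empty?
    findings << "inline policies: #{user[:inline_policy_names].join(', ')}"
  end
  stale_access_keys(user[:access_keys], now: now).each do |key|
    findings << "access key #{key[:access_key_id]} older than #{MAX_KEY_AGE_DAYS} days"
  end
  inactive_access_keys(user[:access_keys]).each do |key|
    findings << "inactive access key #{key[:access_key_id]} should be deleted"
  end
  findings
end

# Constructed sample record in the assumed shape; not real AWS data.
NOW = Time.utc(2024, 6, 1)
SAMPLE_USER = {
  username: 'psmith',
  has_console_password: true,
  has_mfa_enabled: false,
  inline_policy_names: ['s3-admin-inline'],
  access_keys: [
    { access_key_id: 'AKIAEXAMPLE000000001', status: 'Active',   create_date: Time.utc(2024, 5, 1) },
    { access_key_id: 'AKIAEXAMPLE000000002', status: 'Active',   create_date: Time.utc(2023, 11, 1) },
    { access_key_id: 'AKIAEXAMPLE000000003', status: 'Inactive', create_date: Time.utc(2024, 4, 1) },
  ],
}

if __FILE__ == $PROGRAM_NAME
  iam_user_findings(SAMPLE_USER, now: NOW).each { |f| puts "#{SAMPLE_USER[:username]}: #{f}" }
end
```

For the sample record this reports four findings: the console password without MFA, the inline policy, the 213-day-old key AKIAEXAMPLE000000002, and the inactive key AKIAEXAMPLE000000003. Inside a profile, each finding maps onto one expectation (for example its('inline_policy_names') { should be_empty }) so that the control output names the offending key or policy rather than a bare failure.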

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

exist

The test passes if a user with the given user name exists in the account (a NoSuchEntity response from iam:GetUser is treated as "does not exist").

Use should_not to test that the user does not exist.

it { should exist }

has_mfa_enabled

Passes if at least one MFA device is assigned to the user (backed by iam:ListMFADevices). The resource defines the predicate as has_mfa_enabled; following the RSpec convention, it is written as have_mfa_enabled inside an it block. Combine it with have_console_password to flag console users that lack MFA, since MFA on a user with only access keys protects nothing at the console.

it { should have_mfa_enabled }

has_console_password

Passes if the user has a console password, i.e. a login profile (backed by iam:GetLoginProfile). A user that has only access keys and no console login returns false. Written as have_console_password inside an it block.

it { should have_console_password }

AWS Permissions

Your principal will need the following actions allowed:

  • iam:GetUser
  • iam:GetLoginProfile
  • iam:ListMFADevices
  • iam:ListAccessKeys
  • iam:ListUserPolicies
  • iam:ListAttachedUserPolicies

All six are read-only; grant them in a policy scoped to the user ARNs being audited rather than granting broader IAM read access. iam:GetLoginProfile returns NoSuchEntity for a user with no console password, which is the expected result for has_console_password being false, not a permissions problem.