aws_sts_caller_identity

Use the aws_sts_caller_identity InSpec audit resource to test properties of AWS IAM identity whose credentials are used in the current InSpec scan.

Syntax

An aws_sts_caller_identity resource block may be used to perform tests on details of the AWS credentials being used in the current Inspec scan. You can also test if the credentials belong to a GovCloud account or not.

describe aws_sts_caller_identity do
  it { should exist }
end

Parameters

name (required)

This resource does not expect any parameters.

Properties

Property Description
arn The ARN of the IAM Identity

Examples

Check that the credentials used to run the scan is correct
    describe aws_sts_caller_identity do
      its("arn") { should match "arn:aws:iam::.*:user/service-account-inspec" }
    end
Test if the account belongs to GovCloud
    describe aws_sts_caller_identity do
      it { should be_govcloud }
    end
Skip a test if we are using GovCloud
    if aws_sts_caller_identity.govcloud?
      describe 'Skipping Root User MFA check as we are on GovCloud' do
        skip
      end
    else
      describe aws_iam_root_user do
        it { should have_mfa_enabled }  
      end
    end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

be_govcloud

The be_govcloud matcher tests if the account is a ‘GovCloud’ AWS Account.

describe aws_sts_caller_identity do
    it { should_not be_govcloud }
end