---
title: About the aws_iam_access_key Resource
platform: aws
---

# aws\_iam\_access\_key

Use the `aws_iam_access_key` InSpec audit resource to test properties of a single AWS IAM access key.
<br>
## Syntax
An `aws_iam_access_key` resource block declares the tests for a single AWS IAM access key. An access key is uniquely identified by its access key id.

```ruby
# This is unique - the key will either exist or it won't, but it will never be an error.
describe aws_iam_access_key(access_key_id: 'AKIA12345678ABCD') do
  it { should exist }
  it { should_not be_active }
  its('create_date') { should be > Time.now - 365 * 86400 }
  its('last_used_date') { should be > Time.now - 90 * 86400 }
end

# id is an alias for access_key_id
describe aws_iam_access_key(id: 'AKIA12345678ABCD') do
  # Same
end
```

Access keys are associated with IAM users, who may have zero, one or two access keys. You may also look up an access key by username. If the user has more than one access key, an error occurs. (You may use `aws_iam_access_keys` with the `username` resource parameter to access a user's keys when they have multiple keys.)

```ruby
# This is not unique. If the user has zero or one keys, it is not an error.
# If they have two, it is an error.
describe aws_iam_access_key(username: 'roderick') do
  it { should exist }
  it { should be_active }
end
```

You may also use both username and access key id to ensure that a particular key is associated with a particular user.

```ruby
describe aws_iam_access_key(username: 'roderick', access_key_id: 'AKIA12345678ABCD') do
  it { should exist }
end
```

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that an IAM access key is not active

```ruby
describe aws_iam_access_key(username: 'username', id: 'access-key-id') do
  it { should_not be_active }
end
```

### Test that an IAM access key is older than one year

```ruby
describe aws_iam_access_key(username: 'username', id: 'access-key-id') do
  # create_date is earlier than one year ago
  its('create_date') { should be < Time.now - 365 * 86400 }
end
```

### Test that an IAM access key has been used in the past 90 days

```ruby
describe aws_iam_access_key(username: 'username', id: 'access-key-id') do
  its('last_used_date') { should be > Time.now - 90 * 86400 }
end
```

<br>

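The lookup rules from the Syntax section (a key is unique by id; a username lookup fails when the user holds two keys; id plus username must match the same record) and the date checks from the Examples above can be exercised offline. The following plain-Ruby model is an added example, not InSpec's own code or the resource implementation: `SAMPLE_KEYS`, `find_access_key`, `key_findings` and the record fields are constructed here to mirror the resource's semantics, and the sample records are invented.

```ruby
# Added example (not InSpec's resource code): a plain-Ruby model of the
# aws_iam_access_key lookup semantics and of the key-hygiene checks that
# the describe blocks on this page express, run against constructed data.

# Constructed sample data; field names mirror the resource's properties
# (access_key_id, username, create_date, last_used_date) plus a status.
NOW = Time.utc(2018, 6, 1)
SAMPLE_KEYS = [
  { access_key_id: 'AKIA12345678ABCD', username: 'roderick', status: 'Active',
    create_date: NOW - 30 * 86400, last_used_date: NOW - 2 * 86400 },
  { access_key_id: 'AKIA00000000BOB1', username: 'bob', status: 'Active',
    create_date: NOW - 400 * 86400, last_used_date: NOW - 120 * 86400 },
  { access_key_id: 'AKIA00000000BOB2', username: 'bob', status: 'Inactive',
    create_date: NOW - 10 * 86400, last_used_date: nil },
].freeze

# Raised when a username lookup matches more than one key, which is the
# case the page tells you to handle with aws_iam_access_keys instead.
class AmbiguousKeyError < StandardError; end

# Lookup with the resource's rules: by id (unique, nil if absent), by
# username (nil for zero keys, error for two), or both (must match both).
def find_access_key(keys, access_key_id: nil, username: nil)
  raise ArgumentError, 'need access_key_id or username' if access_key_id.nil? && username.nil?

  matches = keys.select do |k|
    (access_key_id.nil? || k[:access_key_id] == access_key_id) &&
      (username.nil? || k[:username] == username)
  end
  if matches.size > 1
    raise AmbiguousKeyError, "user #{username} has #{matches.size} keys; use aws_iam_access_keys"
  end
  matches.first # nil means "does not exist"
end

# Predicates matching be_active and the two date comparisons on the page.
def active?(key)
  key[:status] == 'Active'
end

def younger_than?(key, days, now: NOW)
  key[:create_date] > now - days * 86400
end

def used_within?(key, days, now: NOW)
  !key[:last_used_date].nil? && key[:last_used_date] > now - days * 86400
end

# Evaluate one key the way a rotation/hygiene control would: rotate keys
# older than a year, and flag active keys unused for 90 days (a never-used
# key counts as unused). Returns the list of findings, empty when clean.
def key_findings(key, now: NOW)
  findings = []
  findings << 'rotate: older than 365 days' unless younger_than?(key, 365, now: now)
  if active?(key) && !used_within?(key, 90, now: now)
    findings << 'deactivate: active but unused for 90 days'
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_KEYS.each do |k|
    f = key_findings(k)
    puts "#{k[:username]}/#{k[:access_key_id]}: #{f.empty? ? 'ok' : f.join('; ')}"
  end
end
```

Against the constructed data, `roderick`'s key is clean, `bob`'s first key needs both rotation and deactivation, and looking `bob` up by username alone raises `AmbiguousKeyError`, which is the situation the page routes to `aws_iam_access_keys`.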
## Properties

* `access_key_id`, `create_date`, `last_used_date`, `username`

<br>

## Property Examples

### access\_key\_id

The unique ID of this access key.

```ruby
describe aws_iam_access_key(username: 'bob') do
  its('access_key_id') { should cmp 'AKIA12345678ABCD' }
end
```

### create\_date

The date and time, as a Ruby DateTime, at which the access key was created.

```ruby
# Is the access key less than a year old?
describe aws_iam_access_key(username: 'bob') do
  its('create_date') { should be > Time.now - 365 * 86400 }
end
```

### last\_used\_date

The date and time, as a Ruby DateTime, at which the access key was last used.

```ruby
# Has the access key been used in the last year?
describe aws_iam_access_key(username: 'bob') do
  its('last_used_date') { should be > Time.now - 365 * 86400 }
end
```

### username

The IAM user that owns this key.

```ruby
describe aws_iam_access_key(access_key_id: 'AKIA12345678ABCD') do
  its('username') { should cmp 'bob' }
end
```

<br>

## Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

### be\_active

The `be_active` matcher tests if the described IAM access key is active.

```ruby
it { should be_active }
```

## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:ListAccessKeys` action with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).