inspec/docs/resources/aws_iam_root_user.md

---
title: About the aws_iam_root_user Resource
---

# aws_iam_root_user

Use the `aws_iam_root_user` InSpec audit resource to test properties of the root user (owner of the account).

To test properties of all or multiple users, use the `aws_iam_users` resource.

To test properties of a specific AWS user use the `aws_iam_user` resource.

<br>

## Syntax

An `aws_iam_root_user` resource block requires no parameters but has several matchers

    describe aws_iam_root_user do
      its { should have_mfa_enabled }
    end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that the AWS root account has at-least one access key

    describe aws_iam_root_user do
      it { should have_access_key }
    end

### Test that the AWS root account has Multi-Factor Authentication enabled

    describe aws_iam_root_user do
      it { should have_mfa_enabled }
    end

<br>

## Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers (such as `exist`) please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

### have_mfa_enabled

The `have_mfa_enabled` matcher tests if the AWS root user has Multi-Factor Authentication enabled, requiring them to enter a secondary code when they login to the web console.

    it { should have_mfa_enabled }

### have_access_key

The `have_access_key` matcher tests if the AWS root user has at least one access key.

    it { should have_access_key }
Documentation for existing resources * Update docs in source to use matcher-style calls, not properties-as-predicates Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Main doc file for aws_iam_user Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Add documentation for existing resources This adds documentation for the following resources, including custom matchers: - aws_ec2_instance - aws_iam_access_key - aws_iam_password_policy - aws_iam_root_user - aws_iam_users Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Fix `aws_iam_users` example (Console + No MFA) (#104) Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Correct copypasta Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Remove misleading singular matcher information from the plural docs for aws_iam_users Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Correct `aws-iam-userss` typo (#105) Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add EC2 instance state info Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * test commit Signed-off-by: kgarmoe <kgarmoe@chef.io> * copy edits Signed-off-by: kgarmoe <kgarmoe@chef.io> * Yikes, forgot to save after correcting a merge conflict Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> 2017-10-27 20:31:36 +00:00			`---`
			`title: About the aws_iam_root_user Resource`
			`---`

			`# aws_iam_root_user`

			Use the `aws_iam_root_user` InSpec audit resource to test properties of the root user (owner of the account).

			To test properties of all or multiple users, use the `aws_iam_users` resource.

			To test properties of a specific AWS user use the `aws_iam_user` resource.

			`<br>`

			`## Syntax`

			An `aws_iam_root_user` resource block requires no parameters but has several matchers

			`describe aws_iam_root_user do`
			`its { should have_mfa_enabled }`
			`end`

			`<br>`

			`## Examples`

			`The following examples show how to use this InSpec audit resource.`

Correct access_key detection on aws_iam_root_user (#198) Signed-off-by: Rony Xavier <rx294@nyu.edu> 2018-01-23 16:01:51 +00:00			`### Test that the AWS root account has at-least one access key`
Documentation for existing resources * Update docs in source to use matcher-style calls, not properties-as-predicates Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Main doc file for aws_iam_user Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Add documentation for existing resources This adds documentation for the following resources, including custom matchers: - aws_ec2_instance - aws_iam_access_key - aws_iam_password_policy - aws_iam_root_user - aws_iam_users Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Fix `aws_iam_users` example (Console + No MFA) (#104) Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Correct copypasta Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Remove misleading singular matcher information from the plural docs for aws_iam_users Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Correct `aws-iam-userss` typo (#105) Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add EC2 instance state info Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * test commit Signed-off-by: kgarmoe <kgarmoe@chef.io> * copy edits Signed-off-by: kgarmoe <kgarmoe@chef.io> * Yikes, forgot to save after correcting a merge conflict Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> 2017-10-27 20:31:36 +00:00
			`describe aws_iam_root_user do`
Correct access_key detection on aws_iam_root_user (#198) Signed-off-by: Rony Xavier <rx294@nyu.edu> 2018-01-23 16:01:51 +00:00			`it { should have_access_key }`
Documentation for existing resources * Update docs in source to use matcher-style calls, not properties-as-predicates Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Main doc file for aws_iam_user Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Add documentation for existing resources This adds documentation for the following resources, including custom matchers: - aws_ec2_instance - aws_iam_access_key - aws_iam_password_policy - aws_iam_root_user - aws_iam_users Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Fix `aws_iam_users` example (Console + No MFA) (#104) Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Correct copypasta Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Remove misleading singular matcher information from the plural docs for aws_iam_users Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Correct `aws-iam-userss` typo (#105) Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add EC2 instance state info Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * test commit Signed-off-by: kgarmoe <kgarmoe@chef.io> * copy edits Signed-off-by: kgarmoe <kgarmoe@chef.io> * Yikes, forgot to save after correcting a merge conflict Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> 2017-10-27 20:31:36 +00:00			`end`

			`### Test that the AWS root account has Multi-Factor Authentication enabled`

			`describe aws_iam_root_user do`
			`it { should have_mfa_enabled }`
			`end`

			`<br>`

			`## Matchers`

			This InSpec audit resource has the following special matchers. For a full list of available matchers (such as `exist`) please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

			`### have_mfa_enabled`

			The `have_mfa_enabled` matcher tests if the AWS root user has Multi-Factor Authentication enabled, requiring them to enter a secondary code when they login to the web console.

			`it { should have_mfa_enabled }`
Correct access_key detection on aws_iam_root_user (#198) Signed-off-by: Rony Xavier <rx294@nyu.edu> 2018-01-23 16:01:51 +00:00
			`### have_access_key`

			The `have_access_key` matcher tests if the AWS root user has at least one access key.

			`it { should have_access_key }`