inspec/docs/resources/aws_iam_user.md.erb

---
title: About the aws_iam_user Resource
platform: aws
---

# aws\_iam\_user

Use the `aws_iam_user` Chef InSpec audit resource to test properties of a single AWS IAM user.

To test properties of more than one user, use the `aws_iam_users` resource.

To test properties of the special AWS root user (which owns the account), use the `aws_iam_root_user` resource.

<br>

## Availability

### Installation

This resource is distributed along with Chef InSpec itself. You can use it automatically.

### Version

This resource first became available in v2.0.16 of InSpec.

## Resource Parameters

An `aws_iam_user` resource block declares a user by name, and then lists tests to be performed.

    describe aws_iam_user(username: 'test_user') do
      it { should exist }
    end

<br>

## Examples

The following examples show how to use this Chef InSpec audit resource.

### Test that a user does not exist

    describe aws_iam_user(username: 'gone') do
      it { should_not exist }
    end

### Test that a user has multi-factor authentication enabled

    describe aws_iam_user(username: 'test_user') do
      it { should have_mfa_enabled }
    end

### Test that a service user does not have a password

    describe aws_iam_user(username: 'test_user') do
      it { should have_console_password }
    end

<br>

## Properties

### attached\_policy\_arns

Returns a list of IAM Managed Policy ARNs as strings that identify the policies that are attached to the user. If there are no attached policies, returns an empty list.

    describe aws_iam_user('bob') do
      # This is a customer-managed policy
      its('attached_policy_arns') { should include 'arn:aws:iam::123456789012:policy/test-inline-policy-01' }
      # This is an AWS-managed policy
      its('attached_policy_arns') { should include 'arn:aws:iam::aws:policy/AlexaForBusinessGatewayExecution' }
    end

### attached\_policy\_names

Returns a list of IAM Managed Policy Names as strings that identify the policies that are attached to the user. If there are no attached policies, returns an empty list.

    describe aws_iam_user('bob') do
      # This is a customer-managed policy
      its('attached_policy_names') { should include 'test-inline-policy-01' }
      # This is an AWS-managed policy
      its('attached_policy_names') { should include 'AlexaForBusinessGatewayExecution' }
    end

### inline\_policy\_names

Returns a list of IAM Inline Policy Names as strings that identify the inline policies that are directly embedded in the user. If there are no embedded policies, returns an empty list.

    describe aws_iam_user('bob') do
      its('inline_policy_names') { should include 'test-inline-policy-01' }
      its('inline_policy_names.count') { should eq 1 }
    end


## Matchers

This Chef InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [universal matchers page](https://www.inspec.io/docs/reference/matchers/).

### have\_attached\_policies

The `have\_attached\_policies` matcher tests if the user has at least one IAM managed policy attached to the user.

    describe aws_iam_user('bob') do
      it { should_not have_attached_policies }
    end

### have\_console\_password

The `have_console_password` matcher tests if the user has a password that could be used to log into the AWS web console.

    it { should have_console_password }

### have\_inline\_policies

The `have\_inline\_policies` matcher tests if the user has at least one IAM policy embedded directly in the user record.

    describe aws_iam_user('bob') do
      it { should_not have_inline_policies }
    end

### have\_mfa\_enabled

The `have_mfa_enabled` matcher tests if the user has Multi-Factor Authentication enabled, requiring them to enter a secondary code when they login to the web console.

    it { should have_mfa_enabled }

## AWS Permissions

Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetUser`, `iam:GetLoginProfile`, `iam:ListMFADevices`, `iam:ListAccessKeys`, `iam:ListUserPolicies`, and `iam:ListAttachedUserPolicies` actions set to allow.

You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).