inspec/docs/resources/aws_iam_root_user.md.erb

---
title: About the aws_iam_root_user Resource
platform: aws
---

# aws\_iam\_root\_user

Use the `aws_iam_root_user` InSpec audit resource to test properties of the root user (owner of the account).

To test properties of all or multiple users, use the `aws_iam_users` resource.

To test properties of a specific AWS user use the `aws_iam_user` resource.

<br>

## Availability

### Installation

This resource is distributed along with InSpec itself. You can use it automatically.

### Version

This resource first became available in v2.0.16 of InSpec.

## Syntax

An `aws_iam_root_user` resource block requires no parameters but has several matchers.

    describe aws_iam_root_user do
      it { should have_mfa_enabled }
    end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that the AWS root account has at-least one access key

    describe aws_iam_root_user do
      it { should have_access_key }
    end

### Test that the AWS root account has Multi-Factor Authentication enabled

    describe aws_iam_root_user do
      it { should have_mfa_enabled }
    end

<br>

## Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

### have\_mfa\_enabled

The `have_mfa_enabled` matcher tests if the AWS root user has Multi-Factor Authentication enabled, requiring them to enter a secondary code when they login to the web console.

    it { should have_mfa_enabled }

### have\_hardware\_mfa\_enabled

The `have_hardware_mfa_enabled` matcher tests if the AWS root user has Hardware Multi-Factor Authentication device enabled, requiring them to enter a secondary code when they login to the web console.

    it { should have_hardware_mfa_enabled }

### have\_virtual\_mfa\_enabled

The `have_virtual_mfa_enabled` matcher tests if the AWS root user has Virtual Multi-Factor Authentication device enabled, requiring them to enter a secondary code when they login to the web console.

    it { should have_virtual_mfa_enabled }

### have\_access\_key

The `have_access_key` matcher tests if the AWS root user has at least one access key.

    it { should have_access_key }

## AWS Permissions

Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetAccountSummary` action with Effect set to Allow.

You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).