---
title: About the aws_iam_users Resource
platform: aws
---

# aws\_iam\_users

Use the `aws_iam_users` InSpec audit resource to test properties of a all or multiple users.

To test properties of a single user, use the `aws_iam_user` resource.

To test properties of the special AWS root user (which owns the account), use the `aws_iam_root_user` resource.

<br>

## Syntax

An `aws_iam_users` resource block users a filter to select a group of users and then tests that group

    describe aws_iam_users.where(has_mfa_enabled?: false) do
      it { should_not exist }
    end

<br>

## Filter Criteria

* `has_mfa_enabled`, `has_console_password`, `password_ever_used?`, `password_never_used?`, `password_last_used_days_ago`, `username`

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that all users have Multi-Factor Authentication enabled

    describe aws_iam_users.where(has_mfa_enabled?: false) do
      it { should_not exist }
    end

### Test that at least one user has a console password to log into the AWS web console

    describe aws_iam_users.where(has_console_password?: true) do
      it { should exist }
    end

### Test that all users who have a console password have Multi-Factor Authentication enabled

    console_users_without_mfa = aws_iam_users
                                .where(has_console_password?: true)
                                .where(has_mfa_enabled?: false)

    describe console_users_without_mfa do
      it { should_not exist }
    end

### Test that all users who have a console password have used it at least once

    console_users_with_unused_password = aws_iam_users
                                         .where(has_console_password?: true)
                                         .where(password_never_used?: false)

    describe console_users_with_unused_password do
      it { should_not exist }
    end

### Test that at least one user exists who has a console password and has used it at least once

    console_users_with_used_password = aws_iam_users
                                       .where(has_console_password?: true)
                                       .where(password_ever_used?: false)

    describe console_users_with_used_password do
      it { should exist }
    end


### Test that users with passwords that have not been used for 90 days do not

    describe aws_iam_users.where { password_last_used_days_ago > 90 } do
      it { should_not exist }
    end

<br>

## Matchers

This InSpec audit resource has no specific matchers. 
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).