Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
4.9 KiB
title |
---|
About the aws_iam_access_keys Resource |
aws_iam_access_keys
Use the aws_iam_access_keys
InSpec audit resource to test properties of some or all IAM Access Keys.
To test properties of a single Access Key, use the aws_iam_access_key
resource instead.
To test properties of an individual user's access keys, use the aws_iam_user
resource.
Access Keys are closely related to AWS User resources. Use this resource to perform audits of all keys or of keys specified by criteria unrelated to any particular user.
Syntax
An aws_iam_access_keys
resource block uses an optional filter to select a group of access keys and then tests that group.
# Do not allow any access keys
describe aws_iam_access_keys do
it { should_not exist }
end
# Don't let fred have access keys, using filter argument syntax
describe aws_iam_access_keys.where(username: 'fred') do
it { should_not exist }
end
# Don't let fred have access keys, using filter block syntax (most flexible)
describe aws_iam_access_keys.where { username == 'fred' } do
it { should_not exist }
end
Examples
The following examples show how to use this InSpec audit resource.
Disallow access keys created more than 90 days ago
describe aws_iam_access_keys.where { created_age > 90 } do
it { should_not exist }
end
Matchers
exists
The control will pass if the filter returns at least one result. Use should_not if you expect zero matches.
# Sally should have at least one access key
describe aws_iam_access_keys.where(username: 'sally') do
it { should exist }
end
# Don't let fred have access keys
describe aws_iam_access_keys.where(username: 'fred') do
it { should_not exist }
end
Filter Criteria
active
A true / false value indicating if an Access Key is currently "Active" (the normal state) in the AWS console. See also: inactive
.
# Check whether a particular key is enabled
describe aws_iam_access_keys.where { active } do
its('access_key_ids') { should include('AKIA1234567890ABCDEF')}
end
created_date
A DateTime identifying when the Access Key was created. See also created_days_ago
and created_hours_ago
.
# Detect keys older than 2017
describe aws_iam_access_keys.where { created_date < DateTime.parse('2017-01-01') } do
it { should_not exist }
end
created_days_ago, created_hours_ago
An integer, representing how old the access key is.
# Don't allow keys that are older than 90 days
describe aws_iam_access_keys.where { created_days_ago > 90 } do
it { should_not exist }
end
ever_used
A true / false value indicating if the Access Key has ever been used, based on the last_used_date. See also: never_used
.
# Check to see if a particular key has ever been used
describe aws_iam_access_keys.where { ever_used } do
its('access_key_ids') { should include('AKIA1234567890ABCDEF')}
end
inactive
A true / false value indicating if the Access Key has been marked Inactive in the AWS console. See also: active
.
# Don't leave inactive keys laying around
describe aws_iam_access_keys.where { inactive } do
it { should_not exist }
end
last_used_date
A DateTime identifying when the Access Key was last used. Returns nil if the key has never been used. See also: ever_used
, last_used_days_ago
, last_used_hours_ago
, and never_used
.
# No one should do anything on Mondays
describe aws_iam_access_keys.where { ever_used and last_used_date.monday? } do
it { should_not exist }
end
last_used_days_ago, last_used_hours_ago
An integer representing when the key was last used. See also: ever_used
, last_used_date
, and never_used
.
# Don't allow keys that sit unused for more than 90 days
describe aws_iam_access_keys.where { last_used_days_ago > 90 } do
it { should_not exist }
end
never_used
A true / false value indicating if the Access Key has never been used, based on the last_used_date. See also: ever_used
.
# Don't allow unused keys to lay around
describe aws_iam_access_keys.where { never_used } do
it { should_not exist }
end
username
Searches for access keys owned by the named user. Each user may have zero, one, or two access keys.
describe aws_iam_access_keys(username: 'bob') do
it { should exist }
end
Properties
access_key_ids
Provides a list of all access key IDs matched.
describe aws_iam_access_keys do
its('access_key_ids') { should include('AKIA1234567890ABCDEF') }
end
entries
Provides access to the raw results of the query. This can be useful for checking counts and other advanced operations.
# Allow at most 100 access keys on the account
describe aws_iam_access_keys do
its('entries.count') { should be <= 100}
end