mirror of
https://github.com/inspec/inspec
synced 2025-02-17 14:38:43 +00:00
27203110cd
* Add AWS hardware MFA matcher Adding a hardware as well as a virtual MFA matcher for aws_iam_root_user resource * Add New AWS Root Matcher Docs - Add documentation for new root MFA matchers - Fix logic for checking MFA devices from feedback on PR * Add Integration tests for MFA matchers - Add integration tests for virtual and hardware MFA matchers - Clean up logic for has_virtual_mfa_enabled? method Signed-off-by: Paul Welch <pwelch@chef.io>
70 lines
2 KiB
Text
70 lines
2 KiB
Text
---
|
|
title: About the aws_iam_root_user Resource
|
|
platform: aws
|
|
---
|
|
|
|
# aws\_iam\_root\_user
|
|
|
|
Use the `aws_iam_root_user` InSpec audit resource to test properties of the root user (owner of the account).
|
|
|
|
To test properties of all or multiple users, use the `aws_iam_users` resource.
|
|
|
|
To test properties of a specific AWS user use the `aws_iam_user` resource.
|
|
|
|
<br>
|
|
|
|
## Syntax
|
|
|
|
An `aws_iam_root_user` resource block requires no parameters but has several matchers
|
|
|
|
describe aws_iam_root_user do
|
|
its { should have_mfa_enabled }
|
|
end
|
|
|
|
<br>
|
|
|
|
## Examples
|
|
|
|
The following examples show how to use this InSpec audit resource.
|
|
|
|
### Test that the AWS root account has at-least one access key
|
|
|
|
describe aws_iam_root_user do
|
|
it { should have_access_key }
|
|
end
|
|
|
|
### Test that the AWS root account has Multi-Factor Authentication enabled
|
|
|
|
describe aws_iam_root_user do
|
|
it { should have_mfa_enabled }
|
|
end
|
|
|
|
<br>
|
|
|
|
## Matchers
|
|
|
|
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
|
|
|
### have\_mfa\_enabled
|
|
|
|
The `have_mfa_enabled` matcher tests if the AWS root user has Multi-Factor Authentication enabled, requiring them to enter a secondary code when they login to the web console.
|
|
|
|
it { should have_mfa_enabled }
|
|
|
|
### have\_hardware\_mfa\_enabled
|
|
|
|
The `have_hardware_mfa_enabled` matcher tests if the AWS root user has Hardware Multi-Factor Authentication device enabled, requiring them to enter a secondary code when they login to the web console.
|
|
|
|
it { should have_hardware_mfa_enabled }
|
|
|
|
### have\_virtual\_mfa\_enabled
|
|
|
|
The `have_virtual_mfa_enabled` matcher tests if the AWS root user has Virtual Multi-Factor Authentication device enabled, requiring them to enter a secondary code when they login to the web console.
|
|
|
|
it { should have_virtual_mfa_enabled }
|
|
|
|
### have\_access\_key
|
|
|
|
The `have_access_key` matcher tests if the AWS root user has at least one access key.
|
|
|
|
it { should have_access_key }
|