Mirrors/inspec
2
0
Fork 0
mirror of https://github.com/inspec/inspec synced 2024-11-14 00:47:10 +00:00
Code Issues Projects Releases Packages Wiki Activity
inspec/docs/resources/aws_iam_user.md.erb
Clinton Wolfe 2de06bdeb5 Clean injection of Availability section (#3206) 
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
2018-08-09 08:34:49 -04:00

130 lines
4.3 KiB
Text
Raw Blame History

---
title: About the aws_iam_user Resource
platform: aws
---
# aws\_iam\_user
Use the `aws_iam_user` InSpec audit resource to test properties of a single AWS IAM user.
To test properties of more than one user, use the `aws_iam_users` resource.
To test properties of the special AWS root user (which owns the account), use the `aws_iam_root_user` resource.
<br>
## Availability
### Installation
This resource is distributed along with InSpec itself. You can use it automatically.
### Version
This resource first became available in v2.0.16 of InSpec.
## Resource Parameters
An `aws_iam_user` resource block declares a user by name, and then lists tests to be performed.
describe aws_iam_user(username: 'test_user') do
it { should exist }
end
<br>
## Examples
The following examples show how to use this InSpec audit resource.
### Test that a user does not exist
describe aws_iam_user(username: 'gone') do
it { should_not exist }
end
### Test that a user has multi-factor authentication enabled
describe aws_iam_user(username: 'test_user') do
it { should have_mfa_enabled }
end
### Test that a service user does not have a password
describe aws_iam_user(username: 'test_user') do
it { should have_console_password }
end
<br>
## Properties
### attached\_policy\_arns
Returns a list of IAM Managed Policy ARNs as strings that identify the policies that are attached to the user. If there are no attached policies, returns an empty list.
describe aws_iam_user('bob') do
# This is a customer-managed policy
its('attached_policy_arns') { should include 'arn:aws:iam::123456789012:policy/test-inline-policy-01' }
# This is an AWS-managed policy
its('attached_policy_arns') { should include 'arn:aws:iam::aws:policy/AlexaForBusinessGatewayExecution' }
end
### attached\_policy\_names
Returns a list of IAM Managed Policy Names as strings that identify the policies that are attached to the user. If there are no attached policies, returns an empty list.
describe aws_iam_user('bob') do
# This is a customer-managed policy
its('attached_policy_names') { should include 'test-inline-policy-01' }
# This is an AWS-managed policy
its('attached_policy_names') { should include 'AlexaForBusinessGatewayExecution' }
end
### inline\_policy\_names
Returns a list of IAM Inline Policy Names as strings that identify the inline policies that are directly embedded in the user. If there are no embedded policies, returns an empty list.
describe aws_iam_user('bob') do
its('inline_policy_names') { should include 'test-inline-policy-01' }
its('inline_policy_names.count') { should eq 1 }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [universal matchers page](https://www.inspec.io/docs/reference/matchers/).
### have\_attached\_policies
The `have\_attached\_policies` matcher tests if the user has at least one IAM managed policy attached to the user.
describe aws_iam_user('bob') do
it { should_not have_attached_policies }
end
### have\_console\_password
The `have_console_password` matcher tests if the user has a password that could be used to log into the AWS web console.
it { should have_console_password }
### have\_inline\_policies
The `have\_inline\_policies` matcher tests if the user has at least one IAM policy embedded directly in the user record.
describe aws_iam_user('bob') do
it { should_not have_inline_policies }
end
### have\_mfa\_enabled
The `have_mfa_enabled` matcher tests if the user has Multi-Factor Authentication enabled, requiring them to enter a secondary code when they login to the web console.
it { should have_mfa_enabled }
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetUser`, `iam:GetLoginProfile`, `iam:ListMFADevices`, `iam:ListAccessKeys`, `iam:ListUserPolicies`, and `iam:ListAttachedUserPolicies` actions set to allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
Reference in a new issue View git blame Copy permalink