mirror of
https://github.com/inspec/inspec
synced 2024-11-24 05:33:17 +00:00
a359399fa0
Moved 2 space examples 2 more spaces in. Don't be shy, show the world your code the way it was meant to be seen. Underscores in markdown must be escaped otherwise the world goes crooked. Signed-off-by: Franklin Webber <franklin@chef.io>
144 lines
3.7 KiB
Text
144 lines
3.7 KiB
Text
---
|
|
title: About the aws_iam_policy Resource
|
|
platform: aws
|
|
---
|
|
|
|
# aws\_iam\_policy
|
|
|
|
Use the `aws_iam_policy` InSpec audit resource to test properties of a single managed AWS IAM Policy.
|
|
|
|
A policy is an entity in AWS that, when attached to an identity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine if the request is allowed or denied.
|
|
|
|
Each IAM Policy is uniquely identified by either its policy\_name or arn.
|
|
|
|
<br>
|
|
|
|
## Syntax
|
|
|
|
An `aws_iam_policy` resource block identifies a policy by policy name.
|
|
|
|
# Find a policy by name
|
|
describe aws_iam_policy('AWSSupportAccess') do
|
|
it { should exist }
|
|
end
|
|
|
|
# Find a customer-managed by name
|
|
describe aws_iam_policy('customer-managed-policy') do
|
|
it { should exist }
|
|
end
|
|
|
|
# Hash syntax for policy name
|
|
describe aws_iam_policy(policy_name: 'AWSSupportAccess') do
|
|
it { should exist }
|
|
end
|
|
|
|
<br>
|
|
|
|
## Examples
|
|
|
|
The following examples show how to use this InSpec audit resource.
|
|
|
|
### Test that a policy does exist
|
|
|
|
describe aws_iam_policy('AWSSupportAccess') do
|
|
it { should exist }
|
|
end
|
|
|
|
### Test that a policy is attached to at least one entity
|
|
|
|
describe aws_iam_policy('AWSSupportAccess') do
|
|
it { should be_attached }
|
|
end
|
|
|
|
<br>
|
|
|
|
## Properties
|
|
|
|
* `arn`, `attachment_count`, `attached_groups`, `attached_roles`,`attached_users`, `default_version_id`
|
|
|
|
## Property Examples
|
|
|
|
### arn
|
|
|
|
"The ARN identifier of the specified policy. An ARN uniquely identifies the policy within AWS."
|
|
|
|
describe aws_iam_policy('AWSSupportAccess') do
|
|
its('arn') { should cmp "arn:aws:iam::aws:policy/AWSSupportAccess" }
|
|
end
|
|
|
|
### attachment\_count
|
|
|
|
The count of attached entities for the specified policy.
|
|
|
|
describe aws_iam_policy('AWSSupportAccess') do
|
|
its('attachment_count') { should cmp 1 }
|
|
end
|
|
|
|
### attached\_groups
|
|
|
|
The list of groupnames of the groups attached to the policy.
|
|
|
|
describe aws_iam_policy('AWSSupportAccess') do
|
|
its('attached_groups') { should include "test-group" }
|
|
end
|
|
|
|
### attached\_roles
|
|
|
|
The list of rolenames of the roles attached to the policy.
|
|
|
|
describe aws_iam_policy('AWSSupportAccess') do
|
|
its('attached_roles') { should include "test-role" }
|
|
end
|
|
|
|
### attached\_users
|
|
|
|
The list of usernames of the users attached to the policy.
|
|
|
|
describe aws_iam_policy('AWSSupportAccess') do
|
|
its('attached_users') { should include "test-user" }
|
|
end
|
|
|
|
### default\_version\_id
|
|
|
|
The 'default_version_id' value of the specified policy.
|
|
|
|
describe aws_iam_policy('AWSSupportAccess') do
|
|
its('default_version_id') { should cmp "v1" }
|
|
end
|
|
|
|
|
|
## Matchers
|
|
|
|
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
|
|
|
### be\_attached
|
|
|
|
The test will pass if the identified policy is attached to at least one IAM user, group, or role.
|
|
|
|
describe aws_iam_policy('AWSSupportAccess') do
|
|
it { should be_attached }
|
|
end
|
|
|
|
### be\_attached\_to\_group(GROUPNAME)
|
|
|
|
The test will pass if the identified policy attached the specified group.
|
|
|
|
describe aws_iam_policy('AWSSupportAccess') do
|
|
it { should be_attached_to_group(GROUPNAME) }
|
|
end
|
|
|
|
### be\_attached\_to\_user(USERNAME)
|
|
|
|
The test will pass if the identified policy attached the specified user.
|
|
|
|
describe aws_iam_policy('AWSSupportAccess') do
|
|
it { should be_attached_to_user(USERNAME) }
|
|
end
|
|
|
|
### be\_attached\_to\_role(ROLENAME)
|
|
|
|
The test will pass if the identified policy attached the specified role.
|
|
|
|
describe aws_iam_policy('AWSSupportAccess') do
|
|
it { should be_attached_to_role(ROLENAME) }
|
|
end
|