mirror of
https://github.com/inspec/inspec
synced 2024-11-23 21:23:29 +00:00
2de06bdeb5
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
130 lines
4.3 KiB
Text
130 lines
4.3 KiB
Text
---
|
|
title: About the aws_iam_user Resource
|
|
platform: aws
|
|
---
|
|
|
|
# aws\_iam\_user
|
|
|
|
Use the `aws_iam_user` InSpec audit resource to test properties of a single AWS IAM user.
|
|
|
|
To test properties of more than one user, use the `aws_iam_users` resource.
|
|
|
|
To test properties of the special AWS root user (which owns the account), use the `aws_iam_root_user` resource.
|
|
|
|
<br>
|
|
|
|
## Availability
|
|
|
|
### Installation
|
|
|
|
This resource is distributed along with InSpec itself. You can use it automatically.
|
|
|
|
### Version
|
|
|
|
This resource first became available in v2.0.16 of InSpec.
|
|
|
|
## Resource Parameters
|
|
|
|
An `aws_iam_user` resource block declares a user by name, and then lists tests to be performed.
|
|
|
|
describe aws_iam_user(username: 'test_user') do
|
|
it { should exist }
|
|
end
|
|
|
|
<br>
|
|
|
|
## Examples
|
|
|
|
The following examples show how to use this InSpec audit resource.
|
|
|
|
### Test that a user does not exist
|
|
|
|
describe aws_iam_user(username: 'gone') do
|
|
it { should_not exist }
|
|
end
|
|
|
|
### Test that a user has multi-factor authentication enabled
|
|
|
|
describe aws_iam_user(username: 'test_user') do
|
|
it { should have_mfa_enabled }
|
|
end
|
|
|
|
### Test that a service user does not have a password
|
|
|
|
describe aws_iam_user(username: 'test_user') do
|
|
it { should have_console_password }
|
|
end
|
|
|
|
<br>
|
|
|
|
## Properties
|
|
|
|
### attached\_policy\_arns
|
|
|
|
Returns a list of IAM Managed Policy ARNs as strings that identify the policies that are attached to the user. If there are no attached policies, returns an empty list.
|
|
|
|
describe aws_iam_user('bob') do
|
|
# This is a customer-managed policy
|
|
its('attached_policy_arns') { should include 'arn:aws:iam::123456789012:policy/test-inline-policy-01' }
|
|
# This is an AWS-managed policy
|
|
its('attached_policy_arns') { should include 'arn:aws:iam::aws:policy/AlexaForBusinessGatewayExecution' }
|
|
end
|
|
|
|
### attached\_policy\_names
|
|
|
|
Returns a list of IAM Managed Policy Names as strings that identify the policies that are attached to the user. If there are no attached policies, returns an empty list.
|
|
|
|
describe aws_iam_user('bob') do
|
|
# This is a customer-managed policy
|
|
its('attached_policy_names') { should include 'test-inline-policy-01' }
|
|
# This is an AWS-managed policy
|
|
its('attached_policy_names') { should include 'AlexaForBusinessGatewayExecution' }
|
|
end
|
|
|
|
### inline\_policy\_names
|
|
|
|
Returns a list of IAM Inline Policy Names as strings that identify the inline policies that are directly embedded in the user. If there are no embedded policies, returns an empty list.
|
|
|
|
describe aws_iam_user('bob') do
|
|
its('inline_policy_names') { should include 'test-inline-policy-01' }
|
|
its('inline_policy_names.count') { should eq 1 }
|
|
end
|
|
|
|
|
|
## Matchers
|
|
|
|
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [universal matchers page](https://www.inspec.io/docs/reference/matchers/).
|
|
|
|
### have\_attached\_policies
|
|
|
|
The `have\_attached\_policies` matcher tests if the user has at least one IAM managed policy attached to the user.
|
|
|
|
describe aws_iam_user('bob') do
|
|
it { should_not have_attached_policies }
|
|
end
|
|
|
|
### have\_console\_password
|
|
|
|
The `have_console_password` matcher tests if the user has a password that could be used to log into the AWS web console.
|
|
|
|
it { should have_console_password }
|
|
|
|
### have\_inline\_policies
|
|
|
|
The `have\_inline\_policies` matcher tests if the user has at least one IAM policy embedded directly in the user record.
|
|
|
|
describe aws_iam_user('bob') do
|
|
it { should_not have_inline_policies }
|
|
end
|
|
|
|
### have\_mfa\_enabled
|
|
|
|
The `have_mfa_enabled` matcher tests if the user has Multi-Factor Authentication enabled, requiring them to enter a secondary code when they login to the web console.
|
|
|
|
it { should have_mfa_enabled }
|
|
|
|
## AWS Permissions
|
|
|
|
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetUser`, `iam:GetLoginProfile`, `iam:ListMFADevices`, `iam:ListAccessKeys`, `iam:ListUserPolicies`, and `iam:ListAttachedUserPolicies` actions set to allow.
|
|
|
|
You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
|