1.7 KiB
| title | platform |
|---|---|
| About the aws_iam_user Resource | aws |
aws_iam_user
Use the aws_iam_user InSpec audit resource to test properties of a single AWS IAM user.
To test properties of more than one user, use the aws_iam_users resource.
To test properties of the special AWS root user (which owns the account), use the aws_iam_root_user resource.
Syntax
An aws_iam_user resource block declares a user by name, and then lists tests to be performed.
describe aws_iam_user(name: 'test_user') do
it { should exist }
end
Examples
The following examples show how to use this InSpec audit resource.
Test that a user does not exist
describe aws_iam_user(name: 'gone') do
it { should_not exist }
end
Test that a user has multi-factor authentication enabled
describe aws_iam_user(name: 'test_user') do
it { should have_mfa_enabled }
end
Test that a service user does not have a password
describe aws_iam_user(name: 'test_user') do
it { should have_console_password }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers please visit our matchers page.
have_console_password
The have_console_password matcher tests if the user has a password that could be used to log into the AWS web console.
it { should have_console_password }
have_mfa_enabled
The have_mfa_enabled matcher tests if the user has Multi-Factor Authentication enabled, requiring them to enter a secondary code when they login to the web console.
it { should have_mfa_enabled }