Skip to main content

aws_iam_group Resource

[edit on GitHub]

Use the aws_iam_group InSpec audit resource to test properties of a single IAM group.

For additional information, including details on parameters and properties, see the AWS documentation on IAM Groups.

Installation

This resource is available in the Chef InSpec AWS resource pack.

See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.

Syntax

An aws_iam_group resource block identifies a group by group name.

describe aws_iam_group('mygroup') do
  it { should exist }
end
# Hash syntax for group name
describe aws_iam_group(group_name: 'mygroup') do
  it { should exist }
end

Parameters

group_name (required)

This resource accepts a single parameter, the Group Name which uniquely identifies the IAM Group. This can be passed either as a string or as a group_name: 'value' key-value entry in a hash.

Properties

group_name
The group name.
group_id
The group ID.
arn
The Amazon Resource Name of the group.
users
Array of users associated with the group.
inline_policy_names
A list of inline policy names associated with the group.

Examples

Ensure group contains a certain user.

describe aws_iam_group('admin-group') do
  its('users') { should include 'deployment-service-account')}
end

Matchers

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

describe aws_iam_group('AnExistingGroup') do
  it { should exist }
end
describe aws_iam_group('ANonExistentGroup') do
  it { should_not exist }
end

AWS Permissions

Your Principal will need the IAM:Client:GetGroupResponse action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Identity And Access Management.

Was this page helpful?

×









Search Results