aws_iam_access_key Resource
Use the aws_iam_access_key
InSpec audit resource to test properties of a single AWS IAM Access Key.
For additional information, including details on parameters and properties, see the AWS documentation on IAM Access Keys.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
An aws_iam_access_key
resource allows the testing of a single AWS IAM Access Key.
describe aws_iam_access_key(access_key_id: 'AKIA1111111111111111') do
it { should exist }
end
Parameters
This resources requires either an access_key_id
or the IAM username
associated with the Access Key.
access_key_id
(required ifusername
not provided.)The Access Key ID which uniquely identifies the Key. Begins with the characters “AKIA”. This can be passed either as a string or as a
access_key_id: 'value'
key-value entry in a hash.username
(required ifaccess_key_id
not provided.)The IAM Username which is associated with the Access Key. This can be passed either as a string or as a
username: 'value'
key-value entry in a hash.
Properties
access_key_id
- The ID of the Access Key.
username
- The IAM Username which is associated with the Access Key.
status
- The status of the Access Key, e.g. “Active”.
create_date
- The creation date of the Access Key.
Examples
The following examples show how to use this InSpec audit resource.
Test that an IAM Access Key has been used in the last 90 days.
describe aws_iam_access_key(access_key_id: 'AKIA1111111111111111') do
it { should exist }
its('last_used_date') { should be > Time.now - 90 * 86400 }
end
Test that an IAM Access Key for a specific user exists.
describe aws_iam_access_key(username: 'psmith', id: 'AKIA1111111111111111') do
it { should exist }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.
exist
The control will pass if the describe returns at least one result.
Use should_not
to test the entity should not exist.
it { should exist }
it { should_not exist }
active
The active
matcher tests if the described IAM Access Key has a status of Active.
it { should be_active }
AWS Permissions
Your Principal will need the IAM:Client:GetAccessKeyLastUsedResponse
action with Effect
set to Allow
.
You can find detailed documentation at Amazon Route 53