aws_iam_group Resource
Use the aws_iam_group
InSpec audit resource to test properties of a single IAM group.
For additional information, including details on parameters and properties, see the AWS documentation on IAM Groups.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
An aws_iam_group
resource block identifies a group by group name.
describe aws_iam_group('mygroup') do
it { should exist }
end
# Hash syntax for group name
describe aws_iam_group(group_name: 'mygroup') do
it { should exist }
end
Parameters
group_name
(required)This resource accepts a single parameter, the Group Name which uniquely identifies the IAM Group. This can be passed either as a string or as a
group_name: 'value'
key-value entry in a hash.
Properties
group_name
- The group name.
group_id
- The group ID.
arn
- The Amazon Resource Name of the group.
users
- Array of users associated with the group.
inline_policy_names
- A list of inline policy names associated with the group.
Examples
Ensure group contains a certain user.
describe aws_iam_group('admin-group') do
its('users') { should include 'deployment-service-account')}
end
Matchers
exist
The control will pass if the describe returns at least one result.
Use should_not
to test the entity should not exist.
describe aws_iam_group('AnExistingGroup') do
it { should exist }
end
describe aws_iam_group('ANonExistentGroup') do
it { should_not exist }
end
AWS Permissions
Your Principal will need the IAM:Client:GetGroupResponse
action with Effect
set to Allow
.
You can find detailed documentation at Actions, Resources, and Condition Keys for Identity And Access Management.
Was this page helpful?