
aws_iam_access_keys resource


Use the aws_iam_access_keys InSpec audit resource to test properties of some or all AWS IAM Access Keys.


An aws_iam_access_keys resource block returns all IAM Access Keys and allows the testing of that group of Access Keys.

  describe aws_iam_access_keys do
    it                    { should exist }
    its('access_key_ids') { should include 'AKIA1111111111111111' }
  end


This resource accepts a single optional parameter, a Username for which to retrieve all Access Keys. If it is not provided, all Access Keys for all Users are retrieved.

username (optional)

The IAM Username for which to retrieve the Access Keys. This can be passed either as a string or as a username: 'value' key-value entry in a hash.

See also the AWS documentation on IAM Access Keys.


access_key_id - The ID of the Access Key.
username - The IAM Username which is associated with the Access Key.
active - Indicates if the status of the Key is Active.
inactive - Indicates if the status of the Key is Inactive.
ever_used - Indicates if the Key has ever been used.
never_used - Indicates if the Key has never been used.
create_date - The creation date of the Access Key.
created_days_ago - How many days ago the Access Key was created.
created_hours_ago - How many hours ago the Access Key was created.
created_with_user - Boolean indicating if the Access Key was created with a User.
last_used_date - The date the Access Key was last used.
last_used_hours_ago - How many hours ago the Key was last used.
last_used_days_ago - How many days ago the Key was last used.
user_created_date - The date on which the associated User was created.
entries - Provides access to the raw results of the query, which can be treated as an array of hashes.


Test all Active keys

describe aws_iam_access_keys.where(active: true) do
  its('access_key_ids') { should include 'AKIA1111111111111111' }
end

Ensure a User has no Access Keys

describe aws_iam_access_keys.where(username: 'untrusted-account') do
  it { should_not exist }
end
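
The properties listed above can be combined into a key-hygiene policy. The following is an added example, not part of the InSpec documentation: plain Ruby that applies such a policy to rows shaped like entries. The symbol hash keys, the 90-day and 45-day thresholds, the function name, and the sample rows are all assumptions constructed for illustration.

```ruby
# Added example: classify IAM access keys from rows shaped like the
# resource's `entries` (assumed here to be hashes keyed by property name).
MAX_AGE_DAYS    = 90  # assumed rotation policy, not from the page
MAX_UNUSED_DAYS = 45  # assumed dormancy policy, not from the page

# Returns an array of [access_key_id, username, reason] for keys that
# violate the policy. Inactive keys are skipped: they cannot authenticate.
def access_key_findings(entries, max_age: MAX_AGE_DAYS, max_unused: MAX_UNUSED_DAYS)
  entries.each_with_object([]) do |key, findings|
    next unless key[:active]

    reasons = []
    reasons << :rotation_overdue if key[:created_days_ago] > max_age
    if key[:never_used]
      # Assumption: last_used_days_ago may be nil for a key that was never
      # used, so judge it by age instead of comparing against nil.
      reasons << :never_used if key[:created_days_ago] > max_unused
    elsif key[:last_used_days_ago].to_i > max_unused
      reasons << :dormant
    end

    reasons.each { |r| findings << [key[:access_key_id], key[:username], r] }
  end
end

# Constructed sample rows (not real keys).
SAMPLE_ENTRIES = [
  { access_key_id: 'AKIAEXAMPLE000000001', username: 'ci-deploy', active: true,
    created_days_ago: 200, never_used: false, last_used_days_ago: 1 },
  { access_key_id: 'AKIAEXAMPLE000000002', username: 'alice', active: true,
    created_days_ago: 60, never_used: true, last_used_days_ago: nil },
  { access_key_id: 'AKIAEXAMPLE000000003', username: 'bob', active: true,
    created_days_ago: 30, never_used: false, last_used_days_ago: 3 },
  { access_key_id: 'AKIAEXAMPLE000000004', username: 'old-svc', active: false,
    created_days_ago: 400, never_used: false, last_used_days_ago: 300 },
  { access_key_id: 'AKIAEXAMPLE000000005', username: 'carol', active: true,
    created_days_ago: 80, never_used: false, last_used_days_ago: 70 }
].freeze

if __FILE__ == $PROGRAM_NAME
  access_key_findings(SAMPLE_ENTRIES).each { |id, user, why| puts "#{id} #{user} #{why}" }
end
```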


For a full list of available matchers, please visit our matchers page.


The control will pass if the describe returns at least one result.

Use should_not to test that the entity does not exist.

it { should exist }

it { should_not exist }

AWS Permissions

Your Principal will need the following permissions set to Allow: iam:GetUser, iam:GetAccessKeyLastUsed, iam:ListUsers, iam:ListAccessKeys.
