
aws_iam_user resource


Use the aws_iam_user InSpec audit resource to test properties of a single AWS IAM User.


An aws_iam_user resource block declares the tests for a single AWS IAM User by user name.

describe aws_iam_user(user_name: 'psmith') do
  it { should exist }
end


user_name (required)

This resource accepts a single parameter, the User's username, which uniquely identifies the User. It can be passed either as a string or as a user_name: 'value' key-value entry in a hash.

See also the AWS documentation on IAM Users.


Property Description
username The user’s username.
user_id The user’s ID.
user_arn The Amazon Resource Name of the user.
access_keys An array of hashes each containing metadata about the user’s Access Keys.
inline_policy_names The names of policies directly attached to the user.
attached_policy_names The names of standalone IAM policies which are attached to the user.
attached_policy_arns The ARNs of the standalone IAM policies which are attached to the user.
  • has_mfa_enabled
  • has_console_password


The following examples show how to use this InSpec audit resource.

Test that an IAM user does not exist

describe aws_iam_user(user_name: 'invalid-user') do
  it { should_not exist }
end

Test that an IAM user has MFA enabled

describe aws_iam_user('psmith') do
  it { should exist }
  it { should have_mfa_enabled }
end

Ensure a User has no Access Keys or Inline Policies

describe aws_iam_user('psmith') do
  it                         { should exist }
  its('access_keys')         { should be_empty }
  its('inline_policy_names') { should be_empty }
end


This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.


The control will pass if the describe returns at least one result.

Use should_not to test that the entity does not exist.

it { should exist }


This will check if the requested User has Multi Factor Authentication enabled.

it { should have_mfa_enabled }


This will ensure the User has a console password set.

it { should have_console_password }

AWS Permissions

Your Principal will need the following permissions set to Allow: iam:GetUser, iam:GetLoginProfile, iam:ListMFADevices, iam:ListAccessKeys, iam:ListUserPolicies, iam:ListAttachedUserPolicies.
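As an added example (not part of the original InSpec documentation), the permissions listed above can be granted to the scanning principal as a read-only IAM policy scoped to user resources only. The Sid value is a hypothetical name and <ACCOUNT_ID> is a placeholder for your own AWS account ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InspecAwsIamUserReadOnly",
      "Effect": "Allow",
      "Action": [
        "iam:GetUser",
        "iam:GetLoginProfile",
        "iam:ListMFADevices",
        "iam:ListAccessKeys",
        "iam:ListUserPolicies",
        "iam:ListAttachedUserPolicies"
      ],
      "Resource": "arn:aws:iam::<ACCOUNT_ID>:user/*"
    }
  ]
}
```

All six actions are read-only, so the principal that runs the audit needs no write access to IAM.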
