Skip to main content

aws_iam_users resource

[edit on GitHub]

Use the aws_iam_users InSpec audit resource to test properties of some or all AWS IAM Users.


An aws_iam_users resource block returns all IAM Users and allows the testing of that group of Users.

describe aws_iam_users do
  its('usernames') { should include 'payroll-admin' }


This resource does not expect any parameters.

See also the AWS documentation on IAM Users.


usernamesThe usernames of the returned Users.
user_arnsThe Amazon Resource Names of the returned Users.
user_idsThe IDs of the returned Users.
access_keysArray of Access Keys belonging to each User.
has_attached_policiesWhether or not the User has IAM Policies attached.
attached_policy_namesThe names (if any) of the IAM Policies attached to the User.
attached_policy_arnsThe Amazon Resource Names (if any) of the IAM Policies attached to the User.
has_console_passwordWhether or not the User has a console password set.
has_inline_policiesBoolean indicating whether or not the User has policies set directly on them.
inline_policy_namesThe names of the policies (if any) which are directly on the User.
has_mfa_enabledBoolean indicating whether the User has MFA enabled or not.
password_ever_used?Whether the user has even used their console password.
password_last_used_days_agoHow long ago, in days, since the user last used their console password. Returns -1 if the password has never been used.
entriesProvides access to the raw results of the query, which can be treated as an array of hashes.


Ensure there are no Users who do not have MFA enabled.

describe aws_iam_users.where( has_mfa_enabled: false) do
  it { should_not exist }

Ensure there are no Users with inline policies

describe aws_iam_users.where(has_inline_policies: true) do
  its('usernames') { should be_empty }

Ensure there are no Users with attached policies

describe aws_iam_users.where(has_attached_policies: true) do
  its('usernames') { should be_empty }


For a full list of available matchers, please visit our matchers page.


The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

describe aws_iam_users.where( <property>: <value>) do
  it { should exist }

describe aws_iam_users.where( <property>: <value>) do
  it { should_not exist }

AWS Permissions

Your Principal will need the following permissions set to Allow: iam:GetLoginProfile iam:ListUsers iam:ListMFADevices iam:ListAccessKeys iam:ListUserPolicies iam:ListAttachedUserPolicies

Was this page helpful?


Search Results