| title | platform |
|---|---|
| About the aws_iam_access_key Resource | aws |
Use the `aws_iam_access_key` InSpec audit resource to test properties of a single AWS IAM Access Key.

An `aws_iam_access_key` resource allows the testing of a single AWS IAM Access Key:

```ruby
describe aws_iam_access_key(access_key_id: 'AKIA1111111111111111') do
  it { should exist }
end
```
This resource requires either an `access_key_id` or the IAM `username` associated with the Access Key.

`access_key_id`: The Access Key ID, which uniquely identifies the key and begins with the characters "AKIA". This can be passed either as a plain string or as an `access_key_id: 'value'` key-value entry in a hash.

`username`: The IAM username associated with the Access Key. This can be passed either as a plain string or as a `username: 'value'` key-value entry in a hash.

See also the AWS documentation on IAM Access Keys.
| Property | Description |
|---|---|
| `access_key_id` | The ID of the Access Key. |
| `username` | The IAM username associated with the Access Key. |
| `status` | The status of the Access Key, e.g. `Active`. |
| `create_date` | The creation date of the Access Key. |
The following examples show how to use this InSpec audit resource.

```ruby
# Look the key up by its ID and require that it has been used within the last 90 days.
describe aws_iam_access_key(access_key_id: 'AKIA1111111111111111') do
  it { should exist }
  its('last_used_date') { should be > Time.now - 90 * 86400 }
end

# Look the key up by both its owning IAM user and its ID.
describe aws_iam_access_key(username: 'psmith', id: 'AKIA1111111111111111') do
  it { should exist }
end
```
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

`exist`: The control will pass if the describe block returns at least one result. Use `should_not` to test that the entity does not exist.

```ruby
it { should exist }
it { should_not exist }
```

`active`: The `active` matcher tests whether the described IAM Access Key has a status of `Active`.

```ruby
it { should be_active }
```
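The examples and matchers above cover the three questions a key-hygiene control usually asks: is the key active, how old is it, and when was it last used. The following plain-Ruby module is an added example (not code from the Chef InSpec documentation or the inspec-aws project) that applies the same rotation and inactivity thresholds to constructed key records carrying the resource's properties (`access_key_id`, `username`, `status`, `create_date`, plus `last_used_date` from the documentation's own example), so it runs without AWS credentials. The module name `AccessKeyPolicy`, its `evaluate` and `report` methods, the 90-day defaults, and the sample keys are all assumptions made for this example.

```ruby
# Added example, not part of the InSpec documentation or the inspec-aws
# project: a plain-Ruby model of the checks a control built on
# aws_iam_access_key expresses. Key records are constructed hashes with the
# fields the resource exposes, evaluated against a fixed "now".
require 'time'

module AccessKeyPolicy
  DAY = 86_400
  # Access Key IDs begin with "AKIA" and are 20 characters long.
  KEY_ID_FORMAT = /\AAKIA[A-Z0-9]{16}\z/

  # Returns an array of finding strings for one key; empty when the key is
  # within the rotation (max_age_days) and inactivity (max_idle_days) limits.
  def self.evaluate(key, now: Time.now, max_age_days: 90, max_idle_days: 90)
    findings = []
    id = key[:access_key_id].to_s
    findings << "#{id}: malformed Access Key ID" unless id.match?(KEY_ID_FORMAT)

    # Inactive keys cannot sign requests, so only active keys are held to
    # the age and last-use thresholds (mirrors `it { should be_active }`).
    return findings unless key[:status] == 'Active'

    # Mirrors its('create_date') { should be > Time.now - max_age_days * 86400 }
    age_limit = now - max_age_days * DAY
    if key[:create_date] < age_limit
      findings << "#{id}: active key older than #{max_age_days} days " \
                  "(created #{key[:create_date].utc.iso8601})"
    end

    # Mirrors its('last_used_date') { should be > Time.now - max_idle_days * 86400 },
    # with the never-used case handled explicitly.
    idle_limit = now - max_idle_days * DAY
    last_used = key[:last_used_date]
    if last_used.nil?
      findings << "#{id}: active key has never been used"
    elsif last_used < idle_limit
      findings << "#{id}: active key unused for more than #{max_idle_days} days"
    end
    findings
  end

  # Evaluates every key and returns { access_key_id => findings } for the
  # keys that have at least one finding.
  def self.report(keys, **opts)
    keys.each_with_object({}) do |key, out|
      f = evaluate(key, **opts)
      out[key[:access_key_id]] = f unless f.empty?
    end
  end
end

# Constructed sample data; NOW is fixed so the results are deterministic.
NOW = Time.utc(2024, 6, 1)
SAMPLE_KEYS = [
  { access_key_id: 'AKIA1111111111111111', username: 'psmith', status: 'Active',
    create_date: NOW - 30 * AccessKeyPolicy::DAY, last_used_date: NOW - 2 * AccessKeyPolicy::DAY },
  { access_key_id: 'AKIA2222222222222222', username: 'psmith', status: 'Active',
    create_date: NOW - 400 * AccessKeyPolicy::DAY, last_used_date: NOW - 200 * AccessKeyPolicy::DAY },
  { access_key_id: 'AKIA3333333333333333', username: 'jdoe', status: 'Inactive',
    create_date: NOW - 400 * AccessKeyPolicy::DAY, last_used_date: nil },
  { access_key_id: 'AKIA4444444444444444', username: 'jdoe', status: 'Active',
    create_date: NOW - 10 * AccessKeyPolicy::DAY, last_used_date: nil }
]

if __FILE__ == $PROGRAM_NAME
  AccessKeyPolicy.report(SAMPLE_KEYS, now: NOW).each_value do |findings|
    findings.each { |f| puts f }
  end
end
```

Against the sample data, the first key is compliant, the second is flagged twice (older than 90 days and unused for more than 90 days), the inactive third key produces no finding, and the fourth is flagged because an active key that has never been used is still a live credential. In an InSpec control the same three checks are written as `it { should be_active }`, `its('create_date') { should be > Time.now - 90 * 86400 }` and `its('last_used_date') { should be > Time.now - 90 * 86400 }`; the last-use data behind the third check is what the `iam:GetAccessKeyLastUsed` permission listed below supplies.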
Your Principal will need the following permission actions set to allow:

- `iam:ListAccessKeys`
- `iam:GetAccessKeyLastUsed`