aws_iam_password_policy

Use the aws_iam_password_policy InSpec audit resource to test properties of the AWS IAM Password Policy.


Availability

Installation

This resource is distributed along with InSpec itself. You can use it automatically.

Version

This resource first became available in v2.0.16 of InSpec.

Syntax

An aws_iam_password_policy resource block takes no parameters. Several properties and matchers are available.

describe aws_iam_password_policy do
  it { should require_lowercase_characters }
end


Properties

  • max_password_age_in_days, minimum_password_length, number_of_passwords_to_remember

Examples

The following examples show how to use this InSpec audit resource.

Test that the IAM Password Policy requires lowercase characters, uppercase characters, numbers, symbols, and a minimum length greater than eight

describe aws_iam_password_policy do
  it { should require_lowercase_characters }
  it { should require_uppercase_characters }
  it { should require_symbols }
  it { should require_numbers }
  its('minimum_password_length') { should be > 8 }
end

Test that the IAM Password Policy allows users to change their password

describe aws_iam_password_policy do
  it { should allow_users_to_change_passwords }
end

Test that the IAM Password Policy expires passwords

describe aws_iam_password_policy do
  it { should expire_passwords }
end

Test that the IAM Password Policy has a max password age

describe aws_iam_password_policy do
  its('max_password_age_in_days') { should be 90 }
end

Test that the IAM Password Policy prevents password reuse

describe aws_iam_password_policy do
  it { should prevent_password_reuse }
end

Test that the IAM Password Policy requires users to remember 3 previous passwords

describe aws_iam_password_policy do
  its('number_of_passwords_to_remember') { should eq 3 }
end


Matchers

This resource uses the following special matchers. For a full list of available matchers, please visit our matchers page.

  • allows_users_to_change_passwords, expire_passwords, prevent_password_reuse, require_lowercase_characters , require_uppercase_characters, require_numbers, require_symbols

AWS Permissions

Your Principal will need the iam:GetAccountPasswordPolicy action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Identity And Access Management.