aws_iam_policies

Use the aws_iam_policies InSpec audit resource to test properties of some or all AWS IAM Policies.

A policy is an entity in AWS that, when attached to an identity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine if the request is allowed or denied.

Each IAM Policy is uniquely identified by either its policy_name or arn.


Availability

Installation

This resource is distributed along with InSpec itself. You can use it automatically.

Version

This resource first became available in v2.0.16 of InSpec.

Syntax

An aws_iam_policies resource block collects a group of IAM Policies and then tests that group.

# Verify the policy specified by the policy name is included in IAM Policies in the AWS account.
describe aws_iam_policies do
  its('policy_names') { should include('test-policy-1') }
end


Examples

The following examples show how to use this InSpec audit resource.

As this is the initial release of aws_iam_policies, its limited functionality precludes examples.


Properties

  • arns, entries, policy_names


Property Examples

policy_names

Provides a list of policy names for all IAM Policies in the AWS account.

describe aws_iam_policies do
  its('policy_names') { should include('test-policy-1') }
end

arns

Provides a list of policy arns for all IAM Policies in the AWS account.

describe aws_iam_policies do
  its('arns') { should include('arn:aws:iam::aws:policy/test-policy-1') }
end

entries

Provides access to the raw results of the query. This can be useful for checking counts and other advanced operations.

# Allow at most 100 IAM Policies on the account
describe aws_iam_policies do
  its('entries.count') { should be <= 100}
end


Matchers

For a full list of available matchers, please visit our matchers page.

exists

The control will pass if the filter returns at least one result. Use should_not if you expect zero matches.

# Verify that at least one IAM Policies exists.
describe aws_iam_policies
  it { should exist }
end

AWS Permissions

Your Principal will need the iam:ListPolicies action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Identity And Access Management.