aws_iam_groups resource
Use the aws_iam_groups InSpec audit resource to test properties of a collection of IAM groups.
For additional information, including details on parameters and properties, see the AWS documentation on IAM Groups.
Syntax
An aws_iam_groups
resource block returns every IAM group in the account; it does not take a group name. Narrow the collection with where, using the singular field names behind the properties listed below (group_name, group_id, arn, users, has_inline_policies, inline_policy_names). To test a single group by name, use the singular aws_iam_group resource instead.
describe aws_iam_groups do
  it { should exist }
end
Filter the collection on a field:
describe aws_iam_groups.where(group_name: 'mygroup') do
  it { should exist }
end
Parameters
This resource does not require any parameters.
Properties
group_names
- The names of the groups in the (filtered) collection.
group_ids
- The IDs of the groups in the collection.
arns
- The Amazon Resource Names of the groups in the collection.
users
- The user names that are members of each group.
entries
- Provides access to the raw results of the query, which can be treated as an array of hashes, one per group, keyed by the singular field names.
has_inline_policies
- Boolean indicating whether the group has inline policies. Managed policies attached to the group are not counted.
inline_policy_names
- The names of the inline policies (if any) embedded in the group.
Examples
Ensure group contains a certain user:
describe aws_iam_groups do
  it { should exist }
  its('group_names') { should include 'prod-access-group' }
end
Ensure there are no groups with inline policies:
describe aws_iam_groups.where(has_inline_policies: true) do
  its('group_names') { should be_empty }
end
Matchers
exist
The control passes if the collection, after any where filter, contains at least one group. Use should_not exist to assert that a filtered collection is empty.
describe aws_iam_groups do
  it { should exist }
end
AWS Permissions
Your AWS principal will need the iam:ListGroups action with Effect set to Allow. Because the resource also populates users and inline_policy_names for every group it lists, it additionally needs iam:GetGroup and iam:ListGroupPolicies on those groups; with only iam:ListGroups the resource fails when it fetches the first group's members.
You can find detailed documentation at Actions, Resources, and Condition Keys for Identity And Access Management.
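The following is an added example, not code from InSpec or the inspec-aws project: a plain Ruby model of how a plural resource such as aws_iam_groups assembles its rows and applies where filters, run against a fake IAM client over constructed data so it works offline. FakeIamClient, IamGroupsTable and SAMPLE_GROUPS are names invented here, and the account ID, group IDs and ARNs are made up. It shows why the permissions above cover three actions rather than one, how ListGroups pagination is followed, and what the two controls in the Examples section actually evaluate.

```ruby
require 'set'

# Added example, not inspec-aws code: a plain-Ruby model of how a plural resource
# such as aws_iam_groups builds its table, run against a fake IAM client.
# SAMPLE_GROUPS is a constructed account; names, IDs and ARNs are made up.
SAMPLE_GROUPS = [
  { group_name: 'prod-access-group', group_id: 'AGPAEXAMPLE0000001',
    arn: 'arn:aws:iam::123456789012:group/prod-access-group',
    users: %w[alice bob], inline_policies: [] },
  { group_name: 'legacy-admins', group_id: 'AGPAEXAMPLE0000002',
    arn: 'arn:aws:iam::123456789012:group/legacy-admins',
    users: %w[carol], inline_policies: %w[LegacyAdminInline] },
  { group_name: 'empty-group', group_id: 'AGPAEXAMPLE0000003',
    arn: 'arn:aws:iam::123456789012:group/empty-group',
    users: [], inline_policies: [] }
].freeze

# Fakes the three IAM calls the page's properties imply, with SDK-like response
# shapes. PAGE_SIZE 2 forces ListGroups pagination over the three sample groups.
class FakeIamClient
  PAGE_SIZE = 2
  Group    = Struct.new(:group_name, :group_id, :arn, keyword_init: true)
  User     = Struct.new(:user_name, keyword_init: true)
  Page     = Struct.new(:groups, :is_truncated, :marker, keyword_init: true)
  Members  = Struct.new(:users, keyword_init: true)
  Policies = Struct.new(:policy_names, keyword_init: true)
  attr_reader :list_groups_calls

  def initialize(groups)
    @groups = groups
    @by_name = groups.to_h { |g| [g[:group_name], g] } # KeyError stands in for NoSuchEntity
    @list_groups_calls = 0
  end

  # iam:ListGroups is paginated; the real API truncates at 100 groups by default.
  def list_groups(marker: nil)
    @list_groups_calls += 1
    start = marker.to_i
    next_start = start + PAGE_SIZE
    truncated = next_start < @groups.size
    Page.new(groups: @groups[start, PAGE_SIZE].map { |g| Group.new(**g.slice(:group_name, :group_id, :arn)) },
             is_truncated: truncated, marker: truncated ? next_start.to_s : nil)
  end

  # iam:GetGroup is the only call that returns a group's member users.
  def get_group(group_name:)
    Members.new(users: @by_name.fetch(group_name)[:users].map { |u| User.new(user_name: u) })
  end

  # iam:ListGroupPolicies returns inline policy names only, never attached managed policies.
  def list_group_policies(group_name:)
    Policies.new(policy_names: @by_name.fetch(group_name)[:inline_policies])
  end
end

# One row per group, keyed by the field names behind the page's properties, plus
# the IAM actions exercised so a control's required permissions are explicit.
class IamGroupsTable
  attr_reader :entries, :actions_used

  def self.fetch(client)
    rows, actions, marker = [], Set.new, nil
    loop do
      page = client.list_groups(marker: marker)
      actions << 'iam:ListGroups'
      page.groups.each do |g|
        users = client.get_group(group_name: g.group_name).users.map(&:user_name)
        actions << 'iam:GetGroup'
        inline = client.list_group_policies(group_name: g.group_name).policy_names
        actions << 'iam:ListGroupPolicies'
        rows << { group_name: g.group_name, group_id: g.group_id, arn: g.arn, users: users,
                  has_inline_policies: !inline.empty?, inline_policy_names: inline }
      end
      break unless page.is_truncated
      marker = page.marker
    end
    new(rows, actions)
  end

  def initialize(entries, actions_used = Set.new)
    @entries = entries
    @actions_used = actions_used
  end

  # where(has_inline_policies: true) keeps the rows on which every criterion matches.
  def where(criteria)
    IamGroupsTable.new(entries.select { |row| criteria.all? { |k, v| row[k] == v } }, actions_used)
  end

  # `exist` on a plural resource means the (filtered) table is non-empty.
  def exist?
    !entries.empty?
  end

  def group_names
    entries.map { |r| r[:group_name] }
  end
end
```

Note the split the model keeps: where takes the singular field names (group_name, has_inline_policies) that key each row, while the plural property names (group_names) are column accessors over the filtered rows. actions_used after a fetch lists exactly the three actions the permissions section requires; restricting the principal to iam:ListGroups alone would fail at the first GetGroup call.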