aws_iam_password_policy Resource
Use the aws_iam_password_policy
InSpec audit resource to test properties of an AWS IAM Password Policy.
For additional information, including details on parameters and properties, see the AWS documentation on Auto Scaling Group.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
An aws_iam_password_policy
resource block declares the tests for an AWS IAM Password Policy.
describe aws_iam_password_policy do
it { should exist }
end
Parameters
This resource does not require any parameters.
Properties
minimum_password_length
- The minimum character count of the password policy.
max_password_age_in_days
- Integer representing in days how long a password may last before expiring.
number_of_passwords_to_remember
- Number of previous passwords to remember.
Examples
Test that a Password Policy meets your company’s requirements.
describe aws_iam_password_policy do
it { should require_uppercase_characters }
it { should require_lowercase_characters }
it { should require_numbers }
its('minimum_password_length') { should be > 8 }
end
Test that users can change their own passwords .
describe aws_iam_password_policy do
it { should allow_users_to_change_password }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.
exist
it { should exist }
prevent_password_reuse
it { should prevent_password_reuse }
expire_passwords
it { should expire_passwords }
require_numbers
it { should require_numbers }
require_symbols
it { should require_symbols }
require_lowercase_characters
it { should require_lowercase_characters }
require_uppercase_characters
it { should require_uppercase_characters}
allow_users_to_change_passwords
it { should allow_users_to_change_password }
All matchers can use the inverse should_not
predicate.
AWS Permissions
Your Principal will need the following permissions action set to allow: IAM:Client:GetAccountPasswordPolicyResponse
Was this page helpful?