InSpec IAM control
# encoding: utf-8
# copyright: 2021, mk::labs

# InSpec profile controls for AWS IAM account hygiene: MFA on human users and
# on the root account, plus an account-level password policy. The aws_iam_*
# resources used below are provided by the inspec-aws resource pack.
title 'general AWS IAM account best practices'
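control 'All human users should have MFA enabled' do
  impact 0.7
  title 'Ensure there all human users have MFA enabled'
  desc 'Ensure there all human users have MFA enabled'
  tag "severity": 'high'
  tag "check": "Review your AWS console and note if any IAM users do not\nhave MFA device enabled"
  tag "fix": "Contact relevant user(s) so that they activate their MFA device"

  # Usernames exempt from the per-user MFA check (e.g. service accounts that
  # only use access keys). Defaults to an empty list so the control still
  # evaluates every user when the caller supplies no value: without a default,
  # an unset input is not an Array, and calling `include?` on InSpec's
  # unset-input placeholder can, depending on version, answer truthy (so every
  # user is skipped and the control silently shrinks to the root-user check) or
  # raise. `Array()` additionally accepts a single username given as a string.
  exception_users_list = Array(input('exception_users_list', value: []))

  aws_iam_users.usernames.each do |user|
    next if exception_users_list.include?(user)

    describe aws_iam_user(user) do
      it { should have_mfa_enabled }
    end
  end

  # The root account is not an IAM user and so is not listed by aws_iam_users;
  # it has to be checked explicitly.
  describe aws_iam_root_user do
    it { should have_mfa_enabled }
  end
end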
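control 'Account should have a strong password policy set' do
  impact 0.7
  title 'Ensure that password policy is setup'
  desc 'Ensure that password policy is setup'
  tag "severity": 'high'
  tag "check": "Review your AWS console and in IAM section check\nif there is a password policy set"
  tag "fix": "Configure an account password policy"

  # Minimum length the account policy must enforce. Held in a local rather than
  # a constant: a constant assigned inside the control block lands on the
  # top-level namespace, is visible to every other control file in the profile,
  # and triggers an "already initialized constant" warning if the file is
  # evaluated more than once. The default of 8 is kept for compatibility; the
  # CIS AWS Foundations Benchmark recommends 14 or greater, which callers can
  # set through the `min_password_length` input.
  min_password_length = input('min_password_length', value: 8)

  describe aws_iam_password_policy do
    it { should exist }
    it { should require_uppercase_characters }
    it { should require_lowercase_characters }
    it { should require_numbers }
    it { should require_symbols }
    its('minimum_password_length') { should be >= min_password_length }
    it { should expire_passwords }
    it { should allow_users_to_change_password }
    it { should prevent_password_reuse }
  end
end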