InSpec IAM control
# encoding: utf-8
# copyright: 2021, mk::labs
# InSpec control file: file-level title shown in reports for the controls below
# (MFA on IAM/root users, account password policy).
title 'general AWS IAM account best practices'
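# Every IAM user not explicitly excepted, plus the root user, must have an
# MFA device attached.
control 'All human users should have MFA enabled' do
  impact 0.7
  title 'Ensure there all human users have MFA enabled'
  desc 'Ensure there all human users have MFA enabled'
  tag severity: 'high'
  tag check: "Review your AWS console and note if any IAM users do not\nhave MFA device enabled"
  tag fix: "Contact relevant user(s) so that they activate their MFA device"

  # Default to an empty list: without `value:` an unset input raises on first
  # use and InSpec skips the whole control, silently disabling the MFA check
  # whenever the profile is run without inputs.
  exception_users_list = input('exception_users_list', value: [])

  aws_iam_users.usernames.each do |user|
    # Excepted users are not checked; every entry here is a user allowed to
    # sign in without MFA, so keep the list short and reviewed.
    next if exception_users_list.include?(user)

    describe aws_iam_user(user) do
      it { should have_mfa_enabled }
    end
  end

  # The root user is verified through its own resource.
  describe aws_iam_root_user do
    it { should have_mfa_enabled }
  end
end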
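# The account password policy must exist and enforce complexity, expiry,
# self-service change and reuse prevention; the minimum length is an input.
control 'Account should have a strong password policy set' do
  impact 0.7
  title 'Ensure that password policy is setup'
  desc 'Ensure that password policy is setup'
  tag severity: 'high'
  tag check: "Review your AWS console and in IAM section check\nif there is a password policy set"
  tag fix: "Configure an account password policy"

  # A local rather than a constant: a constant assigned inside this block is
  # defined globally and emits an "already initialized constant" warning when
  # the file is loaded more than once (e.g. from a dependent profile).
  min_password_length = input('min_password_length', value: 8)

  describe aws_iam_password_policy do
    it { should exist }
    it { should require_uppercase_characters }
    it { should require_lowercase_characters }
    it { should require_numbers }
    it { should require_symbols }
    its('minimum_password_length') { should be >= min_password_length }
    it { should expire_passwords }
    it { should allow_users_to_change_password }
    it { should prevent_password_reuse }
  end
end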