| title | platform |
|---|---|
About the aws_sts_caller_identity Resource |
aws |
Use the aws_sts_caller_identity InSpec audit resource to test properties of AWS IAM identity whose credentials are used in the current InSpec scan.
An aws_sts_caller_identity resource block may be used to perform tests on details of the AWS credentials being used in the current Inspec scan. You can also test if the credentials belong to a GovCloud account or not.
describe aws_sts_caller_identity do
it { should exist }
end
This resource does not expect any parameters.
| Property | Description |
|---|---|
| arn | The AWS ARN associated with the calling entity. |
| account | The AWS account ID number of the account that owns or contains the calling entity. |
| user_id | The unique identifier of the calling entity. |
For more info, see the API reference documentation
describe aws_sts_caller_identity do
its("arn") { should match "arn:aws:iam::.*:user/service-account-inspec" }
end
describe aws_sts_caller_identity do
it { should be_govcloud }
end
if aws_sts_caller_identity.govcloud?
describe 'Skipping Root User MFA check as we are on GovCloud' do
skip
end
else
describe aws_iam_root_user do
it { should have_mfa_enabled }
end
end
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.
The be_govcloud matcher tests if the account is a 'GovCloud' AWS Account.
describe aws_sts_caller_identity do
it { should_not be_govcloud }
end