aws_sts_caller_identity Resource
Use the aws_sts_caller_identity InSpec audit resource to test properties of the AWS IAM identity whose credentials are used in the current InSpec scan.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
An aws_sts_caller_identity resource block may be used to perform tests on details of the AWS credentials being used in the current InSpec scan. You can also test whether or not the credentials belong to a GovCloud account.

```ruby
describe aws_sts_caller_identity do
  it { should exist }
end
```
Parameters
This resource does not expect any parameters.
Properties
arn - The AWS ARN associated with the calling entity.
account - The AWS account ID number of the account that owns or contains the calling entity.
user_id - The unique identifier of the calling entity.
For more info, see the API reference documentation.
Examples
Check that the credentials used to run the scan are the expected ones.

```ruby
describe aws_sts_caller_identity do
  its("arn") { should match "arn:aws:iam::.*:user/service-account-inspec" }
end
```

Test if the account belongs to GovCloud.

```ruby
describe aws_sts_caller_identity do
  it { should be_govcloud }
end
```

Skip a test if we are using GovCloud.

```ruby
if aws_sts_caller_identity.govcloud?
  describe 'Skipping Root User MFA check as we are on GovCloud' do
    skip
  end
else
  describe aws_iam_root_user do
    it { should have_mfa_enabled }
  end
end
```
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
be_govcloud
The be_govcloud matcher tests if the account is a ‘GovCloud’ AWS Account.

```ruby
describe aws_sts_caller_identity do
  it { should_not be_govcloud }
end
```
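The following plain-Ruby example is added here to illustrate the Examples and Matchers sections above; it is not code from the InSpec AWS resource pack. It models the three properties (arn, account, user_id) and the govcloud? check against constructed sample output in the shape returned by the STS GetCallerIdentity API, and shows a caveat worth knowing before pinning an ARN pattern: GovCloud ARNs carry the aws-us-gov partition, so a pattern written for arn:aws:iam:: will not match a GovCloud identity. The CallerIdentity class, the sample JSON values and the helper names are assumptions made for this example.

```ruby
require 'json'

# Constructed sample output (same three fields the resource exposes as properties).
SAMPLE_COMMERCIAL = <<~DOC
  {
    "UserId": "AIDAEXAMPLEUSERID",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/service-account-inspec"
  }
DOC

# Constructed sample for a GovCloud identity: note the aws-us-gov partition.
SAMPLE_GOVCLOUD = <<~DOC
  {
    "UserId": "AIDAEXAMPLEGOVUSERID",
    "Account": "210987654321",
    "Arn": "arn:aws-us-gov:iam::210987654321:user/service-account-inspec"
  }
DOC

# Hypothetical stand-in for the resource (not the InSpec implementation).
class CallerIdentity
  attr_reader :arn, :account, :user_id

  def initialize(json)
    data = JSON.parse(json)
    @arn     = data.fetch('Arn')
    @account = data.fetch('Account')
    @user_id = data.fetch('UserId')
  end

  # ARN layout: arn:<partition>:<service>:<region>:<account>:<resource>
  def partition
    @arn.split(':', 6)[1]
  end

  # GovCloud accounts live in the aws-us-gov partition.
  def govcloud?
    partition == 'aws-us-gov'
  end

  # Equivalent of `it { should exist }`: an identity was returned at all.
  def exist?
    !@arn.nil? && !@arn.empty?
  end
end

# Pattern from the Examples section; it is pinned to the commercial partition.
COMMERCIAL_ONLY = %r{arn:aws:iam::.*:user/service-account-inspec}

# Partition-agnostic variant that accepts both commercial and GovCloud ARNs.
PARTITION_AGNOSTIC = %r{\Aarn:aws(?:-us-gov)?:iam::\d{12}:user/service-account-inspec\z}

def arn_matches?(identity, pattern)
  identity.arn.match?(pattern)
end

# Mirrors the "skip if GovCloud" example: reports which branch a profile would take.
def root_mfa_check_plan(identity)
  identity.govcloud? ? :skip_root_mfa_check : :run_root_mfa_check
end

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_COMMERCIAL, SAMPLE_GOVCLOUD].each do |sample|
    id = CallerIdentity.new(sample)
    puts "#{id.arn} govcloud=#{id.govcloud?} " \
         "commercial_pattern=#{arn_matches?(id, COMMERCIAL_ONLY)} " \
         "plan=#{root_mfa_check_plan(id)}"
  end
end
```

Run with `ruby caller_identity_example.rb`. The commercial identity matches the pattern from the Examples section and proceeds to the root-MFA check, while the GovCloud identity fails that same pattern and takes the skip branch; a profile that must run in both partitions should use the partition-agnostic pattern instead.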
AWS Permissions
Your Principal will need the STS:Client:GetCallerIdentityResponse action with Effect set to Allow.