aws.iam
Supported platform
- aws
Description
AWS service to create and manage permissions for users and groups
Use the aws.iam resource to assess the configuration of the AWS IAM service. The resource provides a list of aws.iam.user resources representing the IAM users in the account, along with the account's roles, groups, policies, credential report, password policy, and account summary.
Fields
| ID | TYPE | DESCRIPTION |
|---|---|---|
| users | []aws.iam.user | List of IAM users in the account |
| roles | []aws.iam.role | List of IAM roles in the account |
| groups | []aws.iam.group | List of IAM groups in the account |
| policies | []aws.iam.policy | List of IAM policies in the account |
| attachedPolicies | []aws.iam.policy | List of IAM policies attached to a user, role, or group |
| credentialReport | []aws.iam.usercredentialreportentry | IAM credential report |
| accountPasswordPolicy | dict | IAM account password policy for the account |
| accountSummary | map[string]int | IAM account summary |
| virtualMfaDevices | []aws.iam.virtualmfadevice | List of virtual MFA devices associated with the account |
| serverCertificates | []dict | List of server certificates stored in IAM |
| instanceProfiles | []aws.iam.instanceProfile | List of IAM instance profiles in the account |
Examples
Return the aws.iam resource with the specified fields, including the list of aws.iam.user resources representing IAM users in the account

```mql
aws.iam {
  users
  roles
  groups
  policies
  attachedPolicies
  accountSummary
  virtualMfaDevices
  serverCertificates
}
```
Return a list of users that do not have MFA configured, along with the ARN, name, and associated IAM groups

```mql
aws.iam.credentialReport.where(mfaActive == false) {
  user {
    arn
    name
    groups
  }
}
```
Do not set up access keys during initial user setup for IAM users that have a console password: every console user with an active access key 1 must have used that key at least once

```mql
aws.iam.credentialReport.
  where(
    passwordEnabled &&
    accessKey1Active &&
    createdAt < time.today
  ).
  all(
    accessKey1LastUsedDate != null
  )
```
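The two credential-report checks above, reimplemented in Python over the raw IAM credential report CSV (the document returned by GetCredentialReport) to show what the MQL where() and all() filters evaluate. This is an added example, not cnquery code; the report rows are constructed sample data, and the account ID and user names are placeholders.

```python
import csv
import io

# Constructed sample in the column layout of an IAM credential report.
# Not real account data: the account ID and user names are placeholders.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-05-10T09:00:00+00:00,true,2024-03-02T08:00:00+00:00,2023-05-10T09:00:00+00:00,N/A,true,true,2023-05-10T09:00:00+00:00,2024-03-02T08:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-06-01T12:00:00+00:00,true,N/A,2023-06-01T12:00:00+00:00,N/A,false,true,2023-06-01T12:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2022-02-15T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-02-15T00:00:00+00:00,2024-03-01T00:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_credential_report(text):
    """Parse the report CSV into one dict per IAM identity (root row included)."""
    return list(csv.DictReader(io.StringIO(text)))


def _is_true(value):
    # Boolean columns hold "true"/"false"; the root row reports "not_supported"
    # for password columns, which must not count as enabled.
    return value.strip().lower() == "true"


def _is_set(value):
    # Never-used dates show as "N/A"; root's password_last_used can be "no_information".
    return value.strip() not in ("N/A", "no_information", "not_supported", "")


def users_without_mfa(entries):
    """Identities whose mfa_active is not true (mirrors where(mfaActive == false))."""
    return [e["user"] for e in entries if not _is_true(e["mfa_active"])]


def unused_initial_access_keys(entries):
    """Console users whose active access key 1 has never been used (the offenders
    the third query's where() clause selects; the all() then requires none)."""
    return [e["user"] for e in entries
            if _is_true(e["password_enabled"])
            and _is_true(e["access_key_1_active"])
            and not _is_set(e["access_key_1_last_used_date"])]


def initial_access_key_check_passes(entries):
    """True when the all(accessKey1LastUsedDate != null) form of the query holds."""
    return not unused_initial_access_keys(entries)


if __name__ == "__main__":
    report = parse_credential_report(SAMPLE_REPORT)
    print("no MFA:", users_without_mfa(report))
    print("unused initial keys:", unused_initial_access_keys(report))
```

Against the sample, bob fails both checks (no MFA and an access key that was created with the console user but never used), while svc-deploy is flagged only for MFA because it has no console password.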