aws.iam

Supported platform

  • aws

Description

AWS service to create and manage permissions for users and groups

Use the aws.iam resource to assess the configuration of the AWS IAM service. The resource provides lists of IAM users, roles, groups, and policies for the account, plus the IAM credential report and account-level settings such as the password policy.

Fields

ID                     TYPE                                   DESCRIPTION
users                  []aws.iam.user                         List of IAM users in the account
roles                  []aws.iam.role                         List of IAM roles in the account
groups                 []aws.iam.group                        List of IAM groups in the account
policies               []aws.iam.policy                       List of IAM policies in the account
attachedPolicies       []aws.iam.policy                       List of IAM policies attached to a user, role, or group
credentialReport       []aws.iam.usercredentialreportentry    IAM credential report
accountPasswordPolicy  dict                                   IAM account password policy for the account
accountSummary         map[string]int                         IAM account summary
virtualMfaDevices      []aws.iam.virtualmfadevice             List of virtual MFA devices associated with the account
serverCertificates     []dict                                 List of server certificates stored in IAM
instanceProfiles       []aws.iam.instanceProfile              List of IAM instance profiles in the account

Examples

Return the IAM users, roles, groups, policies, and the other specified fields for the account

aws.iam {
  users
  roles
  groups
  policies
  attachedPolicies
  accountSummary
  virtualMfaDevices
  serverCertificates
}

Return a list of users that do not have MFA configured along with the ARN, name, and associated IAM Groups

aws.iam.credentialReport.where(mfaActive == false) {
  user {
    arn
    name
    groups
  }
}

Do not set up access keys during initial user setup for IAM users that have a console password (every active access key of such a user must have been used at least once)

aws.iam.credentialReport.
  where(
    passwordEnabled &&
    accessKey1Active &&
    userCreationTime < time.today
  ).
  all(
    accessKey1LastUsedDate != null
  )
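The two credential-report checks above, reimplemented against the CSV layout of the AWS IAM credential report (the same data the credentialReport field exposes), as an added example that is not cnquery/cnspec code. The report text is constructed with a subset of the real columns; "N/A" and "not_supported" are the real placeholder values AWS emits.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the AWS credential report CSV layout (subset of columns).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,true,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T10:00:00+00:00,true,true,true,2024-02-01T08:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2022-06-07T09:30:00+00:00,true,false,true,N/A
carol,arn:aws:iam::123456789012:user/carol,2023-09-10T12:00:00+00:00,false,false,true,2024-01-15T07:00:00+00:00
"""


def _flag(value):
    """Boolean columns are the strings 'true'/'false'; root rows may carry 'not_supported'."""
    return value.strip().lower() == "true"


def _ts(value):
    """Parse an ISO 8601 column; 'N/A', 'no_information' and 'not_supported' mean no value."""
    if value.strip() in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.strip())


def parse_report(text):
    """Return the credential report as a list of dict rows, one per IAM principal."""
    return list(csv.DictReader(io.StringIO(text)))


def users_without_mfa(rows):
    """Equivalent of credentialReport.where(mfaActive == false) { user { arn name } }."""
    return [(r["user"], r["arn"]) for r in rows if not _flag(r["mfa_active"])]


def unused_initial_access_keys(rows, today=None):
    """Users with a console password and an active key 1 that has never been used.
    The MQL check passes when this list is empty (the all(...) assertion)."""
    if isinstance(today, str):
        today = _ts(today)
    today = today or datetime.now(timezone.utc)
    offenders = []
    for r in rows:
        created = _ts(r["user_creation_time"])
        if (_flag(r["password_enabled"]) and _flag(r["access_key_1_active"])
                and created is not None and created < today
                and _ts(r["access_key_1_last_used_date"]) is None):
            offenders.append(r["user"])
    return offenders
```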