
aws.iam

Supported Platform

  • aws

Description

AWS service to create and manage permissions for users and groups

The aws.iam resource can be used to assess the configuration of the AWS IAM service. The resource provides a list of aws.iam.user resources representing the IAM users in the account, along with the account's roles, groups, policies, credential report, password policy, account summary, virtual MFA devices, and server certificates.

Fields

ID                      TYPE                                  DESCRIPTION
users                   []aws.iam.user                        List of IAM users in the account
roles                   []aws.iam.role                        List of IAM roles in the account
groups                  []aws.iam.group                       List of IAM groups in the account
policies                []aws.iam.policy                      List of IAM policies in the account
attachedPolicies        []aws.iam.policy                      List of IAM policies attached to a user, role, or group
credentialReport        []aws.iam.usercredentialreportentry   IAM credential report
accountPasswordPolicy   dict                                  IAM account password policy for the account
accountSummary          map[string]int                        IAM account summary
virtualMfaDevices       []aws.iam.virtualmfadevice            List of virtual MFA devices associated with the account
serverCertificates      []dict                                List of server certificates stored in IAM

Examples

Return the aws.iam resource with the specified fields, including the list of aws.iam.user resources representing IAM users in the account

aws.iam {
  users
  roles
  groups
  policies
  attachedPolicies
  accountSummary
  virtualMfaDevices
  serverCertificates
}

Return a list of users that do not have MFA configured along with the ARN, name, and associated IAM Groups

aws.iam.credentialReport.where(mfaActive == false) {
  user {
    arn
    name
    groups
  }
}

Do not set up access keys during initial user setup for IAM users that have a console password (the check passes when every such user's first access key has been used at least once)

aws.iam.credentialReport
  .where(passwordEnabled && accessKey1Active && userCreationTime < time.today)
  .all(accessKey1LastUsedDate != null);
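The two credential-report checks above (users without MFA, and console users whose first access key was created at setup time but never used) can also be evaluated directly against the CSV that the IAM GetCredentialReport API returns. The following Python is an added example, not part of this page or of the cnquery project; it uses the real credential-report column names (user, arn, user_creation_time, password_enabled, mfa_active, access_key_1_active, access_key_1_last_used_date) but the report contents are constructed sample rows, and the account ID 123456789012 is a placeholder.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample of an IAM credential report, trimmed to the columns the
# checks below read. Column names match the AWS credential report; the rows,
# users and account ID are made up for this example.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-05T10:00:00+00:00,not_supported,true,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-03-01T09:00:00+00:00,true,true,true,2024-05-20T08:30:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2023-04-10T12:00:00+00:00,true,false,true,N/A
carol,arn:aws:iam::123456789012:user/carol,2024-01-15T15:00:00+00:00,false,false,true,2024-02-01T11:00:00+00:00
"""

# AWS writes these literals instead of a timestamp when no value applies.
NO_VALUE = {"N/A", "no_information", "not_supported"}


def _flag(value):
    # Boolean columns are the strings "true"/"false"; root has "not_supported"
    # for password_enabled, which we treat as false.
    return value.strip().lower() == "true"


def _timestamp(value):
    # Returns None for the AWS "no value" markers, mirroring a null in MQL.
    value = value.strip()
    if value in NO_VALUE:
        return None
    return datetime.fromisoformat(value)


def parse_credential_report(text):
    """Parse the credential report CSV into a list of typed dicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"],
            "arn": row["arn"],
            "creation_time": _timestamp(row["user_creation_time"]),
            "password_enabled": _flag(row["password_enabled"]),
            "mfa_active": _flag(row["mfa_active"]),
            "access_key_1_active": _flag(row["access_key_1_active"]),
            "access_key_1_last_used": _timestamp(row["access_key_1_last_used_date"]),
        })
    return rows


def users_without_mfa(rows):
    """Equivalent of credentialReport.where(mfaActive == false)."""
    return [r["user"] for r in rows if not r["mfa_active"]]


def console_users_with_unused_initial_key(rows, today=None):
    """Users selected by the where() clause whose first key was never used.

    An empty result means the .all(accessKey1LastUsedDate != null) check passes.
    """
    today = today or datetime.now(timezone.utc)
    return [
        r["user"] for r in rows
        if r["password_enabled"]
        and r["access_key_1_active"]
        and r["creation_time"] is not None
        and r["creation_time"] < today
        and r["access_key_1_last_used"] is None
    ]


def initial_access_key_check_passes(rows, today=None):
    """True when no console user still holds an unused setup-time access key."""
    return not console_users_with_unused_initial_key(rows, today)


if __name__ == "__main__":
    report = parse_credential_report(SAMPLE_REPORT)
    print("users without MFA:", users_without_mfa(report))
    print("unused initial keys:", console_users_with_unused_initial_key(report))
    print("check passes:", initial_access_key_check_passes(report))
```

Passing an explicit today value keeps the second check deterministic when run against a saved report; in the sample data bob is the only finding because alice's key has been used and carol has no console password, so she is outside the scope of the check.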
