With Terraform for AWS, you can collect evidence from hundreds of different data sources within your AWS infrastructure. In this article, we’ll look at how you can collect evidence from IAM for common evidence objects:
Administrator Access to Cloud
Administrator Access to Database
Administrator Access to VPN
Administrator Access to Network
Administrator Access to Application
Administrator Access to Operating System
Access to Backups
Critical System Access Configuration
System Log Access
Backup Access
Access to Production
Key/Secrets Access
Cloud Service Access
Getting started
Make sure that you have a Terraform for AWS integration configured. The IAM role used to configure the integration needs a policy granting read-only access to IAM resources (for example the AWS managed policy IAMReadOnlyAccess, or a narrower custom policy that allows only the IAM read calls the data sources below make).
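As an added example (not taken from the original article and not the Strike Graph integration's own code), the following Terraform configuration attaches a least-privilege read-only policy to the integration role. It allows only the two IAM calls the data sources in this article rely on: iam:GetGroup (used by aws_iam_group) and iam:ListUsers (used by aws_iam_users). The provider region, policy name and the integration_role_name variable are placeholders you would substitute with your own values.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

provider "aws" {
  region = "us-east-1" # placeholder; IAM is global, so any region works for these calls
}

# Name of the IAM role you created for the Terraform for AWS integration (placeholder).
variable "integration_role_name" {
  type = string
}

# Least-privilege permissions: only what aws_iam_group and aws_iam_users need.
data "aws_iam_policy_document" "evidence_read" {
  statement {
    sid    = "ReadIamGroupMembersAndUsers"
    effect = "Allow"
    # iam:GetGroup returns the group and its member users (aws_iam_group data source).
    # iam:ListUsers returns every user in the account (aws_iam_users data source);
    # it does not support resource-level restrictions, hence "*".
    actions   = ["iam:GetGroup", "iam:ListUsers"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "evidence_read" {
  name   = "evidence-iam-read-only" # placeholder name
  policy = data.aws_iam_policy_document.evidence_read.json
}

resource "aws_iam_role_policy_attachment" "evidence_read" {
  role       = var.integration_role_name
  policy_arn = aws_iam_policy.evidence_read.arn
}
```

If you later collect from other data sources (for example roles or policies), extend the actions list rather than falling back to a broad managed policy, so the evidence-collection role cannot read more than the evidence items require.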
IAM Groups
While not required, it’s best practice to use IAM Groups to organize your IAM users. This makes it much easier to collect only the users relevant to each evidence item listed above, rather than the full user list.
Configure Terraform to collect from IAM
Navigate to the Strike Graph evidence item that you would like to collect evidence for, and select “Automated Collection” as your attachment method. If the evidence item already has an effective attachment, but you would like to configure it for automated collection, you can add Automated Collection from the “more” menu in the top left.
In the attachment window, click on the “Integrations” tab and select your configured Terraform for AWS integration.
Using IAM Groups
Using IAM Groups is especially helpful for showing that you have logical separation of access and permissions in your system environments. Since an IAM user can belong to multiple groups, you may want to configure many groups to cover the different evidence requirements for your compliance program.
For more information on other ways to use aws_iam_group, see the Terraform documentation for that data source.
Region
Select the AWS region of your production environment. IAM is a global service, so the region you choose sets where the query runs but does not restrict which groups or users are returned.
Define Data
Here we will be using the aws_iam_group data source to collect the list of users who are members of a particular group.
Data source: aws_iam_group
Temp name: a short logical name for the attachment file
Query constraints: group_name: “an_example_group_name”
Define Local Values
Combine the data_source and temp_name from above, prefixed with `data`, in the following format: `data.data_source.temp_name` (for example `data.aws_iam_group.temp_name`).
Expected output
With this data source, we expect to get a list of all the IAM users who are members of that group.
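The steps above (Region, Define Data, Define Local Values), written out as a standalone Terraform configuration. This is an added example, not code from the original article; it assumes the integration fields map onto plain HCL as shown, and the region, the temp name cloud_admins and the group name an_example_group_name are placeholders.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Region step: the region selected for the production environment (placeholder).
# IAM is global, so this does not filter the group or its members.
provider "aws" {
  region = "us-east-1"
}

# Define Data step:
#   Data source      = aws_iam_group
#   Temp name        = cloud_admins
#   Query constraint = group_name = "an_example_group_name"
data "aws_iam_group" "cloud_admins" {
  group_name = "an_example_group_name"
}

# Define Local Values step: data.<data_source>.<temp_name>
locals {
  cloud_admins = data.aws_iam_group.cloud_admins

  # The evidence of interest is the membership list. `users` is a list of
  # objects with arn, path, user_id and user_name; keep just the names and ARNs.
  cloud_admin_user_names = [for u in data.aws_iam_group.cloud_admins.users : u.user_name]
  cloud_admin_user_arns  = [for u in data.aws_iam_group.cloud_admins.users : u.arn]
}

# Expected output: every IAM user that is a member of the group.
output "cloud_admin_user_names" {
  value = local.cloud_admin_user_names
}

output "cloud_admin_user_arns" {
  value = local.cloud_admin_user_arns
}
```

Run `terraform init` and `terraform plan` (or `apply`) with credentials for the integration role; because the configuration contains only data sources, nothing is created in the account. If the group name does not exist, the data source fails rather than returning an empty list, which is the behaviour you want for evidence collection: a silently empty attachment would look like "no administrators" instead of a misconfiguration.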
Using IAM Users
If you cannot use IAM Groups, or you need a list of all users, you can produce a full list using the aws_iam_users data source.
For more information on other ways to use aws_iam_users, see the Terraform documentation for that data source.
Region
Select the AWS region of your production environment. Because IAM is global, this does not change which users are returned.
Define Data
Here we will be using the aws_iam_users data source to collect a list of users.
Data source: aws_iam_users
Temp name: a short logical name for the attachment file
Query constraints [optional]: To list all IAM users, leave this blank. To narrow the list, the data source supports the name_regex and path_prefix arguments; refer to the Terraform documentation for details of these filtering options.
Define Local Values
Combine the data_source and temp_name from above, prefixed with `data`, in the following format: `data.data_source.temp_name` (for example `data.aws_iam_users.temp_name`).
You also have the option here of filtering the data down even further by defining a single data attribute that you would like to include. For example, `arns` returns only the ARN of each user; `names` is the other attribute this data source exposes.
Expected output
With this data source, we expect to get a list of the ARNs of all IAM users in the account. Since IAM is global, the list is the same whichever region you selected.
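The aws_iam_users procedure as a standalone Terraform configuration, written as an added example rather than code from the original article. It goes slightly beyond the text by showing the two optional query constraints (path_prefix and name_regex) alongside the unfiltered query, and by selecting the `arns` attribute in the local value. The region, the path /production/ and the regex ^svc- are placeholders.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Region step (placeholder). IAM is global; the region does not filter users.
provider "aws" {
  region = "us-east-1"
}

# Define Data step with no query constraints: every IAM user in the account.
#   Data source = aws_iam_users
#   Temp name   = all
data "aws_iam_users" "all" {}

# Optional constraint: only users created under a given path. This filter is
# applied server-side by the ListUsers API.
data "aws_iam_users" "production" {
  path_prefix = "/production/" # placeholder path
}

# Optional constraint: only user names matching a regex. The provider applies
# this filter locally after ListUsers returns, so the role still needs
# iam:ListUsers on "*" even for a narrow match.
data "aws_iam_users" "service_accounts" {
  name_regex = "^svc-" # placeholder pattern
}

# Define Local Values step: data.<data_source>.<temp_name>, narrowed to the
# single attribute the evidence item should contain.
locals {
  all_user_arns          = data.aws_iam_users.all.arns
  all_user_names         = data.aws_iam_users.all.names
  production_user_arns   = data.aws_iam_users.production.arns
  service_account_names  = data.aws_iam_users.service_accounts.names
}

# Expected output for the unfiltered query: the ARN of every IAM user.
output "all_user_arns" {
  value = local.all_user_arns
}

output "production_user_arns" {
  value = local.production_user_arns
}

output "service_account_names" {
  value = local.service_account_names
}
```

Prefer path_prefix over name_regex where your account uses IAM paths consistently: it is enforced by AWS, does not depend on naming discipline, and keeps the returned list (and the evidence attachment) small.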
