aws_config_recorder Resource
Use the aws_config_recorder
InSpec audit resource to test properties of your AWS Config service.
The AWS Config service can monitor and record changes to your AWS resource configurations. The AWS Config recorder is used to detect changes in resource configurations and capture these changes as configuration items.
As of April 2018, you are only permitted one configuration recorder per region.
For additional information, including details on parameters and properties, see the AWS documentation on the AWS::Config::ConfigurationRecorder
resource.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
An aws_config_recorder
resource block declares the tests for a single AWS Config resource by recorder name.
describe aws_config_recorder('RECORDER_NAME') do
it { should exist }
end
You may also use hash syntax to pass the recorder name
describe aws_config_recorder(recorder_name: 'RECORDER_NAME') do
it { should exist }
end
Since you may only have one recorder per region, and InSpec connections are per-region, you may also omit the recorder name to obtain the one recorder (if any) that exists:
describe aws_config_recorder do
it { should exist }
end
Parameters
recorder_name
(optional)This resource accepts a single parameter, the Configuration recorder name. This can be passed either as a string or as a
recorder_name: 'value'
key-value entry in a hash.
Properties
recorder_name
- The name of the recorder. By default, AWS Config automatically assigns the name “default” when creating the configuration recorder. You cannot change the assigned name.
role_arn
- Amazon Resource Name (ARN) of the IAM role used to describe the AWS resources associated with the account.
resource_types
- A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (i.e. AWS::EC2::Instance).
last_status
- The last (previous) status of the recorder.
Examples
Test if the recorder is active and recording.
describe aws_config_recorder do
it { should be_recording }
end
Ensure the role_arn is correct for the recorder.
The role is used to grant permissions to S3 Buckets, SNS topics and to get configuration details for supported AWS resources.
describe aws_config_recorder do
its('role_arn') { should eq 'arn:aws:iam::721741954427:role/My_Recorder' }
end
Test the recorder is monitoring changes to the correct resources.
describe aws_config_recorder do
its('resource_types') { should include 'AWS::EC2::CustomerGateway' }
its('resource_types') { should include 'AWS::EC2::EIP' }
end
Test the recorder’s last status.
describe aws_config_recorder do
its('last_status') { should eq 'SUCCESS' }
end
Matchers
be_recording
Ensure the recorder is active
it { should be_recording }
be_recording_all_resource_types
Indicates if the configuration recorder will record changes for all resources, regardless of type. If this is true, resource_types is ignored.
it { should be_recording_all_resource_types }
be_recording_all_global_types
Indicates whether the configuration recorder will record changes for global resource types (such as Principals).
it { should be_recording_all_global_types }
AWS Permissions
Your Principal will need the ConfigService:Client:DescribeConfigurationRecordersResponse
action with Effect
set to Allow
.
You can find detailed documentation at Actions, Resources, and Condition Keys for AWS Config.