aws_ebs_snapshots Resource
Use the aws_ebs_snapshots
InSpec audit resource to test properties of a collection of AWS EBS Snapshots.
For additional information, including details on parameters and properties, see the AWS documentation on EBS Snapshots.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
Ensure you have exactly 3 EBS Snapshots:
describe aws_ebs_snapshots do
its('snapshot_ids.count') { should cmp 3 }
end
Parameters
This resource does not require any parameters.
Properties
snapshot_ids
- An array of the unique IDs of the EBS Snapshots that are returned.
owner_ids
- An array of AWS Account IDs of the owners of the EBS Snapshots that are returned.
encrypted
- An array of booleans indicating whether the EBS Snapshots returned are encrypted.
tags
- An array of hashes; each hash is a set of keys and values for tags for one of the EBS Snapshots returned, and may be empty.
entries
- Provides access to the raw results of the query, which can be treated as an array of hashes.
Examples
Ensure a specific EBS Snapshot exists.
describe aws_ebs_snapshots do
its('snapshot_ids') { should include 'SNAPSHOT_ID' }
end
Use the InSpec resource to request the IDs of all EBS Snapshots, then test in-depth using aws_ebs_snapshot
to ensure all EBS Snapshots are encrypted and not public.
aws_ebs_snapshots.snapshot_ids.each do |snapshot_id|
describe aws_ebs_snapshot(snapshot_id: snapshot_id) do
it { should be_encrypted }
it { should_not be_public }
end
end
Matchers
For a full list of available matchers, see our Universal Matchers page.This resource has the following special matchers.
exist
The control will pass if the describe returns at least one result.
describe aws_ebs_snapshots do
it { should exist }
end
Use should_not
to test the entity should not exist.
describe aws_ebs_snapshots do
it { should_not exist }
end
AWS Permissions
Your Principal will need the EC2:Client::DescribeSnapshotsResult
action with Effect
set to Allow
.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2, and Actions, Resources, and Condition Keys for Identity And Access Management.