aws_guardduty_detector Resource
Use the aws_guardduty_detector
InSpec audit resource to test properties of a single AWS GuardDuty Detector.
For additional information, including details on parameters and properties, see the Actions, Resources, and Condition Keys for Amazon GuardDuty.
For additional information, including details on parameters and properties, see the AWS documentation on GuardDuty Detectors.
Requirements
Train AWS version 0.1.18 or newer is required for this resource.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
An aws_guardduty_detector
resource block declares the tests for a single AWS GuardDuty Detector by detector id.
describe aws_guardduty_detector(detector_id: '12abc34d567e8fa901bc2d34e56789f0') do
it { should exist }
end
Parameters
detector_id
(required)This resource accepts a single parameter, the GuardDuty Detector ID. This can be passed either as a string or as a
detector_id: 'value'
key-value entry in a hash.
Properties
created_at
- The timestamp of when the detector was created.
data_sources
- An object that describes which data sources are enabled for the detector.
finding_publishing_frequency
- The publishing frequency of the finding.
service_role
- The GuardDuty service role.
status
- The detector status. Status should be either ENABLED or DISABLED.
tags
- The tags of the detector resource.
updated_at
- The last-updated timestamp for the detector.
There are also additional properties available. For a comprehensive list, see the API reference documentation
Examples
Check the publishing frequency of a Detector.
describe aws_guardduty_detector(detector_id: '12abc34d567e8fa901bc2d34e56789f0') do
its('finding_publishing_frequency') { should eq "SIX_HOURS" }
end
Matchers
For a full list of available matchers, see our Universal Matchers page.This resource has the following special matchers.
be_enabled
The be_enabled
matcher tests if the status of the detector is enabled.
describe aws_guardduty_detector(detector_id: 'detector-id-1234') do
it { should be_enabled }
end
describe aws_guardduty_detector(detector_id: 'detector-id-6789') do
it { should_not be_enabled }
end
exist
The control will pass if the describe returns at least one result.
Use should_not
to test the entity should not exist.
describe aws_guardduty_detector(detector_id: '12abc34d567e8fa901bc2d34e56789f0') do
it { should exist }
end
describe aws_guardduty_detector(detector_id: '809abz34d567e8fa91bc2d34e56789f5') do
it { should_not exist }
end
AWS Permissions
Your Principal will need the GuardDuty:Client:GetDetectorResponse
action with Effect
set to Allow
.