aws_organizations_member Resource

Use the aws_organizations_member InSpec audit resource to test the current AWS Account being used within an organization.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

An aws_organizations_member resource block tests if the current AWS Account is the Master Account.

The master matcher will return true or false accordingly. You may also verify that the master_account_id and master_account_arn properties match known values.

If the current AWS Account is the Master Account, you may also access properties of that account.

describe aws_organizations_member do
    it { should exist }
end

Parameters

This resource does not require any parameters.

Properties

master_account_id

The ID of the AWS Organizations Master Account.

master_account_arn

The ARN of the AWS Organizations Master Account.

If the current Account is the Master Account, the following properties are also available:

Examples

Ensure you are a child account with a certain ID for the top level account.

describe aws_organizations_member do
  it                       { should_not be_master }
  its('master_account_id') { should cmp '56845218745' }
end

Ensure you are the top level account, with the right name and email associated.

describe aws_organizations_member do
  it                   { should be_master }
  its('account_name')  { should eq 'MyAWSMasterAccount' }
  its('account_email') { should eq 'aws.admin@org.com' }
end

Matchers

This resource has the following special matchers.

be_master

The be_master matcher tests if the account is a ‘master’ AWS Account.

it { should_not be_master }

exist

The control will pass if the describe returns at least one result.

it { should exist }