aws_sns_subscription Resource
Use the aws_sns_subscription InSpec audit resource to test detailed properties of an AWS SNS subscription.
For additional information, including details on parameters and properties, see the AWS documentation on SNS.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
An aws_sns_subscription resource block uses resource parameters to search for an SNS subscription, and then tests that subscription's properties. If no subscription matches, no error is raised, but the exist matcher returns false and all properties are nil.
describe aws_sns_subscription('arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6') do
it { should exist }
end
Parameters
subscription_arn (required) - This resource accepts a single parameter, the subscription_arn. This can be passed either as a string or as a subscription_arn: 'value' key-value entry in a hash.
Properties
arn - The subscription's ARN.
owner - The subscription's owner (the AWS account ID of the subscriber).
raw_message_delivery - Indicates whether the subscription is raw or JSON.
topic_arn - The ARN of the subscription's topic.
protocol - The subscription's protocol.
confirmation_was_authenticated - Indicates whether the subscription confirmation request was authenticated.
Examples
Inspect the endpoint.
describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6') do
  # If protocol is 'sms', the endpoint should be a phone number.
  its('endpoint') { should cmp '+16105551234' }
  # If protocol is 'email' or 'email-json', the endpoint should be an email address.
  its('endpoint') { should cmp 'myemail@example.com' }
  # If protocol is 'http', the endpoint should be a URL beginning with 'https://'.
  its('endpoint') { should cmp 'https://www.exampleurl.com' }
  # If protocol is 'lambda', the endpoint should be the ARN of an AWS Lambda function.
  its('endpoint') { should cmp 'arn:aws:lambda:us-east-1:account-id:function:myfunction' }
end
Inspect the owner's ID.
describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6') do
  its('owner') { should cmp '12345678' }
end
Inspect the protocol.
describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6') do
  its('protocol') { should cmp 'sqs' }
end
Matchers
exist
The control will pass if the describe returns at least one result. Use should_not to test that the entity should not exist.
it { should exist }
it { should_not exist }
be_confirmation_authenticated
Tests whether the subscription confirmation request was authenticated.
describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::NOGOOD:b214aff5-a2c7-438f-a753-8494493f2ff6') do
  it { should be_confirmation_authenticated }
end
have_raw_message_delivery
Tests whether the original message is delivered as is, rather than formatted as JSON or YAML.
describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::NOGOOD:b214aff5-a2c7-438f-a753-8494493f2ff6') do
  it { should have_raw_message_delivery }
end
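The per-protocol endpoint expectations in the Examples section and the confirmation matcher above, combined into one review helper. This is an added example written in plain Ruby, not code from the InSpec AWS resource pack; it runs over a constructed attribute hash shaped like the fields the resource exposes (Protocol, Endpoint, Owner, TopicArn, ConfirmationWasAuthenticated), and the endpoint patterns and the cross-account owner check are this example's own assumptions. In a profile the same expectations are written with its('endpoint'), its('owner') and it { should be_confirmation_authenticated }.

```ruby
# Constructed sample subscriptions (not real data), shaped like the attributes
# the aws_sns_subscription resource exposes as properties.
SAMPLE_SUBSCRIPTIONS = [
  { 'TopicArn' => 'arn:aws:sns:us-east-1:123456789012:alerts', 'Owner' => '123456789012',
    'Protocol' => 'https', 'Endpoint' => 'https://hooks.example.com/sns',
    'RawMessageDelivery' => 'false', 'ConfirmationWasAuthenticated' => 'true' },
  { 'TopicArn' => 'arn:aws:sns:us-east-1:123456789012:alerts', 'Owner' => '999999999999',
    'Protocol' => 'http', 'Endpoint' => 'http://collector.example.net/',
    'RawMessageDelivery' => 'true', 'ConfirmationWasAuthenticated' => 'false' },
  { 'TopicArn' => 'arn:aws:sns:us-east-1:123456789012:alerts', 'Owner' => '123456789012',
    'Protocol' => 'lambda', 'Endpoint' => 'rn:aws:lambda:us-east-1:123456789012:function:myfunction',
    'RawMessageDelivery' => 'false', 'ConfirmationWasAuthenticated' => 'true' }
].freeze

# Assumed endpoint shape for each protocol, mirroring the page's examples:
# phone number for sms, mailbox for email, URL for http(s), ARN for lambda/sqs.
ENDPOINT_FORMAT = {
  'sms'        => /\A\+\d{7,15}\z/,
  'email'      => /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/,
  'email-json' => /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/,
  'http'       => %r{\Ahttps?://\S+\z},
  'https'      => %r{\Ahttps://\S+\z},
  'lambda'     => /\Aarn:aws:lambda:[a-z0-9-]+:\d{12}:function:\S+\z/,
  'sqs'        => /\Aarn:aws:sqs:[a-z0-9-]+:\d{12}:\S+\z/
}.freeze

# Returns a list of human-readable findings for one subscription; an empty
# list means every check passed.
def subscription_findings(attrs)
  findings = []
  proto = attrs['Protocol']
  endpoint = attrs['Endpoint'].to_s
  fmt = ENDPOINT_FORMAT[proto]
  if fmt.nil?
    findings << "unexpected protocol #{proto.inspect}"
  elsif endpoint !~ fmt
    findings << "endpoint #{endpoint.inspect} is not a valid #{proto} endpoint"
  end
  # Notifications over plain http:// cross the network unencrypted.
  findings << 'delivery over plaintext http://' if endpoint.start_with?('http://')
  # Same condition the be_confirmation_authenticated matcher checks.
  findings << 'confirmation was not authenticated' unless attrs['ConfirmationWasAuthenticated'] == 'true'
  # The account segment of the topic ARN is index 4 (arn:partition:service:region:account:resource).
  topic_account = attrs['TopicArn'].to_s.split(':')[4]
  if topic_account && attrs['Owner'] != topic_account
    findings << "subscriber account #{attrs['Owner']} differs from topic account #{topic_account}"
  end
  findings
end
```

The second sample reports three findings (plaintext delivery, unauthenticated confirmation, cross-account subscriber) and the third only the malformed Lambda ARN.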
AWS Permissions
Your Principal will need the SNS:Client:GetSubscriptionAttributesResponse action with Effect set to Allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon SNS.