mirror of
https://github.com/inspec/inspec
synced 2024-12-18 00:53:22 +00:00
2de06bdeb5
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
99 lines
2.7 KiB
Text
99 lines
2.7 KiB
Text
---
|
|
title: About the aws_kms_keys Resource
|
|
platform: aws
|
|
---
|
|
|
|
# aws\_kms\_keys
|
|
|
|
Use the `aws_kms_keys` InSpec audit resource to test properties of some or all AWS KMS Keys.
|
|
|
|
AWS Key Management Service (KMS) is a managed service that makes creating and controlling your encryption keys for your data easier. KMS uses Hardware Security Modules (HSMs) to protect the security of your keys.
|
|
|
|
AWS Key Management Service is integrated with several other AWS services to help you protect the data you store with these services.
|
|
|
|
Each AWS KMS Key is uniquely identified by its key-id or key-arn.
|
|
|
|
<br>
|
|
|
|
## Availability
|
|
|
|
### Installation
|
|
|
|
This resource is distributed along with InSpec itself. You can use it automatically.
|
|
|
|
### Version
|
|
|
|
This resource first became available in v2.0.16 of InSpec.
|
|
|
|
## Syntax
|
|
|
|
An `aws_kms_keys` resource block uses an optional filter to select a group of KMS Keys and then tests that group.
|
|
|
|
# Verify the number of KMS keys in the AWS account
|
|
describe aws_kms_keys do
|
|
its('entries.count') { should cmp 10 }
|
|
end
|
|
|
|
<br>
|
|
|
|
## Examples
|
|
|
|
The following examples show how to use this InSpec audit resource.
|
|
|
|
As this is the initial release of `aws_kms_keys`, its limited functionality precludes examples.
|
|
|
|
<br>
|
|
|
|
## Properties
|
|
|
|
* `entries`, `key_arns`, `key_ids`
|
|
|
|
<br>
|
|
|
|
## Property Examples
|
|
|
|
### entries
|
|
|
|
Provides access to the raw results of a query. This can be useful for checking counts and other advanced operations.
|
|
|
|
# Allow at most 100 KMS Keys on the account
|
|
describe aws_kms_keys do
|
|
its('entries.count') { should be <= 100}
|
|
end
|
|
|
|
### key\_arns
|
|
|
|
Provides a list of key arns for all KMS Keys in the AWS account.
|
|
|
|
describe aws_kms_keys do
|
|
its('key_arns') { should include('arn:aws:kms:us-east-1::key/key-id') }
|
|
end
|
|
|
|
### key\_ids
|
|
|
|
Provides a list of key ids for all KMS Keys in the AWS account.
|
|
|
|
describe aws_kms_keys do
|
|
its('key_ids') { should include('fd7e608b-f435-4186-b8b5-111111111111') }
|
|
end
|
|
|
|
<br>
|
|
|
|
## Matchers
|
|
|
|
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
|
|
|
### exists
|
|
|
|
The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches.
|
|
|
|
# Verify that at least one KMS Key exists.
|
|
describe aws_kms_keys
|
|
it { should exist }
|
|
end
|
|
|
|
## AWS Permissions
|
|
|
|
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `kms:ListKeys` action with Effect set to Allow.
|
|
|
|
You can find detailed documentation at [Actions, Resources, and Condition Keys for AWS Key Management Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html).
|