InSpec for AWS

Roadmap

This repository is the development repository for InSpec for AWS. Once RFC Platforms is fully implemented in InSpec, this repository is going to be merged into core InSpec.

As of now, AWS resources are implemented as an InSpec resource pack. It will ship with the required resources to write your own AWS tests.

├── README.md - this readme
└── libraries - contains AWS resources

Get started

Before running the profile with InSpec, define environment variables with your AWS region and credentials. InSpec supports the following standard AWS variables:

  • AWS_REGION
  • AWS_DEFAULT_REGION
  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_SESSION_TOKEN (optional)

Those variables are defined in the AWS CLI Docs.
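
As an added example (not part of the InSpec for AWS project), the shell function below checks that the variables listed above are set before a profile run, printing variable names only and never their values. The function name aws_env_preflight and its return codes are assumptions made for this example; the ASIA check relies on AWS's documented access key ID prefixes.

```shell
#!/bin/sh
# aws_env_preflight: hypothetical helper, not an InSpec command.
# Return codes (chosen for this example):
#   0 = environment looks usable
#   1 = a required variable is missing
#   2 = temporary (STS) access key without AWS_SESSION_TOKEN
#   3 = AWS_SESSION_TOKEN set next to a non-temporary access key
aws_env_preflight() {
    missing=""
    # Either region variable satisfies the region requirement.
    if [ -z "${AWS_REGION:-}" ] && [ -z "${AWS_DEFAULT_REGION:-}" ]; then
        missing="$missing AWS_REGION|AWS_DEFAULT_REGION"
    fi
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] || missing="$missing AWS_ACCESS_KEY_ID"
    [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] || missing="$missing AWS_SECRET_ACCESS_KEY"
    if [ -n "$missing" ]; then
        # Report names only; values must never reach logs or terminals.
        echo "missing:$missing" >&2
        return 1
    fi
    case "$AWS_ACCESS_KEY_ID" in
        ASIA*)
            # Access key IDs issued by AWS STS start with ASIA and are
            # rejected unless the matching session token is sent too.
            if [ -z "${AWS_SESSION_TOKEN:-}" ]; then
                echo "temporary access key without AWS_SESSION_TOKEN" >&2
                return 2
            fi
            ;;
        *)
            # A token left over from an earlier session is sent along with
            # the long-term key and causes authentication to fail.
            if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
                echo "AWS_SESSION_TOKEN set next to a non-temporary key" >&2
                return 3
            fi
            ;;
    esac
    return 0
}

# Typical use, once the function is defined in the current shell:
#   aws_env_preflight && inspec exec my-profile
```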

Use the resources

Since this is an InSpec resource pack, it only defines InSpec resources and includes example tests only. To use the AWS InSpec resources in your own tests, do the following:

Create a new profile

inspec init profile my-profile

Adapt the inspec.yml

name: my-profile
title: My own AWS profile
version: 0.1.0
depends:
  - name: aws
    url: https://github.com/chef/inspec-aws/archive/master.tar.gz

Add controls

Since your profile depends on the resource pack, you can use those resources in your own profile:

control "aws-1" do
  impact 0.7
  title 'Checks the machine is running'

  describe aws_ec2_instance('my-ec2-machine') do
    it { should be_running }
  end
end

Running your profile

Then use inspec exec my-profile to execute your new profile.

Our future intent is to support an aws target for InSpec/Train, so you may also pass credentials with inspec exec my-profile -t aws://accesskey:secret@region.

Available Resources

  • aws_ec2_instance - This resource reads information about an EC2 instance
  • aws_iam_access_key - Verifies settings for AWS IAM access keys
  • aws_iam_password_policy - Verifies the IAM password policy
  • aws_iam_root_user - Verifies settings for the AWS root account
  • aws_iam_user - Verifies settings for a specific AWS IAM user
  • aws_iam_users - Verifies settings for AWS IAM users

Roadmap

  • aws_ami
  • aws_s3bucket
  • aws_security_group
  • aws_iam_group
  • aws_iam_policy
  • aws_iam_role

Developing and Testing the AWS Resources Pack

Unit tests

To execute the unit tests, run:

bundle exec rake test

Integration tests

Please see TESTING_AGAINST_AWS.md for details on how to set up the AWS accounts needed to perform testing.

Kudos

This project was inspired by inspec-aws from arothian.

License

Author: Christoph Hartmann (chris@lollyrock.com)
Copyright: Copyright (c) 2017 Chef Software Inc.
License: Apache License, Version 2.0

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.