Skip to main content

aws_ebs_snapshots Resource

[edit on GitHub]

Use the aws_ebs_snapshots InSpec audit resource to test properties of a collection of AWS EBS Snapshots.

For additional information, including details on parameters and properties, see the AWS documentation on EBS Snapshots.

Installation

This resource is available in the Chef InSpec AWS resource pack.

See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.

Syntax

Ensure you have exactly 3 EBS Snapshots:

describe aws_ebs_snapshots do
  its('snapshot_ids.count') { should cmp 3 }
end

Parameters

This resource does not require any parameters.

Properties

snapshot_ids
An array of the unique IDs of the EBS Snapshots that are returned.
owner_ids
An array of AWS Account IDs of the owners of the EBS Snapshots that are returned.
encrypted
An array of booleans indicating whether the EBS Snapshots returned are encrypted.
tags
An array of hashes; each hash is a set of keys and values for tags for one of the EBS Snapshots returned, and may be empty.
entries
Provides access to the raw results of the query, which can be treated as an array of hashes.

Examples

Ensure a specific EBS Snapshot exists.

describe aws_ebs_snapshots do
  its('snapshot_ids') { should include 'SNAPSHOT_ID' }
end

Use the InSpec resource to request the IDs of all EBS Snapshots, then test in-depth using aws_ebs_snapshot to ensure all EBS Snapshots are encrypted and not public.

aws_ebs_snapshots.snapshot_ids.each do |snapshot_id|
  describe aws_ebs_snapshot(snapshot_id: snapshot_id) do
    it { should be_encrypted }
    it { should_not be_public }
  end
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.

exist

The control will pass if the describe returns at least one result.

describe aws_ebs_snapshots do
  it { should exist }
end

Use should_not to test the entity should not exist.

describe aws_ebs_snapshots do
  it { should_not exist }
end

AWS Permissions

Your Principal will need the EC2:Client::DescribeSnapshotsResult action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2, and Actions, Resources, and Condition Keys for Identity And Access Management.

Was this page helpful?

×









Search Results