inspec 2.1.21 → 2.1.30

data/docs/resources/aws_kms_keys.md.erb

@@ -1,84 +1,84 @@
----
-title: About the aws_kms_keys Resource
-platform: aws
----
-
-# aws\_kms\_keys
-
-Use the `aws_kms_keys` InSpec audit resource to test properties of some or all AWS KMS Keys.
-
-AWS Key Management Service (KMS) is a managed service that makes creating and controlling your encryption keys for your data easier. KMS uses Hardware Security Modules (HSMs) to protect the security of your keys. 
-
-AWS Key Management Service is integrated with several other AWS services to help you protect the data you store with these services.
-
-Each AWS KMS Key is uniquely identified by its key-id or key-arn.
-
-<br>
-
-## Syntax
-
-An `aws_kms_keys` resource block uses an optional filter to select a group of KMS Keys and then tests that group.
-
-    # Verify the number of KMS keys in the AWS account
-    describe aws_kms_keys do
-      its('entries.count') { should cmp 10 }
-    end
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-As this is the initial release of `aws_kms_keys`, its limited functionality precludes examples.
-
-<br>
-
-## Properties
-
-* `entries`, `key_arns`, `key_ids`
-
-<br>
-
-## Property Examples
-
-### entries
-
-Provides access to the raw results of a query. This can be useful for checking counts and other advanced operations.
-
-    # Allow at most 100 KMS Keys on the account
-    describe aws_kms_keys do
-      its('entries.count') { should be <= 100}
-    end
-
-### key\_arns
-
-Provides a list of key arns for all KMS Keys in the AWS account.
-
-    describe aws_kms_keys do
-      its('key_arns') { should include('arn:aws:kms:us-east-1::key/key-id') }
-    end
-
-### key\_ids
-
-Provides a list of key ids for all KMS Keys in the AWS account.
-
-    describe aws_kms_keys do
-      its('key_ids') { should include('fd7e608b-f435-4186-b8b5-111111111111') }
-    end
-
-<br>
-
-## Matchers
-
-This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### exists
-
-The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches.
-
-    # Verify that at least one KMS Key exists.
-    describe aws_kms_keys
-      it { should exist }
-    end   
-
+---
+title: About the aws_kms_keys Resource
+platform: aws
+---
+
+# aws\_kms\_keys
+
+Use the `aws_kms_keys` InSpec audit resource to test properties of some or all AWS KMS Keys.
+
+AWS Key Management Service (KMS) is a managed service that makes creating and controlling your encryption keys for your data easier. KMS uses Hardware Security Modules (HSMs) to protect the security of your keys. 
+
+AWS Key Management Service is integrated with several other AWS services to help you protect the data you store with these services.
+
+Each AWS KMS Key is uniquely identified by its key-id or key-arn.
+
+<br>
+
+## Syntax
+
+An `aws_kms_keys` resource block uses an optional filter to select a group of KMS Keys and then tests that group.
+
+    # Verify the number of KMS keys in the AWS account
+    describe aws_kms_keys do
+      its('entries.count') { should cmp 10 }
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+As this is the initial release of `aws_kms_keys`, its limited functionality precludes examples.
+
+<br>
+
+## Properties
+
+* `entries`, `key_arns`, `key_ids`
+
+<br>
+
+## Property Examples
+
+### entries
+
+Provides access to the raw results of a query. This can be useful for checking counts and other advanced operations.
+
+    # Allow at most 100 KMS Keys on the account
+    describe aws_kms_keys do
+      its('entries.count') { should be <= 100}
+    end
+
+### key\_arns
+
+Provides a list of key arns for all KMS Keys in the AWS account.
+
+    describe aws_kms_keys do
+      its('key_arns') { should include('arn:aws:kms:us-east-1::key/key-id') }
+    end
+
+### key\_ids
+
+Provides a list of key ids for all KMS Keys in the AWS account.
+
+    describe aws_kms_keys do
+      its('key_ids') { should include('fd7e608b-f435-4186-b8b5-111111111111') }
+    end
+
+<br>
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exists
+
+The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+    # Verify that at least one KMS Key exists.
+    describe aws_kms_keys
+      it { should exist }
+    end   
+

data/docs/resources/aws_rds_instance.md.erb

@@ -1,60 +1,60 @@
----
-title: About the aws_rds_instance Resource
----
-
-# aws\_rds\_instance
-
-Use the `aws_rds_instance` InSpec audit resource to test detailed properties of an individual RDS instance.
-
-RDS gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server.
-
-<br>
-
-## Syntax
-
-An `aws_rds_instance` resource block uses resource parameters to search for an RDS instance, and then tests that RDS instance.  If no RDS instances match, no error is raised, but the `exists` matcher will return `false` and all properties will be `nil`.  If more than one RDS instance matches (due to vague search parameters), an error is raised.
-
-    # Ensure you have a RDS instance with a certain ID
-    # This is "safe" - RDS IDs are unique within an account
-    describe aws_rds_instance('test-instance-id') do
-      it { should exist }
-    end
-
-    # Ensure you have a RDS instance with a certain ID
-    # This uses hash syntax
-    describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
-      it { should exist }
-    end
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-As this is the initial release of `aws_rds_instance`, its limited functionality precludes examples.
-
-<br>
-
-## Resource Parameters
-
-This InSpec resource accepts the following parameters, which are used to search for the RDS instance.
-
-### exists
-
-The control will pass if the specified RDS instance was found.  Use should_not if you want to verify that the specified RDS instance does not exist.
-
-    # Using Hash syntax
-    describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
-      it { should exist }
-    end
-
-    # Using the instance id directly from the terraform file
-    describe aws_rds_instance(fixtures['rds_db_instance_id']) do
-      it { should exist }
-    end
-
-    # Make sure we don't have any RDS instances with the name 'nogood'
-    describe aws_rds_instance('nogood') do
-      it { should_not exist }
-    end
+---
+title: About the aws_rds_instance Resource
+---
+
+# aws\_rds\_instance
+
+Use the `aws_rds_instance` InSpec audit resource to test detailed properties of an individual RDS instance.
+
+RDS gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server.
+
+<br>
+
+## Syntax
+
+An `aws_rds_instance` resource block uses resource parameters to search for an RDS instance, and then tests that RDS instance.  If no RDS instances match, no error is raised, but the `exists` matcher will return `false` and all properties will be `nil`.  If more than one RDS instance matches (due to vague search parameters), an error is raised.
+
+    # Ensure you have a RDS instance with a certain ID
+    # This is "safe" - RDS IDs are unique within an account
+    describe aws_rds_instance('test-instance-id') do
+      it { should exist }
+    end
+
+    # Ensure you have a RDS instance with a certain ID
+    # This uses hash syntax
+    describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
+      it { should exist }
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+As this is the initial release of `aws_rds_instance`, its limited functionality precludes examples.
+
+<br>
+
+## Resource Parameters
+
+This InSpec resource accepts the following parameters, which are used to search for the RDS instance.
+
+### exists
+
+The control will pass if the specified RDS instance was found.  Use should_not if you want to verify that the specified RDS instance does not exist.
+
+    # Using Hash syntax
+    describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
+      it { should exist }
+    end
+
+    # Using the instance id directly from the terraform file
+    describe aws_rds_instance(fixtures['rds_db_instance_id']) do
+      it { should exist }
+    end
+
+    # Make sure we don't have any RDS instances with the name 'nogood'
+    describe aws_rds_instance('nogood') do
+      it { should_not exist }
+    end

data/docs/resources/aws_route_table.md.erb

@@ -1,47 +1,47 @@
----
-title: About the aws_route_table Resource
-platform: aws
----
-
-# aws\_route\_table
-
-Use the `aws_route_table` InSpec audit resource to test properties of a single Route Table. A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
-
-<br>
-
-## Syntax
-
-    # Ensure that a certain route table exists by name
-    describe aws_route_table('rtb-123abcde') do
-      it { should exist }
-    end
-
-## Resource Parameters
-
-### route\_table\_id
-
-This resource expects a single parameter that uniquely identifies the Route Table. You may pass it as a string, or as the value in a hash:
-
-    describe aws_route_table('rtb-123abcde') do
-      it { should exist }
-    end
-    # Same
-    describe aws_route_table(route_table_id: 'rtb-123abcde') do
-      it { should exist }
-    end
-
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### exist
-
-Indicates that the Route Table provided was found.  Use `should_not` to test for Route Tables that should not exist.
-
-    describe aws_route_table('should-be-there') do
-      it { should exist }
-    end
-
-    describe aws_route_table('should-not-be-there') do
-      it { should_not exist }
-    end
+---
+title: About the aws_route_table Resource
+platform: aws
+---
+
+# aws\_route\_table
+
+Use the `aws_route_table` InSpec audit resource to test properties of a single Route Table. A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
+
+<br>
+
+## Syntax
+
+    # Ensure that a certain route table exists by name
+    describe aws_route_table('rtb-123abcde') do
+      it { should exist }
+    end
+
+## Resource Parameters
+
+### route\_table\_id
+
+This resource expects a single parameter that uniquely identifies the Route Table. You may pass it as a string, or as the value in a hash:
+
+    describe aws_route_table('rtb-123abcde') do
+      it { should exist }
+    end
+    # Same
+    describe aws_route_table(route_table_id: 'rtb-123abcde') do
+      it { should exist }
+    end
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exist
+
+Indicates that the Route Table provided was found.  Use `should_not` to test for Route Tables that should not exist.
+
+    describe aws_route_table('should-be-there') do
+      it { should exist }
+    end
+
+    describe aws_route_table('should-not-be-there') do
+      it { should_not exist }
+    end

data/docs/resources/aws_route_tables.md.erb

@@ -0,0 +1,49 @@
+---
+title: About the aws_route_tables Resource
+---
+
+# aws\_route\_table
+
+Use the `aws_route_tables` InSpec audit resource to test properties of all or a group of Route Tables. A Route Table contains a set of rules, called routes, that are used to determine where network traffic is directed.
+
+<br>
+
+## Syntax
+
+  # Ensure that there is at least one route table
+  describe aws_route_tables do
+    it { should exist }
+  end
+
+## Matchers
+
+### exist
+
+Indicates that at least one Route Table was found.  Use should_not to test that no Route Tables should exist.
+
+    describe aws_route_tables do
+      it { should exist }
+    end
+
+    describe aws_route_tables do
+      it { should_not exist }
+    end
+
+## Properties
+
+### vpc\_ids
+
+Lists all VPCs that are in the Route Tables.
+
+    describe aws_route_tables do
+      its('vpc_ids') { should include 'vpc_12345678' }
+    end
+
+
+### route\_table\_ids
+
+Lists all of the Route Table IDs.
+
+    describe aws_route_tables do
+      its('route_table_ids') { should include 'rtb-12345678' }
+    end

data/docs/resources/aws_s3_bucket.md.erb

@@ -1,134 +1,134 @@
----
-title: About the aws_s3_bucket Resource
-platform: aws
----
-
-# aws\_s3\_bucket
-
-Use the `aws_s3_bucket` InSpec audit resource to test properties of a single AWS bucket.
-
-To test properties of a multiple S3 buckets, use the `aws_s3_buckets` resource.
-
-<br>
-
-## Limitations
-
-S3 bucket security is a complex matter. For details on how AWS evaluates requests for access, please see [the AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/how-s3-evaluates-access-control.html). S3 buckets and the objects they contain support three different types of access control: bucket ACLs, bucket policies, and object ACLs.
-
-As of January 2018, this resource supports evaluating bucket ACLs and bucket policies. We do not support evaluating object ACLs because it introduces scalability concerns in the AWS API; we recommend using AWS mechanisms such as CloudTrail and Config to detect insecure object ACLs.
-
-In particular, users of the `be_public` matcher should carefully examine the conditions under which the matcher will detect an insecure bucket. See the `be_public` section under the Matchers section below.
-
-<br>
-
-## Syntax
-
-An `aws_s3_bucket` resource block declares a bucket by name, and then lists tests to be performed.
-
-    describe aws_s3_bucket(bucket_name: 'test_bucket') do
-      it { should exist }
-      it { should_not be_public }
-    end
-
-    describe aws_s3_bucket('test_bucket') do
-      it { should exist }
-    end
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-### Test the bucket-level ACL
-
-    describe aws_s3_bucket('test_bucket') do
-      its('bucket_acl.count') { should eq 1 }
-    end
-
-### Check if a bucket has a bucket policy
-
-    describe aws_s3_bucket('test_bucket') do
-      its('bucket_policy') { should be_empty }
-    end
-
-### Check if a bucket appears to be exposed to the public
-
-    # See Limitations section above
-    describe aws_s3_bucket('test_bucket') do
-      it { should_not be_public }
-    end
-<br>
-
-## Properties
-
-### region
-
-The `region` property identifies the AWS Region in which the S3 bucket is located.
-
-    describe aws_s3_bucket('test_bucket') do
-      # Check if the correct region is set
-      its('region') { should eq 'us-east-1' }
-    end
-
-## Unsupported Properties
-
-### bucket\_acl
-
-The `bucket_acl` property is a low-level property that lists the individual Bucket ACL grants  in effect on the bucket.  Other higher-level properties, such as be\_public, are more concise and easier to use. You can use the `bucket_acl` property to investigate which grants are in effect, causing be\_public to fail.
-
-The value of bucket_acl is  an array of simple objects.  Each object has a `permission` property and a `grantee` property.  The `permission` property will be a string such as 'READ', 'WRITE' etc (See the [AWS documentation](https://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Client.html#get_bucket_acl-instance_method) for a full list).  The `grantee` property contains sub-properties, such as `type` and `uri`.
-
-    
-    bucket_acl = aws_s3_bucket('my-bucket')
-
-    # Look for grants to "AllUsers" (that is, the public)
-    all_users_grants = bucket_acl.select do |g|
-      g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/
-    end
-
-    # Look for grants to "AuthenticatedUsers" (that is, any authenticated AWS user - nearly public)
-    auth_grants = bucket_acl.select do |g|
-      g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/
-    end
-
-### bucket\_policy
-
-The `bucket_policy` is a low-level property that describes the IAM policy document controlling access to the bucket. The `bucket_policy` property returns a Ruby structure that you can probe to check for particular statements.  We recommend using a higher-level property, such as `be_public`, which is concise and easier to implement in your policy files.
-
-The `bucket_policy` property returns an array of simple objects, each object being an IAM Policy Statement. See the [AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-2) for details about the structure of this data.
-
-If there is no bucket policy, this property returns an empty array.
-
-    bucket_policy = aws_s3_bucket('my-bucket')
-
-    # Look for statements that allow the general public to do things
-    # This may be a false positive; it is possible these statements
-    # could be protected by conditions, such as IP restrictions.
-    public_statements = bucket_policy.select do |s|
-      s.effect == 'Allow' && s.principal == '*'
-    end
-
-<br>
-
-## Matchers
-
-This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### be\_public
-
-The `be_public` matcher tests if the bucket has potentially insecure access controls. This high-level matcher detects several insecure conditions, which may be enhanced in the future. Currently, the matcher reports an insecure bucket if any of the following conditions are met:
-
-  1. A bucket ACL grant exists for the 'AllUsers' group
-  2. A bucket ACL grant exists for the 'AuthenticatedUsers' group
-  3. A bucket policy has an effect 'Allow' and principal '*'
-
-Note: This resource does not detect insecure object ACLs.
-
-    it { should_not be_public }
-
-### have\_access\_logging\_enabled
-
-The `have_access_logging_enabled` matcher tests if access logging is enabled for the s3 bucket.
-
-    it { should have_access_logging_enabled }
+---
+title: About the aws_s3_bucket Resource
+platform: aws
+---
+
+# aws\_s3\_bucket
+
+Use the `aws_s3_bucket` InSpec audit resource to test properties of a single AWS bucket.
+
+To test properties of a multiple S3 buckets, use the `aws_s3_buckets` resource.
+
+<br>
+
+## Limitations
+
+S3 bucket security is a complex matter. For details on how AWS evaluates requests for access, please see [the AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/how-s3-evaluates-access-control.html). S3 buckets and the objects they contain support three different types of access control: bucket ACLs, bucket policies, and object ACLs.
+
+As of January 2018, this resource supports evaluating bucket ACLs and bucket policies. We do not support evaluating object ACLs because it introduces scalability concerns in the AWS API; we recommend using AWS mechanisms such as CloudTrail and Config to detect insecure object ACLs.
+
+In particular, users of the `be_public` matcher should carefully examine the conditions under which the matcher will detect an insecure bucket. See the `be_public` section under the Matchers section below.
+
+<br>
+
+## Syntax
+
+An `aws_s3_bucket` resource block declares a bucket by name, and then lists tests to be performed.
+
+    describe aws_s3_bucket(bucket_name: 'test_bucket') do
+      it { should exist }
+      it { should_not be_public }
+    end
+
+    describe aws_s3_bucket('test_bucket') do
+      it { should exist }
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test the bucket-level ACL
+
+    describe aws_s3_bucket('test_bucket') do
+      its('bucket_acl.count') { should eq 1 }
+    end
+
+### Check if a bucket has a bucket policy
+
+    describe aws_s3_bucket('test_bucket') do
+      its('bucket_policy') { should be_empty }
+    end
+
+### Check if a bucket appears to be exposed to the public
+
+    # See Limitations section above
+    describe aws_s3_bucket('test_bucket') do
+      it { should_not be_public }
+    end
+<br>
+
+## Properties
+
+### region
+
+The `region` property identifies the AWS Region in which the S3 bucket is located.
+
+    describe aws_s3_bucket('test_bucket') do
+      # Check if the correct region is set
+      its('region') { should eq 'us-east-1' }
+    end
+
+## Unsupported Properties
+
+### bucket\_acl
+
+The `bucket_acl` property is a low-level property that lists the individual Bucket ACL grants  in effect on the bucket.  Other higher-level properties, such as be\_public, are more concise and easier to use. You can use the `bucket_acl` property to investigate which grants are in effect, causing be\_public to fail.
+
+The value of bucket_acl is  an array of simple objects.  Each object has a `permission` property and a `grantee` property.  The `permission` property will be a string such as 'READ', 'WRITE' etc (See the [AWS documentation](https://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Client.html#get_bucket_acl-instance_method) for a full list).  The `grantee` property contains sub-properties, such as `type` and `uri`.
+
+    
+    bucket_acl = aws_s3_bucket('my-bucket')
+
+    # Look for grants to "AllUsers" (that is, the public)
+    all_users_grants = bucket_acl.select do |g|
+      g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/
+    end
+
+    # Look for grants to "AuthenticatedUsers" (that is, any authenticated AWS user - nearly public)
+    auth_grants = bucket_acl.select do |g|
+      g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/
+    end
+
+### bucket\_policy
+
+The `bucket_policy` is a low-level property that describes the IAM policy document controlling access to the bucket. The `bucket_policy` property returns a Ruby structure that you can probe to check for particular statements.  We recommend using a higher-level property, such as `be_public`, which is concise and easier to implement in your policy files.
+
+The `bucket_policy` property returns an array of simple objects, each object being an IAM Policy Statement. See the [AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-2) for details about the structure of this data.
+
+If there is no bucket policy, this property returns an empty array.
+
+    bucket_policy = aws_s3_bucket('my-bucket')
+
+    # Look for statements that allow the general public to do things
+    # This may be a false positive; it is possible these statements
+    # could be protected by conditions, such as IP restrictions.
+    public_statements = bucket_policy.select do |s|
+      s.effect == 'Allow' && s.principal == '*'
+    end
+
+<br>
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### be\_public
+
+The `be_public` matcher tests if the bucket has potentially insecure access controls. This high-level matcher detects several insecure conditions, which may be enhanced in the future. Currently, the matcher reports an insecure bucket if any of the following conditions are met:
+
+  1. A bucket ACL grant exists for the 'AllUsers' group
+  2. A bucket ACL grant exists for the 'AuthenticatedUsers' group
+  3. A bucket policy has an effect 'Allow' and principal '*'
+
+Note: This resource does not detect insecure object ACLs.
+
+    it { should_not be_public }
+
+### have\_access\_logging\_enabled
+
+The `have_access_logging_enabled` matcher tests if access logging is enabled for the s3 bucket.
+
+    it { should have_access_logging_enabled }