inspec 2.3.10 → 2.3.23

data/docs/resources/aws_iam_access_keys.md.erb

@@ -1,214 +0,0 @@
----
-title: About the aws_iam_access_keys Resource
-platform: aws
----
-
-# aws\_iam\_access\_keys
-
-Use the `aws_iam_access_keys` InSpec audit resource to test properties of some or all IAM Access Keys.
-
-To test properties of a single Access Key, use the `aws_iam_access_key` resource instead.
-To test properties of an individual user's access keys, use the `aws_iam_user` resource.
-
-Access Keys are closely related to AWS User resources. Use this resource to perform audits of all keys or of keys specified by criteria unrelated to any particular user.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v2.0.16 of InSpec.
-
-## Syntax
-
-An `aws_iam_access_keys` resource block uses an optional filter to select a group of access keys and then tests that group.
-
-    # Do not allow any access keys
-    describe aws_iam_access_keys do
-      it { should_not exist }
-    end
-
-    # Don't let fred have access keys, using filter argument syntax
-    describe aws_iam_access_keys.where(username: 'fred') do
-      it { should_not exist }
-    end
-
-    # Don't let fred have access keys, using filter block syntax (most flexible)
-    describe aws_iam_access_keys.where { username == 'fred' } do
-      it { should_not exist }
-    end
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-### Disallow access keys created more than 90 days ago
-
-    describe aws_iam_access_keys.where { created_days_ago > 90 } do
-      it { should_not exist }
-    end
-
-<br>
-
-## Filter Criteria
-* `active`, `create_date`, `created_days_ago`, `created_hours_ago`, `created_with_user`, `ever_used`, `inactive`, `last_used_date`, `last_used_hours_ago`, `last_used_days_ago`, `never_used`, `user_created_date`
-
-<br>
-
-## Filter Examples
-
-### active
-
-A true / false value indicating if an Access Key is currently "Active" (the normal state) in the AWS console. See also: `inactive`.
-
-    # Check if a particular key is enabled
-    describe aws_iam_access_keys.where { active } do
-      its('access_key_ids') { should include('AKIA1234567890ABCDEF')}
-    end
-
-### create\_date
-
-A DateTime identifying when the Access Key was created. See also `created_days_ago` and `created_hours_ago`.
-
-    # Detect keys older than 2017
-    describe aws_iam_access_keys.where { create_date < DateTime.parse('2017-01-01') } do
-      it { should_not exist }
-    end
-
-### created\_days\_ago, created\_hours\_ago
-
-An integer, representing how old the access key is.
-
-    # Don't allow keys that are older than 90 days
-    describe aws_iam_access_keys.where { created_days_ago > 90 } do
-      it { should_not exist }
-    end
-
-### created\_with\_user
-
-A true / false value indicating if the Access Key was likely created at the same time as the user, by checking if the difference between created_date and user_created_date is less than 1 hour.
-
-    # Do not automatically create keys for users
-    describe aws_iam_access_keys.where { created_with_user } do
-      it { should_not exist }
-    end
-
-### ever\_used
-
-A true / false value indicating if the Access Key has ever been used, based on the last_used_date. See also: `never_used`.
-
-    # Check to see if a particular key has ever been used
-    describe aws_iam_access_keys.where { ever_used } do
-      its('access_key_ids') { should include('AKIA1234567890ABCDEF')}
-    end
-
-### inactive
-
-A true / false value indicating if the Access Key has been marked Inactive in the AWS console. See also: `active`.
-
-    # Don't leave inactive keys laying around
-    describe aws_iam_access_keys.where { inactive } do
-      it { should_not exist }
-    end
-
-### last\_used\_date
-
-A DateTime identifying when the Access Key was last used. Returns nil if the key has never been used. See also: `ever_used`, `last_used_days_ago`, `last_used_hours_ago`, and `never_used`.
-
-    # No one should do anything on Mondays
-    describe aws_iam_access_keys.where { ever_used and last_used_date.monday? } do
-      it { should_not exist }
-    end
-
-### last\_used\_days\_ago, last\_used\_hours\_ago
-
-An integer representing when the key was last used. See also: `ever_used`, `last_used_date`, and `never_used`.
-
-    # Don't allow keys that sit unused for more than 90 days
-    describe aws_iam_access_keys.where { last_used_days_ago > 90 } do
-      it { should_not exist }
-    end
-
-### never\_used
-
-A true / false value indicating if the Access Key has never been used, based on the `last_used_date`. See also: `ever_used`.
-
-    # Don't allow unused keys to lay around
-    describe aws_iam_access_keys.where { never_used } do
-      it { should_not exist }
-    end
-
-### username
-
-Searches for access keys owned by the named user. Each user may have zero, one, or two access keys.
-
-    describe aws_iam_access_keys(username: 'bob') do
-      it { should exist }
-    end
-
-### user\_created\_date
-
-The date at which the user was created.
-
-    # Users have to be a week old to have a key
-    describe aws_iam_access_keys.where { user_created_date > Date.now - 7 }
-      it { should_not exist }
-    end
-
-<br>
-
-## Properties
-
-* `access_key_ids`, `entries`
-
-## Property Examples
-
-### access\_key\_ids
-
-Provides a list of all access key IDs matched.
-
-    describe aws_iam_access_keys do
-      its('access_key_ids') { should include('AKIA1234567890ABCDEF') }
-    end
-
-### entries
-
-Provides access to the raw results of the query. This can be useful for checking counts and other advanced operations.
-
-    # Allow at most 100 access keys on the account
-    describe aws_iam_access_keys do
-      its('entries.count') { should be <= 100}
-    end
-
-<br>
-
-## Matchers
-
-This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### exists
-
-The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches.
-
-    # Sally should have at least one access key
-    describe aws_iam_access_keys.where(username: 'sally') do
-      it { should exist }
-    end
-
-    # Don't let fred have access keys
-    describe aws_iam_access_keys.where(username: 'fred') do
-      it { should_not exist }
-    end
-
-## AWS Permissions
-
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:ListAccessKeys`, and `iam:ListUsers` action with Effect set to Allow.
-
-You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).

data/docs/resources/aws_iam_group.md.erb

@@ -1,74 +0,0 @@
----
-title: About the aws_iam_group Resource
-platform: aws
----
-
-# aws\_iam\_group
-
-Use the `aws_iam_group` InSpec audit resource to test properties of a single IAM group.
-
-To test properties of multiple or all groups, use the `aws_iam_groups` resource.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v2.0.16 of InSpec.
-
-## Syntax
-
-An `aws_iam_group` resource block identifies a group by group name.
-
-    # Find a group by group name
-    describe aws_iam_group('mygroup') do
-      it { should exist }
-    end
-
-    # Hash syntax for group name
-    describe aws_iam_group(group_name: 'mygroup') do
-      it { should exist }
-    end
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-As this is the initial release of `aws_iam_group`, its limited functionality precludes examples.
-
-<br>
-
-## Properties
-
-### users
-
-Provides a list of the users that are attached to the group
-
-    describe aws_iam_group('mygroup')
-      its('users') { should include 'iam_user_name' }
-    end
-
-<br>
-
-## Matchers
-
-### exists
-
-The control will pass if a group with the given group name exists.
-
-    describe aws_iam_group('mygroup')
-      it { should exist }
-    end
-
-## AWS Permissions
-
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetGroup` action with Effect set to Allow.
-
-You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).

data/docs/resources/aws_iam_groups.md.erb

@@ -1,92 +0,0 @@
----
-title: About the aws_iam_groups Resource
-platform: aws
----
-
-# aws\_iam\_groups
-
-Use the `aws_iam_groups` InSpec audit resource to test properties of all or multiple groups.
-
-To test properties of a single group, use the `aws_iam_group` resource.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v2.0.16 of InSpec.
-
-## Syntax
-
-An `aws_iam_groups` resource block uses an optional filter to select a collection of IAM groups and then tests that collection.
-
-    # The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches.
-    describe aws_iam_groups do
-      it { should exist }
-    end
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-As this is the initial release of `aws_iam_groups`, its limited functionality precludes examples.
-
-<br>
-
-## Filter Criteria
-
-### group_name
-
-Filters the IAM groups by their group name, a string.  If you know the exact group name, use `aws_iam_group` (singular) instead.  This criteria may be used when you know a pattern of the name.
-
-    # Use a regex to find groups ending with 'Admins'
-    describe aws_iam_groups.where(group_name: /Admins$/) do
-      its('group_names') { should include 'FriendlyAdmins' }
-      its('group_names') { shoud_not include 'ShunnedAdmins' }
-    end
-
-## Properties
-
-### group_names
-
-An Array of Strings, reflecting the IAM group names matched by the filter.  If no groups matched, this will be empty.  You can also use this with `aws_iam_group` to enumerate groups.
-
-    # Check for friendly people
-    describe aws_iam_groups.where(group_name: /Admins$/) do
-      its('group_names') { should include 'FriendlyAdmins' }
-      its('group_names') { should include 'KindAdmins' }
-    end
-
-    # Use to loop and fetch groups individually for auditing in detail
-    # Without a `where`, this fetches all groups
-    aws_iam_groups.group_names.each do |group_names|
-      # A roundabout way of saying "bob should not be in any groups"
-      describe aws_iam_group(group_name) do
-        its('users') { should_not include 'bob' }
-      end
-    end
-
-## Matchers
-
-This resource has no resource-specific matchers.  For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### exists
-
-The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches.
-
-    describe aws_iam_groups
-      it { should exist }
-    end
-
-## AWS Permissions
-
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:ListGroups` action with Effect set to Allow.
-
-You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).

data/docs/resources/aws_iam_password_policy.md.erb

@@ -1,92 +0,0 @@
----
-title: About the aws_iam_password_policy Resource
-platform: aws
----
-
-# aws\_iam\_password\_policy
-
-Use the `aws_iam_password_policy` InSpec audit resource to test properties of the AWS IAM Password Policy.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v2.0.16 of InSpec.
-
-## Syntax
-
-An `aws_iam_password_policy` resource block takes no parameters. Several properties and matchers are available.
-
-    describe aws_iam_password_policy do
-      it { should require_lowercase_characters }
-    end
-
-<br>
-
-## Properties
-
-* `max_password_age_in_days`, `minimum_password_length`, `number_of_passwords_to_remember`
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-### Test that the IAM Password Policy requires lowercase characters, uppercase characters, numbers, symbols, and a minimum length greater than eight
-
-    describe aws_iam_password_policy do
-      it { should require_lowercase_characters }
-      it { should require_uppercase_characters }
-      it { should require_symbols }
-      it { should require_numbers }
-      its('minimum_password_length') { should be > 8 }
-    end
-
-### Test that the IAM Password Policy allows users to change their password
-
-    describe aws_iam_password_policy do
-      it { should allow_users_to_change_passwords }
-    end
-
-### Test that the IAM Password Policy expires passwords
-
-    describe aws_iam_password_policy do
-      it { should expire_passwords }
-    end
-
-### Test that the IAM Password Policy has a max password age
-
-    describe aws_iam_password_policy do
-      its('max_password_age_in_days') { should be 90 }
-    end
-
-### Test that the IAM Password Policy prevents password reuse
-
-    describe aws_iam_password_policy do
-      it { should prevent_password_reuse }
-    end
-
-### Test that the IAM Password Policy requires users to remember 3 previous passwords
-
-    describe aws_iam_password_policy do
-      its('number_of_passwords_to_remember') { should eq 3 }
-    end
-
-<br>
-
-## Matchers
-
-This resource uses the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-* `allows_users_to_change_passwords`, `expire_passwords`, `prevent_password_reuse`, `require_lowercase_characters` , `require_uppercase_characters`, `require_numbers`, `require_symbols`
-
-## AWS Permissions
-
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetAccountPasswordPolicy` action with Effect set to Allow.
-
-You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).