inspec 2.3.10 → 2.3.23

Sign up to get free protection for your applications and to get access to all the features.
Files changed (271) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +34 -13
  3. data/etc/plugin_filters.json +25 -0
  4. data/inspec.gemspec +3 -3
  5. data/lib/bundles/inspec-compliance/api.rb +3 -0
  6. data/lib/bundles/inspec-compliance/configuration.rb +3 -0
  7. data/lib/bundles/inspec-compliance/http.rb +3 -0
  8. data/lib/bundles/inspec-compliance/support.rb +3 -0
  9. data/lib/bundles/inspec-compliance/target.rb +3 -0
  10. data/lib/inspec/objects/attribute.rb +3 -0
  11. data/lib/inspec/plugin/v2.rb +3 -0
  12. data/lib/inspec/plugin/v2/filter.rb +62 -0
  13. data/lib/inspec/plugin/v2/installer.rb +21 -1
  14. data/lib/inspec/plugin/v2/loader.rb +4 -0
  15. data/lib/inspec/profile.rb +3 -1
  16. data/lib/inspec/version.rb +1 -1
  17. data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +25 -3
  18. data/lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb +65 -11
  19. data/lib/plugins/inspec-plugin-manager-cli/test/unit/cli_args_test.rb +5 -1
  20. data/lib/resources/package.rb +1 -1
  21. metadata +5 -253
  22. data/MAINTAINERS.toml +0 -52
  23. data/docs/.gitignore +0 -2
  24. data/docs/README.md +0 -41
  25. data/docs/dev/control-eval.md +0 -62
  26. data/docs/dev/filtertable-internals.md +0 -353
  27. data/docs/dev/filtertable-usage.md +0 -533
  28. data/docs/dev/integration-testing.md +0 -31
  29. data/docs/dev/plugins.md +0 -323
  30. data/docs/dsl_inspec.md +0 -354
  31. data/docs/dsl_resource.md +0 -100
  32. data/docs/glossary.md +0 -381
  33. data/docs/habitat.md +0 -193
  34. data/docs/inspec_and_friends.md +0 -114
  35. data/docs/matchers.md +0 -161
  36. data/docs/migration.md +0 -293
  37. data/docs/platforms.md +0 -119
  38. data/docs/plugin_kitchen_inspec.md +0 -60
  39. data/docs/plugins.md +0 -57
  40. data/docs/profiles.md +0 -576
  41. data/docs/reporters.md +0 -170
  42. data/docs/resources/aide_conf.md.erb +0 -86
  43. data/docs/resources/apache.md.erb +0 -77
  44. data/docs/resources/apache_conf.md.erb +0 -78
  45. data/docs/resources/apt.md.erb +0 -81
  46. data/docs/resources/audit_policy.md.erb +0 -57
  47. data/docs/resources/auditd.md.erb +0 -89
  48. data/docs/resources/auditd_conf.md.erb +0 -78
  49. data/docs/resources/aws_cloudtrail_trail.md.erb +0 -165
  50. data/docs/resources/aws_cloudtrail_trails.md.erb +0 -96
  51. data/docs/resources/aws_cloudwatch_alarm.md.erb +0 -101
  52. data/docs/resources/aws_cloudwatch_log_metric_filter.md.erb +0 -164
  53. data/docs/resources/aws_config_delivery_channel.md.erb +0 -111
  54. data/docs/resources/aws_config_recorder.md.erb +0 -96
  55. data/docs/resources/aws_ebs_volume.md.erb +0 -76
  56. data/docs/resources/aws_ebs_volumes.md.erb +0 -86
  57. data/docs/resources/aws_ec2_instance.md.erb +0 -122
  58. data/docs/resources/aws_ec2_instances.md.erb +0 -89
  59. data/docs/resources/aws_elb.md.erb +0 -154
  60. data/docs/resources/aws_elbs.md.erb +0 -252
  61. data/docs/resources/aws_flow_log.md.erb +0 -128
  62. data/docs/resources/aws_iam_access_key.md.erb +0 -139
  63. data/docs/resources/aws_iam_access_keys.md.erb +0 -214
  64. data/docs/resources/aws_iam_group.md.erb +0 -74
  65. data/docs/resources/aws_iam_groups.md.erb +0 -92
  66. data/docs/resources/aws_iam_password_policy.md.erb +0 -92
  67. data/docs/resources/aws_iam_policies.md.erb +0 -97
  68. data/docs/resources/aws_iam_policy.md.erb +0 -264
  69. data/docs/resources/aws_iam_role.md.erb +0 -79
  70. data/docs/resources/aws_iam_root_user.md.erb +0 -86
  71. data/docs/resources/aws_iam_user.md.erb +0 -130
  72. data/docs/resources/aws_iam_users.md.erb +0 -289
  73. data/docs/resources/aws_kms_key.md.erb +0 -187
  74. data/docs/resources/aws_kms_keys.md.erb +0 -99
  75. data/docs/resources/aws_rds_instance.md.erb +0 -76
  76. data/docs/resources/aws_route_table.md.erb +0 -63
  77. data/docs/resources/aws_route_tables.md.erb +0 -65
  78. data/docs/resources/aws_s3_bucket.md.erb +0 -156
  79. data/docs/resources/aws_s3_bucket_object.md.erb +0 -99
  80. data/docs/resources/aws_s3_buckets.md.erb +0 -69
  81. data/docs/resources/aws_security_group.md.erb +0 -323
  82. data/docs/resources/aws_security_groups.md.erb +0 -107
  83. data/docs/resources/aws_sns_subscription.md.erb +0 -140
  84. data/docs/resources/aws_sns_topic.md.erb +0 -79
  85. data/docs/resources/aws_sns_topics.md.erb +0 -68
  86. data/docs/resources/aws_subnet.md.erb +0 -150
  87. data/docs/resources/aws_subnets.md.erb +0 -142
  88. data/docs/resources/aws_vpc.md.erb +0 -135
  89. data/docs/resources/aws_vpcs.md.erb +0 -135
  90. data/docs/resources/azure_generic_resource.md.erb +0 -183
  91. data/docs/resources/azure_resource_group.md.erb +0 -294
  92. data/docs/resources/azure_virtual_machine.md.erb +0 -357
  93. data/docs/resources/azure_virtual_machine_data_disk.md.erb +0 -234
  94. data/docs/resources/bash.md.erb +0 -85
  95. data/docs/resources/bond.md.erb +0 -100
  96. data/docs/resources/bridge.md.erb +0 -67
  97. data/docs/resources/bsd_service.md.erb +0 -77
  98. data/docs/resources/chocolatey_package.md.erb +0 -68
  99. data/docs/resources/command.md.erb +0 -176
  100. data/docs/resources/cpan.md.erb +0 -89
  101. data/docs/resources/cran.md.erb +0 -74
  102. data/docs/resources/crontab.md.erb +0 -103
  103. data/docs/resources/csv.md.erb +0 -64
  104. data/docs/resources/dh_params.md.erb +0 -221
  105. data/docs/resources/directory.md.erb +0 -40
  106. data/docs/resources/docker.md.erb +0 -240
  107. data/docs/resources/docker_container.md.erb +0 -113
  108. data/docs/resources/docker_image.md.erb +0 -104
  109. data/docs/resources/docker_plugin.md.erb +0 -80
  110. data/docs/resources/docker_service.md.erb +0 -124
  111. data/docs/resources/elasticsearch.md.erb +0 -252
  112. data/docs/resources/etc_fstab.md.erb +0 -135
  113. data/docs/resources/etc_group.md.erb +0 -85
  114. data/docs/resources/etc_hosts.md.erb +0 -88
  115. data/docs/resources/etc_hosts_allow.md.erb +0 -84
  116. data/docs/resources/etc_hosts_deny.md.erb +0 -84
  117. data/docs/resources/file.md.erb +0 -543
  118. data/docs/resources/filesystem.md.erb +0 -51
  119. data/docs/resources/firewalld.md.erb +0 -117
  120. data/docs/resources/gem.md.erb +0 -108
  121. data/docs/resources/group.md.erb +0 -71
  122. data/docs/resources/grub_conf.md.erb +0 -111
  123. data/docs/resources/host.md.erb +0 -96
  124. data/docs/resources/http.md.erb +0 -207
  125. data/docs/resources/iis_app.md.erb +0 -132
  126. data/docs/resources/iis_site.md.erb +0 -145
  127. data/docs/resources/inetd_conf.md.erb +0 -104
  128. data/docs/resources/ini.md.erb +0 -86
  129. data/docs/resources/interface.md.erb +0 -68
  130. data/docs/resources/iptables.md.erb +0 -74
  131. data/docs/resources/json.md.erb +0 -73
  132. data/docs/resources/kernel_module.md.erb +0 -130
  133. data/docs/resources/kernel_parameter.md.erb +0 -63
  134. data/docs/resources/key_rsa.md.erb +0 -95
  135. data/docs/resources/launchd_service.md.erb +0 -67
  136. data/docs/resources/limits_conf.md.erb +0 -85
  137. data/docs/resources/login_defs.md.erb +0 -81
  138. data/docs/resources/mount.md.erb +0 -79
  139. data/docs/resources/mssql_session.md.erb +0 -78
  140. data/docs/resources/mysql_conf.md.erb +0 -109
  141. data/docs/resources/mysql_session.md.erb +0 -84
  142. data/docs/resources/nginx.md.erb +0 -89
  143. data/docs/resources/nginx_conf.md.erb +0 -148
  144. data/docs/resources/npm.md.erb +0 -78
  145. data/docs/resources/ntp_conf.md.erb +0 -70
  146. data/docs/resources/oneget.md.erb +0 -63
  147. data/docs/resources/oracledb_session.md.erb +0 -103
  148. data/docs/resources/os.md.erb +0 -153
  149. data/docs/resources/os_env.md.erb +0 -101
  150. data/docs/resources/package.md.erb +0 -130
  151. data/docs/resources/packages.md.erb +0 -77
  152. data/docs/resources/parse_config.md.erb +0 -113
  153. data/docs/resources/parse_config_file.md.erb +0 -148
  154. data/docs/resources/passwd.md.erb +0 -151
  155. data/docs/resources/pip.md.erb +0 -77
  156. data/docs/resources/port.md.erb +0 -147
  157. data/docs/resources/postgres_conf.md.erb +0 -89
  158. data/docs/resources/postgres_hba_conf.md.erb +0 -103
  159. data/docs/resources/postgres_ident_conf.md.erb +0 -86
  160. data/docs/resources/postgres_session.md.erb +0 -79
  161. data/docs/resources/powershell.md.erb +0 -112
  162. data/docs/resources/processes.md.erb +0 -119
  163. data/docs/resources/rabbitmq_config.md.erb +0 -51
  164. data/docs/resources/registry_key.md.erb +0 -197
  165. data/docs/resources/runit_service.md.erb +0 -67
  166. data/docs/resources/security_policy.md.erb +0 -57
  167. data/docs/resources/service.md.erb +0 -131
  168. data/docs/resources/shadow.md.erb +0 -267
  169. data/docs/resources/ssh_config.md.erb +0 -83
  170. data/docs/resources/sshd_config.md.erb +0 -93
  171. data/docs/resources/ssl.md.erb +0 -129
  172. data/docs/resources/sys_info.md.erb +0 -52
  173. data/docs/resources/systemd_service.md.erb +0 -67
  174. data/docs/resources/sysv_service.md.erb +0 -67
  175. data/docs/resources/upstart_service.md.erb +0 -67
  176. data/docs/resources/user.md.erb +0 -150
  177. data/docs/resources/users.md.erb +0 -137
  178. data/docs/resources/vbscript.md.erb +0 -65
  179. data/docs/resources/virtualization.md.erb +0 -67
  180. data/docs/resources/windows_feature.md.erb +0 -69
  181. data/docs/resources/windows_hotfix.md.erb +0 -63
  182. data/docs/resources/windows_task.md.erb +0 -95
  183. data/docs/resources/wmi.md.erb +0 -91
  184. data/docs/resources/x509_certificate.md.erb +0 -161
  185. data/docs/resources/xinetd_conf.md.erb +0 -166
  186. data/docs/resources/xml.md.erb +0 -95
  187. data/docs/resources/yaml.md.erb +0 -79
  188. data/docs/resources/yum.md.erb +0 -108
  189. data/docs/resources/zfs_dataset.md.erb +0 -63
  190. data/docs/resources/zfs_pool.md.erb +0 -57
  191. data/docs/shared/matcher_be.md.erb +0 -1
  192. data/docs/shared/matcher_cmp.md.erb +0 -43
  193. data/docs/shared/matcher_eq.md.erb +0 -3
  194. data/docs/shared/matcher_include.md.erb +0 -1
  195. data/docs/shared/matcher_match.md.erb +0 -1
  196. data/docs/shell.md +0 -217
  197. data/docs/style.md +0 -178
  198. data/examples/README.md +0 -8
  199. data/examples/custom-resource/README.md +0 -3
  200. data/examples/custom-resource/controls/example.rb +0 -7
  201. data/examples/custom-resource/inspec.yml +0 -8
  202. data/examples/custom-resource/libraries/batsignal.rb +0 -20
  203. data/examples/custom-resource/libraries/gordon.rb +0 -21
  204. data/examples/inheritance/README.md +0 -65
  205. data/examples/inheritance/controls/example.rb +0 -14
  206. data/examples/inheritance/inspec.yml +0 -16
  207. data/examples/kitchen-ansible/.kitchen.yml +0 -25
  208. data/examples/kitchen-ansible/Gemfile +0 -19
  209. data/examples/kitchen-ansible/README.md +0 -53
  210. data/examples/kitchen-ansible/files/nginx.repo +0 -6
  211. data/examples/kitchen-ansible/tasks/main.yml +0 -16
  212. data/examples/kitchen-ansible/test/integration/default/default.yml +0 -5
  213. data/examples/kitchen-ansible/test/integration/default/web_spec.rb +0 -28
  214. data/examples/kitchen-chef/.kitchen.yml +0 -20
  215. data/examples/kitchen-chef/Berksfile +0 -3
  216. data/examples/kitchen-chef/Gemfile +0 -19
  217. data/examples/kitchen-chef/README.md +0 -27
  218. data/examples/kitchen-chef/metadata.rb +0 -7
  219. data/examples/kitchen-chef/recipes/default.rb +0 -6
  220. data/examples/kitchen-chef/recipes/nginx.rb +0 -30
  221. data/examples/kitchen-chef/test/integration/default/web_spec.rb +0 -28
  222. data/examples/kitchen-puppet/.kitchen.yml +0 -23
  223. data/examples/kitchen-puppet/Gemfile +0 -20
  224. data/examples/kitchen-puppet/Puppetfile +0 -25
  225. data/examples/kitchen-puppet/README.md +0 -53
  226. data/examples/kitchen-puppet/manifests/site.pp +0 -33
  227. data/examples/kitchen-puppet/metadata.json +0 -11
  228. data/examples/kitchen-puppet/modules/.gitkeep +0 -0
  229. data/examples/kitchen-puppet/test/integration/default/web_spec.rb +0 -28
  230. data/examples/meta-profile/README.md +0 -37
  231. data/examples/meta-profile/controls/example.rb +0 -13
  232. data/examples/meta-profile/inspec.yml +0 -13
  233. data/examples/plugins/inspec-resource-lister/Gemfile +0 -12
  234. data/examples/plugins/inspec-resource-lister/LICENSE +0 -13
  235. data/examples/plugins/inspec-resource-lister/README.md +0 -62
  236. data/examples/plugins/inspec-resource-lister/Rakefile +0 -40
  237. data/examples/plugins/inspec-resource-lister/inspec-resource-lister.gemspec +0 -45
  238. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister.rb +0 -16
  239. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/cli_command.rb +0 -70
  240. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/plugin.rb +0 -55
  241. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/version.rb +0 -10
  242. data/examples/plugins/inspec-resource-lister/test/fixtures/README.md +0 -24
  243. data/examples/plugins/inspec-resource-lister/test/functional/README.md +0 -18
  244. data/examples/plugins/inspec-resource-lister/test/functional/inspec_resource_lister_test.rb +0 -110
  245. data/examples/plugins/inspec-resource-lister/test/helper.rb +0 -26
  246. data/examples/plugins/inspec-resource-lister/test/unit/README.md +0 -17
  247. data/examples/plugins/inspec-resource-lister/test/unit/cli_args_test.rb +0 -64
  248. data/examples/plugins/inspec-resource-lister/test/unit/plugin_def_test.rb +0 -51
  249. data/examples/profile-attribute.yml +0 -2
  250. data/examples/profile-attribute/README.md +0 -14
  251. data/examples/profile-attribute/controls/example.rb +0 -11
  252. data/examples/profile-attribute/inspec.yml +0 -8
  253. data/examples/profile-aws/controls/iam_password_policy_expiration.rb +0 -8
  254. data/examples/profile-aws/controls/iam_password_policy_max_age.rb +0 -8
  255. data/examples/profile-aws/controls/iam_root_user_mfa.rb +0 -8
  256. data/examples/profile-aws/controls/iam_users_access_key_age.rb +0 -8
  257. data/examples/profile-aws/controls/iam_users_console_users_mfa.rb +0 -8
  258. data/examples/profile-aws/inspec.yml +0 -11
  259. data/examples/profile-azure/controls/azure_resource_group_example.rb +0 -24
  260. data/examples/profile-azure/controls/azure_vm_example.rb +0 -29
  261. data/examples/profile-azure/inspec.yml +0 -11
  262. data/examples/profile-sensitive/README.md +0 -29
  263. data/examples/profile-sensitive/controls/sensitive-failures.rb +0 -9
  264. data/examples/profile-sensitive/controls/sensitive.rb +0 -9
  265. data/examples/profile-sensitive/inspec.yml +0 -8
  266. data/examples/profile/README.md +0 -48
  267. data/examples/profile/controls/example.rb +0 -24
  268. data/examples/profile/controls/gordon.rb +0 -36
  269. data/examples/profile/controls/meta.rb +0 -36
  270. data/examples/profile/inspec.yml +0 -11
  271. data/examples/profile/libraries/gordon_config.rb +0 -59
@@ -1,214 +0,0 @@
1
- ---
2
- title: About the aws_iam_access_keys Resource
3
- platform: aws
4
- ---
5
-
6
- # aws\_iam\_access\_keys
7
-
8
- Use the `aws_iam_access_keys` InSpec audit resource to test properties of some or all IAM Access Keys.
9
-
10
- To test properties of a single Access Key, use the `aws_iam_access_key` resource instead.
11
- To test properties of an individual user's access keys, use the `aws_iam_user` resource.
12
-
13
- Access Keys are closely related to AWS User resources. Use this resource to perform audits of all keys or of keys specified by criteria unrelated to any particular user.
14
-
15
- <br>
16
-
17
- ## Availability
18
-
19
- ### Installation
20
-
21
- This resource is distributed along with InSpec itself. You can use it automatically.
22
-
23
- ### Version
24
-
25
- This resource first became available in v2.0.16 of InSpec.
26
-
27
- ## Syntax
28
-
29
- An `aws_iam_access_keys` resource block uses an optional filter to select a group of access keys and then tests that group.
30
-
31
- # Do not allow any access keys
32
- describe aws_iam_access_keys do
33
- it { should_not exist }
34
- end
35
-
36
- # Don't let fred have access keys, using filter argument syntax
37
- describe aws_iam_access_keys.where(username: 'fred') do
38
- it { should_not exist }
39
- end
40
-
41
- # Don't let fred have access keys, using filter block syntax (most flexible)
42
- describe aws_iam_access_keys.where { username == 'fred' } do
43
- it { should_not exist }
44
- end
45
-
46
- <br>
47
-
48
- ## Examples
49
-
50
- The following examples show how to use this InSpec audit resource.
51
-
52
- ### Disallow access keys created more than 90 days ago
53
-
54
- describe aws_iam_access_keys.where { created_days_ago > 90 } do
55
- it { should_not exist }
56
- end
57
-
58
- <br>
59
-
60
- ## Filter Criteria
61
- * `active`, `create_date`, `created_days_ago`, `created_hours_ago`, `created_with_user`, `ever_used`, `inactive`, `last_used_date`, `last_used_hours_ago`, `last_used_days_ago`, `never_used`, `user_created_date`
62
-
63
- <br>
64
-
65
- ## Filter Examples
66
-
67
- ### active
68
-
69
- A true / false value indicating if an Access Key is currently "Active" (the normal state) in the AWS console. See also: `inactive`.
70
-
71
- # Check if a particular key is enabled
72
- describe aws_iam_access_keys.where { active } do
73
- its('access_key_ids') { should include('AKIA1234567890ABCDEF')}
74
- end
75
-
76
- ### create\_date
77
-
78
- A DateTime identifying when the Access Key was created. See also `created_days_ago` and `created_hours_ago`.
79
-
80
- # Detect keys older than 2017
81
- describe aws_iam_access_keys.where { create_date < DateTime.parse('2017-01-01') } do
82
- it { should_not exist }
83
- end
84
-
85
- ### created\_days\_ago, created\_hours\_ago
86
-
87
- An integer, representing how old the access key is.
88
-
89
- # Don't allow keys that are older than 90 days
90
- describe aws_iam_access_keys.where { created_days_ago > 90 } do
91
- it { should_not exist }
92
- end
93
-
94
- ### created\_with\_user
95
-
96
- A true / false value indicating if the Access Key was likely created at the same time as the user, by checking if the difference between created_date and user_created_date is less than 1 hour.
97
-
98
- # Do not automatically create keys for users
99
- describe aws_iam_access_keys.where { created_with_user } do
100
- it { should_not exist }
101
- end
102
-
103
- ### ever\_used
104
-
105
- A true / false value indicating if the Access Key has ever been used, based on the last_used_date. See also: `never_used`.
106
-
107
- # Check to see if a particular key has ever been used
108
- describe aws_iam_access_keys.where { ever_used } do
109
- its('access_key_ids') { should include('AKIA1234567890ABCDEF')}
110
- end
111
-
112
- ### inactive
113
-
114
- A true / false value indicating if the Access Key has been marked Inactive in the AWS console. See also: `active`.
115
-
116
- # Don't leave inactive keys laying around
117
- describe aws_iam_access_keys.where { inactive } do
118
- it { should_not exist }
119
- end
120
-
121
- ### last\_used\_date
122
-
123
- A DateTime identifying when the Access Key was last used. Returns nil if the key has never been used. See also: `ever_used`, `last_used_days_ago`, `last_used_hours_ago`, and `never_used`.
124
-
125
- # No one should do anything on Mondays
126
- describe aws_iam_access_keys.where { ever_used and last_used_date.monday? } do
127
- it { should_not exist }
128
- end
129
-
130
- ### last\_used\_days\_ago, last\_used\_hours\_ago
131
-
132
- An integer representing when the key was last used. See also: `ever_used`, `last_used_date`, and `never_used`.
133
-
134
- # Don't allow keys that sit unused for more than 90 days
135
- describe aws_iam_access_keys.where { last_used_days_ago > 90 } do
136
- it { should_not exist }
137
- end
138
-
139
- ### never\_used
140
-
141
- A true / false value indicating if the Access Key has never been used, based on the `last_used_date`. See also: `ever_used`.
142
-
143
- # Don't allow unused keys to lay around
144
- describe aws_iam_access_keys.where { never_used } do
145
- it { should_not exist }
146
- end
147
-
148
- ### username
149
-
150
- Searches for access keys owned by the named user. Each user may have zero, one, or two access keys.
151
-
152
- describe aws_iam_access_keys(username: 'bob') do
153
- it { should exist }
154
- end
155
-
156
- ### user\_created\_date
157
-
158
- The date at which the user was created.
159
-
160
- # Users have to be a week old to have a key
161
- describe aws_iam_access_keys.where { user_created_date > Date.now - 7 }
162
- it { should_not exist }
163
- end
164
-
165
- <br>
166
-
167
- ## Properties
168
-
169
- * `access_key_ids`, `entries`
170
-
171
- ## Property Examples
172
-
173
- ### access\_key\_ids
174
-
175
- Provides a list of all access key IDs matched.
176
-
177
- describe aws_iam_access_keys do
178
- its('access_key_ids') { should include('AKIA1234567890ABCDEF') }
179
- end
180
-
181
- ### entries
182
-
183
- Provides access to the raw results of the query. This can be useful for checking counts and other advanced operations.
184
-
185
- # Allow at most 100 access keys on the account
186
- describe aws_iam_access_keys do
187
- its('entries.count') { should be <= 100}
188
- end
189
-
190
- <br>
191
-
192
- ## Matchers
193
-
194
- This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
195
-
196
- ### exists
197
-
198
- The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches.
199
-
200
- # Sally should have at least one access key
201
- describe aws_iam_access_keys.where(username: 'sally') do
202
- it { should exist }
203
- end
204
-
205
- # Don't let fred have access keys
206
- describe aws_iam_access_keys.where(username: 'fred') do
207
- it { should_not exist }
208
- end
209
-
210
- ## AWS Permissions
211
-
212
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:ListAccessKeys`, and `iam:ListUsers` action with Effect set to Allow.
213
-
214
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
@@ -1,74 +0,0 @@
1
- ---
2
- title: About the aws_iam_group Resource
3
- platform: aws
4
- ---
5
-
6
- # aws\_iam\_group
7
-
8
- Use the `aws_iam_group` InSpec audit resource to test properties of a single IAM group.
9
-
10
- To test properties of multiple or all groups, use the `aws_iam_groups` resource.
11
-
12
- <br>
13
-
14
- ## Availability
15
-
16
- ### Installation
17
-
18
- This resource is distributed along with InSpec itself. You can use it automatically.
19
-
20
- ### Version
21
-
22
- This resource first became available in v2.0.16 of InSpec.
23
-
24
- ## Syntax
25
-
26
- An `aws_iam_group` resource block identifies a group by group name.
27
-
28
- # Find a group by group name
29
- describe aws_iam_group('mygroup') do
30
- it { should exist }
31
- end
32
-
33
- # Hash syntax for group name
34
- describe aws_iam_group(group_name: 'mygroup') do
35
- it { should exist }
36
- end
37
-
38
- <br>
39
-
40
- ## Examples
41
-
42
- The following examples show how to use this InSpec audit resource.
43
-
44
- As this is the initial release of `aws_iam_group`, its limited functionality precludes examples.
45
-
46
- <br>
47
-
48
- ## Properties
49
-
50
- ### users
51
-
52
- Provides a list of the users that are attached to the group
53
-
54
- describe aws_iam_group('mygroup')
55
- its('users') { should include 'iam_user_name' }
56
- end
57
-
58
- <br>
59
-
60
- ## Matchers
61
-
62
- ### exists
63
-
64
- The control will pass if a group with the given group name exists.
65
-
66
- describe aws_iam_group('mygroup')
67
- it { should exist }
68
- end
69
-
70
- ## AWS Permissions
71
-
72
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetGroup` action with Effect set to Allow.
73
-
74
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
@@ -1,92 +0,0 @@
1
- ---
2
- title: About the aws_iam_groups Resource
3
- platform: aws
4
- ---
5
-
6
- # aws\_iam\_groups
7
-
8
- Use the `aws_iam_groups` InSpec audit resource to test properties of all or multiple groups.
9
-
10
- To test properties of a single group, use the `aws_iam_group` resource.
11
-
12
- <br>
13
-
14
- ## Availability
15
-
16
- ### Installation
17
-
18
- This resource is distributed along with InSpec itself. You can use it automatically.
19
-
20
- ### Version
21
-
22
- This resource first became available in v2.0.16 of InSpec.
23
-
24
- ## Syntax
25
-
26
- An `aws_iam_groups` resource block uses an optional filter to select a collection of IAM groups and then tests that collection.
27
-
28
- # The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches.
29
- describe aws_iam_groups do
30
- it { should exist }
31
- end
32
-
33
- <br>
34
-
35
- ## Examples
36
-
37
- The following examples show how to use this InSpec audit resource.
38
-
39
- As this is the initial release of `aws_iam_groups`, its limited functionality precludes examples.
40
-
41
- <br>
42
-
43
- ## Filter Criteria
44
-
45
- ### group_name
46
-
47
- Filters the IAM groups by their group name, a string. If you know the exact group name, use `aws_iam_group` (singular) instead. This criteria may be used when you know a pattern of the name.
48
-
49
- # Use a regex to find groups ending with 'Admins'
50
- describe aws_iam_groups.where(group_name: /Admins$/) do
51
- its('group_names') { should include 'FriendlyAdmins' }
52
- its('group_names') { shoud_not include 'ShunnedAdmins' }
53
- end
54
-
55
- ## Properties
56
-
57
- ### group_names
58
-
59
- An Array of Strings, reflecting the IAM group names matched by the filter. If no groups matched, this will be empty. You can also use this with `aws_iam_group` to enumerate groups.
60
-
61
- # Check for friendly people
62
- describe aws_iam_groups.where(group_name: /Admins$/) do
63
- its('group_names') { should include 'FriendlyAdmins' }
64
- its('group_names') { should include 'KindAdmins' }
65
- end
66
-
67
- # Use to loop and fetch groups individually for auditing in detail
68
- # Without a `where`, this fetches all groups
69
- aws_iam_groups.group_names.each do |group_names|
70
- # A roundabout way of saying "bob should not be in any groups"
71
- describe aws_iam_group(group_name) do
72
- its('users') { should_not include 'bob' }
73
- end
74
- end
75
-
76
- ## Matchers
77
-
78
- This resource has no resource-specific matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
79
-
80
- ### exists
81
-
82
- The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches.
83
-
84
- describe aws_iam_groups
85
- it { should exist }
86
- end
87
-
88
- ## AWS Permissions
89
-
90
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:ListGroups` action with Effect set to Allow.
91
-
92
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
@@ -1,92 +0,0 @@
1
- ---
2
- title: About the aws_iam_password_policy Resource
3
- platform: aws
4
- ---
5
-
6
- # aws\_iam\_password\_policy
7
-
8
- Use the `aws_iam_password_policy` InSpec audit resource to test properties of the AWS IAM Password Policy.
9
-
10
- <br>
11
-
12
- ## Availability
13
-
14
- ### Installation
15
-
16
- This resource is distributed along with InSpec itself. You can use it automatically.
17
-
18
- ### Version
19
-
20
- This resource first became available in v2.0.16 of InSpec.
21
-
22
- ## Syntax
23
-
24
- An `aws_iam_password_policy` resource block takes no parameters. Several properties and matchers are available.
25
-
26
- describe aws_iam_password_policy do
27
- it { should require_lowercase_characters }
28
- end
29
-
30
- <br>
31
-
32
- ## Properties
33
-
34
- * `max_password_age_in_days`, `minimum_password_length`, `number_of_passwords_to_remember`
35
-
36
- ## Examples
37
-
38
- The following examples show how to use this InSpec audit resource.
39
-
40
- ### Test that the IAM Password Policy requires lowercase characters, uppercase characters, numbers, symbols, and a minimum length greater than eight
41
-
42
- describe aws_iam_password_policy do
43
- it { should require_lowercase_characters }
44
- it { should require_uppercase_characters }
45
- it { should require_symbols }
46
- it { should require_numbers }
47
- its('minimum_password_length') { should be > 8 }
48
- end
49
-
50
- ### Test that the IAM Password Policy allows users to change their password
51
-
52
- describe aws_iam_password_policy do
53
- it { should allow_users_to_change_passwords }
54
- end
55
-
56
- ### Test that the IAM Password Policy expires passwords
57
-
58
- describe aws_iam_password_policy do
59
- it { should expire_passwords }
60
- end
61
-
62
- ### Test that the IAM Password Policy has a max password age
63
-
64
- describe aws_iam_password_policy do
65
- its('max_password_age_in_days') { should be 90 }
66
- end
67
-
68
- ### Test that the IAM Password Policy prevents password reuse
69
-
70
- describe aws_iam_password_policy do
71
- it { should prevent_password_reuse }
72
- end
73
-
74
- ### Test that the IAM Password Policy requires users to remember 3 previous passwords
75
-
76
- describe aws_iam_password_policy do
77
- its('number_of_passwords_to_remember') { should eq 3 }
78
- end
79
-
80
- <br>
81
-
82
- ## Matchers
83
-
84
- This resource uses the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
85
-
86
- * `allows_users_to_change_passwords`, `expire_passwords`, `prevent_password_reuse`, `require_lowercase_characters` , `require_uppercase_characters`, `require_numbers`, `require_symbols`
87
-
88
- ## AWS Permissions
89
-
90
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetAccountPasswordPolicy` action with Effect set to Allow.
91
-
92
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).