inspec 2.3.10 → 2.3.23

Files changed (271)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +34 -13
  3. data/etc/plugin_filters.json +25 -0
  4. data/inspec.gemspec +3 -3
  5. data/lib/bundles/inspec-compliance/api.rb +3 -0
  6. data/lib/bundles/inspec-compliance/configuration.rb +3 -0
  7. data/lib/bundles/inspec-compliance/http.rb +3 -0
  8. data/lib/bundles/inspec-compliance/support.rb +3 -0
  9. data/lib/bundles/inspec-compliance/target.rb +3 -0
  10. data/lib/inspec/objects/attribute.rb +3 -0
  11. data/lib/inspec/plugin/v2.rb +3 -0
  12. data/lib/inspec/plugin/v2/filter.rb +62 -0
  13. data/lib/inspec/plugin/v2/installer.rb +21 -1
  14. data/lib/inspec/plugin/v2/loader.rb +4 -0
  15. data/lib/inspec/profile.rb +3 -1
  16. data/lib/inspec/version.rb +1 -1
  17. data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +25 -3
  18. data/lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb +65 -11
  19. data/lib/plugins/inspec-plugin-manager-cli/test/unit/cli_args_test.rb +5 -1
  20. data/lib/resources/package.rb +1 -1
  21. metadata +5 -253
  22. data/MAINTAINERS.toml +0 -52
  23. data/docs/.gitignore +0 -2
  24. data/docs/README.md +0 -41
  25. data/docs/dev/control-eval.md +0 -62
  26. data/docs/dev/filtertable-internals.md +0 -353
  27. data/docs/dev/filtertable-usage.md +0 -533
  28. data/docs/dev/integration-testing.md +0 -31
  29. data/docs/dev/plugins.md +0 -323
  30. data/docs/dsl_inspec.md +0 -354
  31. data/docs/dsl_resource.md +0 -100
  32. data/docs/glossary.md +0 -381
  33. data/docs/habitat.md +0 -193
  34. data/docs/inspec_and_friends.md +0 -114
  35. data/docs/matchers.md +0 -161
  36. data/docs/migration.md +0 -293
  37. data/docs/platforms.md +0 -119
  38. data/docs/plugin_kitchen_inspec.md +0 -60
  39. data/docs/plugins.md +0 -57
  40. data/docs/profiles.md +0 -576
  41. data/docs/reporters.md +0 -170
  42. data/docs/resources/aide_conf.md.erb +0 -86
  43. data/docs/resources/apache.md.erb +0 -77
  44. data/docs/resources/apache_conf.md.erb +0 -78
  45. data/docs/resources/apt.md.erb +0 -81
  46. data/docs/resources/audit_policy.md.erb +0 -57
  47. data/docs/resources/auditd.md.erb +0 -89
  48. data/docs/resources/auditd_conf.md.erb +0 -78
  49. data/docs/resources/aws_cloudtrail_trail.md.erb +0 -165
  50. data/docs/resources/aws_cloudtrail_trails.md.erb +0 -96
  51. data/docs/resources/aws_cloudwatch_alarm.md.erb +0 -101
  52. data/docs/resources/aws_cloudwatch_log_metric_filter.md.erb +0 -164
  53. data/docs/resources/aws_config_delivery_channel.md.erb +0 -111
  54. data/docs/resources/aws_config_recorder.md.erb +0 -96
  55. data/docs/resources/aws_ebs_volume.md.erb +0 -76
  56. data/docs/resources/aws_ebs_volumes.md.erb +0 -86
  57. data/docs/resources/aws_ec2_instance.md.erb +0 -122
  58. data/docs/resources/aws_ec2_instances.md.erb +0 -89
  59. data/docs/resources/aws_elb.md.erb +0 -154
  60. data/docs/resources/aws_elbs.md.erb +0 -252
  61. data/docs/resources/aws_flow_log.md.erb +0 -128
  62. data/docs/resources/aws_iam_access_key.md.erb +0 -139
  63. data/docs/resources/aws_iam_access_keys.md.erb +0 -214
  64. data/docs/resources/aws_iam_group.md.erb +0 -74
  65. data/docs/resources/aws_iam_groups.md.erb +0 -92
  66. data/docs/resources/aws_iam_password_policy.md.erb +0 -92
  67. data/docs/resources/aws_iam_policies.md.erb +0 -97
  68. data/docs/resources/aws_iam_policy.md.erb +0 -264
  69. data/docs/resources/aws_iam_role.md.erb +0 -79
  70. data/docs/resources/aws_iam_root_user.md.erb +0 -86
  71. data/docs/resources/aws_iam_user.md.erb +0 -130
  72. data/docs/resources/aws_iam_users.md.erb +0 -289
  73. data/docs/resources/aws_kms_key.md.erb +0 -187
  74. data/docs/resources/aws_kms_keys.md.erb +0 -99
  75. data/docs/resources/aws_rds_instance.md.erb +0 -76
  76. data/docs/resources/aws_route_table.md.erb +0 -63
  77. data/docs/resources/aws_route_tables.md.erb +0 -65
  78. data/docs/resources/aws_s3_bucket.md.erb +0 -156
  79. data/docs/resources/aws_s3_bucket_object.md.erb +0 -99
  80. data/docs/resources/aws_s3_buckets.md.erb +0 -69
  81. data/docs/resources/aws_security_group.md.erb +0 -323
  82. data/docs/resources/aws_security_groups.md.erb +0 -107
  83. data/docs/resources/aws_sns_subscription.md.erb +0 -140
  84. data/docs/resources/aws_sns_topic.md.erb +0 -79
  85. data/docs/resources/aws_sns_topics.md.erb +0 -68
  86. data/docs/resources/aws_subnet.md.erb +0 -150
  87. data/docs/resources/aws_subnets.md.erb +0 -142
  88. data/docs/resources/aws_vpc.md.erb +0 -135
  89. data/docs/resources/aws_vpcs.md.erb +0 -135
  90. data/docs/resources/azure_generic_resource.md.erb +0 -183
  91. data/docs/resources/azure_resource_group.md.erb +0 -294
  92. data/docs/resources/azure_virtual_machine.md.erb +0 -357
  93. data/docs/resources/azure_virtual_machine_data_disk.md.erb +0 -234
  94. data/docs/resources/bash.md.erb +0 -85
  95. data/docs/resources/bond.md.erb +0 -100
  96. data/docs/resources/bridge.md.erb +0 -67
  97. data/docs/resources/bsd_service.md.erb +0 -77
  98. data/docs/resources/chocolatey_package.md.erb +0 -68
  99. data/docs/resources/command.md.erb +0 -176
  100. data/docs/resources/cpan.md.erb +0 -89
  101. data/docs/resources/cran.md.erb +0 -74
  102. data/docs/resources/crontab.md.erb +0 -103
  103. data/docs/resources/csv.md.erb +0 -64
  104. data/docs/resources/dh_params.md.erb +0 -221
  105. data/docs/resources/directory.md.erb +0 -40
  106. data/docs/resources/docker.md.erb +0 -240
  107. data/docs/resources/docker_container.md.erb +0 -113
  108. data/docs/resources/docker_image.md.erb +0 -104
  109. data/docs/resources/docker_plugin.md.erb +0 -80
  110. data/docs/resources/docker_service.md.erb +0 -124
  111. data/docs/resources/elasticsearch.md.erb +0 -252
  112. data/docs/resources/etc_fstab.md.erb +0 -135
  113. data/docs/resources/etc_group.md.erb +0 -85
  114. data/docs/resources/etc_hosts.md.erb +0 -88
  115. data/docs/resources/etc_hosts_allow.md.erb +0 -84
  116. data/docs/resources/etc_hosts_deny.md.erb +0 -84
  117. data/docs/resources/file.md.erb +0 -543
  118. data/docs/resources/filesystem.md.erb +0 -51
  119. data/docs/resources/firewalld.md.erb +0 -117
  120. data/docs/resources/gem.md.erb +0 -108
  121. data/docs/resources/group.md.erb +0 -71
  122. data/docs/resources/grub_conf.md.erb +0 -111
  123. data/docs/resources/host.md.erb +0 -96
  124. data/docs/resources/http.md.erb +0 -207
  125. data/docs/resources/iis_app.md.erb +0 -132
  126. data/docs/resources/iis_site.md.erb +0 -145
  127. data/docs/resources/inetd_conf.md.erb +0 -104
  128. data/docs/resources/ini.md.erb +0 -86
  129. data/docs/resources/interface.md.erb +0 -68
  130. data/docs/resources/iptables.md.erb +0 -74
  131. data/docs/resources/json.md.erb +0 -73
  132. data/docs/resources/kernel_module.md.erb +0 -130
  133. data/docs/resources/kernel_parameter.md.erb +0 -63
  134. data/docs/resources/key_rsa.md.erb +0 -95
  135. data/docs/resources/launchd_service.md.erb +0 -67
  136. data/docs/resources/limits_conf.md.erb +0 -85
  137. data/docs/resources/login_defs.md.erb +0 -81
  138. data/docs/resources/mount.md.erb +0 -79
  139. data/docs/resources/mssql_session.md.erb +0 -78
  140. data/docs/resources/mysql_conf.md.erb +0 -109
  141. data/docs/resources/mysql_session.md.erb +0 -84
  142. data/docs/resources/nginx.md.erb +0 -89
  143. data/docs/resources/nginx_conf.md.erb +0 -148
  144. data/docs/resources/npm.md.erb +0 -78
  145. data/docs/resources/ntp_conf.md.erb +0 -70
  146. data/docs/resources/oneget.md.erb +0 -63
  147. data/docs/resources/oracledb_session.md.erb +0 -103
  148. data/docs/resources/os.md.erb +0 -153
  149. data/docs/resources/os_env.md.erb +0 -101
  150. data/docs/resources/package.md.erb +0 -130
  151. data/docs/resources/packages.md.erb +0 -77
  152. data/docs/resources/parse_config.md.erb +0 -113
  153. data/docs/resources/parse_config_file.md.erb +0 -148
  154. data/docs/resources/passwd.md.erb +0 -151
  155. data/docs/resources/pip.md.erb +0 -77
  156. data/docs/resources/port.md.erb +0 -147
  157. data/docs/resources/postgres_conf.md.erb +0 -89
  158. data/docs/resources/postgres_hba_conf.md.erb +0 -103
  159. data/docs/resources/postgres_ident_conf.md.erb +0 -86
  160. data/docs/resources/postgres_session.md.erb +0 -79
  161. data/docs/resources/powershell.md.erb +0 -112
  162. data/docs/resources/processes.md.erb +0 -119
  163. data/docs/resources/rabbitmq_config.md.erb +0 -51
  164. data/docs/resources/registry_key.md.erb +0 -197
  165. data/docs/resources/runit_service.md.erb +0 -67
  166. data/docs/resources/security_policy.md.erb +0 -57
  167. data/docs/resources/service.md.erb +0 -131
  168. data/docs/resources/shadow.md.erb +0 -267
  169. data/docs/resources/ssh_config.md.erb +0 -83
  170. data/docs/resources/sshd_config.md.erb +0 -93
  171. data/docs/resources/ssl.md.erb +0 -129
  172. data/docs/resources/sys_info.md.erb +0 -52
  173. data/docs/resources/systemd_service.md.erb +0 -67
  174. data/docs/resources/sysv_service.md.erb +0 -67
  175. data/docs/resources/upstart_service.md.erb +0 -67
  176. data/docs/resources/user.md.erb +0 -150
  177. data/docs/resources/users.md.erb +0 -137
  178. data/docs/resources/vbscript.md.erb +0 -65
  179. data/docs/resources/virtualization.md.erb +0 -67
  180. data/docs/resources/windows_feature.md.erb +0 -69
  181. data/docs/resources/windows_hotfix.md.erb +0 -63
  182. data/docs/resources/windows_task.md.erb +0 -95
  183. data/docs/resources/wmi.md.erb +0 -91
  184. data/docs/resources/x509_certificate.md.erb +0 -161
  185. data/docs/resources/xinetd_conf.md.erb +0 -166
  186. data/docs/resources/xml.md.erb +0 -95
  187. data/docs/resources/yaml.md.erb +0 -79
  188. data/docs/resources/yum.md.erb +0 -108
  189. data/docs/resources/zfs_dataset.md.erb +0 -63
  190. data/docs/resources/zfs_pool.md.erb +0 -57
  191. data/docs/shared/matcher_be.md.erb +0 -1
  192. data/docs/shared/matcher_cmp.md.erb +0 -43
  193. data/docs/shared/matcher_eq.md.erb +0 -3
  194. data/docs/shared/matcher_include.md.erb +0 -1
  195. data/docs/shared/matcher_match.md.erb +0 -1
  196. data/docs/shell.md +0 -217
  197. data/docs/style.md +0 -178
  198. data/examples/README.md +0 -8
  199. data/examples/custom-resource/README.md +0 -3
  200. data/examples/custom-resource/controls/example.rb +0 -7
  201. data/examples/custom-resource/inspec.yml +0 -8
  202. data/examples/custom-resource/libraries/batsignal.rb +0 -20
  203. data/examples/custom-resource/libraries/gordon.rb +0 -21
  204. data/examples/inheritance/README.md +0 -65
  205. data/examples/inheritance/controls/example.rb +0 -14
  206. data/examples/inheritance/inspec.yml +0 -16
  207. data/examples/kitchen-ansible/.kitchen.yml +0 -25
  208. data/examples/kitchen-ansible/Gemfile +0 -19
  209. data/examples/kitchen-ansible/README.md +0 -53
  210. data/examples/kitchen-ansible/files/nginx.repo +0 -6
  211. data/examples/kitchen-ansible/tasks/main.yml +0 -16
  212. data/examples/kitchen-ansible/test/integration/default/default.yml +0 -5
  213. data/examples/kitchen-ansible/test/integration/default/web_spec.rb +0 -28
  214. data/examples/kitchen-chef/.kitchen.yml +0 -20
  215. data/examples/kitchen-chef/Berksfile +0 -3
  216. data/examples/kitchen-chef/Gemfile +0 -19
  217. data/examples/kitchen-chef/README.md +0 -27
  218. data/examples/kitchen-chef/metadata.rb +0 -7
  219. data/examples/kitchen-chef/recipes/default.rb +0 -6
  220. data/examples/kitchen-chef/recipes/nginx.rb +0 -30
  221. data/examples/kitchen-chef/test/integration/default/web_spec.rb +0 -28
  222. data/examples/kitchen-puppet/.kitchen.yml +0 -23
  223. data/examples/kitchen-puppet/Gemfile +0 -20
  224. data/examples/kitchen-puppet/Puppetfile +0 -25
  225. data/examples/kitchen-puppet/README.md +0 -53
  226. data/examples/kitchen-puppet/manifests/site.pp +0 -33
  227. data/examples/kitchen-puppet/metadata.json +0 -11
  228. data/examples/kitchen-puppet/modules/.gitkeep +0 -0
  229. data/examples/kitchen-puppet/test/integration/default/web_spec.rb +0 -28
  230. data/examples/meta-profile/README.md +0 -37
  231. data/examples/meta-profile/controls/example.rb +0 -13
  232. data/examples/meta-profile/inspec.yml +0 -13
  233. data/examples/plugins/inspec-resource-lister/Gemfile +0 -12
  234. data/examples/plugins/inspec-resource-lister/LICENSE +0 -13
  235. data/examples/plugins/inspec-resource-lister/README.md +0 -62
  236. data/examples/plugins/inspec-resource-lister/Rakefile +0 -40
  237. data/examples/plugins/inspec-resource-lister/inspec-resource-lister.gemspec +0 -45
  238. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister.rb +0 -16
  239. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/cli_command.rb +0 -70
  240. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/plugin.rb +0 -55
  241. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/version.rb +0 -10
  242. data/examples/plugins/inspec-resource-lister/test/fixtures/README.md +0 -24
  243. data/examples/plugins/inspec-resource-lister/test/functional/README.md +0 -18
  244. data/examples/plugins/inspec-resource-lister/test/functional/inspec_resource_lister_test.rb +0 -110
  245. data/examples/plugins/inspec-resource-lister/test/helper.rb +0 -26
  246. data/examples/plugins/inspec-resource-lister/test/unit/README.md +0 -17
  247. data/examples/plugins/inspec-resource-lister/test/unit/cli_args_test.rb +0 -64
  248. data/examples/plugins/inspec-resource-lister/test/unit/plugin_def_test.rb +0 -51
  249. data/examples/profile-attribute.yml +0 -2
  250. data/examples/profile-attribute/README.md +0 -14
  251. data/examples/profile-attribute/controls/example.rb +0 -11
  252. data/examples/profile-attribute/inspec.yml +0 -8
  253. data/examples/profile-aws/controls/iam_password_policy_expiration.rb +0 -8
  254. data/examples/profile-aws/controls/iam_password_policy_max_age.rb +0 -8
  255. data/examples/profile-aws/controls/iam_root_user_mfa.rb +0 -8
  256. data/examples/profile-aws/controls/iam_users_access_key_age.rb +0 -8
  257. data/examples/profile-aws/controls/iam_users_console_users_mfa.rb +0 -8
  258. data/examples/profile-aws/inspec.yml +0 -11
  259. data/examples/profile-azure/controls/azure_resource_group_example.rb +0 -24
  260. data/examples/profile-azure/controls/azure_vm_example.rb +0 -29
  261. data/examples/profile-azure/inspec.yml +0 -11
  262. data/examples/profile-sensitive/README.md +0 -29
  263. data/examples/profile-sensitive/controls/sensitive-failures.rb +0 -9
  264. data/examples/profile-sensitive/controls/sensitive.rb +0 -9
  265. data/examples/profile-sensitive/inspec.yml +0 -8
  266. data/examples/profile/README.md +0 -48
  267. data/examples/profile/controls/example.rb +0 -24
  268. data/examples/profile/controls/gordon.rb +0 -36
  269. data/examples/profile/controls/meta.rb +0 -36
  270. data/examples/profile/inspec.yml +0 -11
  271. data/examples/profile/libraries/gordon_config.rb +0 -59
@@ -1,97 +0,0 @@
1
- ---
2
- title: About the aws_iam_policies Resource
3
- platform: aws
4
- ---
5
-
6
- # aws\_iam\_policies
7
-
8
- Use the `aws_iam_policies` InSpec audit resource to test properties of some or all AWS IAM Policies.
9
-
10
- A policy is an entity in AWS that, when attached to an identity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine if the request is allowed or denied.
11
-
12
- Each IAM Policy is uniquely identified by either its `policy_name` or `arn`.
13
-
14
- <br>
15
-
16
- ## Availability
17
-
18
- ### Installation
19
-
20
- This resource is distributed along with InSpec itself. You can use it automatically.
21
-
22
- ### Version
23
-
24
- This resource first became available in v2.0.16 of InSpec.
25
-
26
- ## Syntax
27
-
28
- An `aws_iam_policies` resource block collects a group of IAM Policies and then tests that group.
29
-
30
- # Verify the policy specified by the policy name is included in IAM Policies in the AWS account.
31
- describe aws_iam_policies do
32
- its('policy_names') { should include('test-policy-1') }
33
- end
34
-
35
- <br>
36
-
37
- ## Examples
38
-
39
- The following examples show how to use this InSpec audit resource.
40
-
41
- As this is the initial release of `aws_iam_policies`, its limited functionality precludes examples.
42
-
43
- <br>
44
-
45
- ## Properties
46
-
47
- * `arns`, `entries`, `policy_names`
48
-
49
- <br>
50
-
51
- ## Property Examples
52
-
53
- ### policy\_names
54
-
55
- Provides a list of policy names for all IAM Policies in the AWS account.
56
-
57
- describe aws_iam_policies do
58
- its('policy_names') { should include('test-policy-1') }
59
- end
60
-
61
- ### arns
62
-
63
- Provides a list of policy arns for all IAM Policies in the AWS account.
64
-
65
- describe aws_iam_policies do
66
- its('arns') { should include('arn:aws:iam::aws:policy/test-policy-1') }
67
- end
68
-
69
- ### entries
70
-
71
- Provides access to the raw results of the query. This can be useful for checking counts and other advanced operations.
72
-
73
- # Allow at most 100 IAM Policies on the account
74
- describe aws_iam_policies do
75
- its('entries.count') { should be <= 100}
76
- end
77
-
78
- <br>
79
-
80
- ## Matchers
81
-
82
- For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
83
-
84
- ### exists
85
-
86
- The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches.
87
-
88
- # Verify that at least one IAM Policies exists.
89
- describe aws_iam_policies
90
- it { should exist }
91
- end
92
-
93
- ## AWS Permissions
94
-
95
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:ListPolicies` action with Effect set to Allow.
96
-
97
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
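Review bot: the `### exists` example at line 89 of this removed file is not valid Ruby: `describe aws_iam_policies` has no trailing `do` before the `it { should exist }` line, so the snippet cannot be pasted into a profile. If this content is being moved out of the gem rather than dropped, carry the fix (`describe aws_iam_policies do`) with it. Two smaller points in the same file: the `arns` example at line 66 uses `arn:aws:iam::aws:policy/test-policy-1`, but the `aws` account segment is reserved for AWS managed policies, so a customer-managed policy named `test-policy-1` would carry the account ID in that position (`arn:aws:iam::123456789012:policy/test-policy-1`); and the comment at line 88, "Verify that at least one IAM Policies exists", should read "IAM Policy". Since 271 files under `data/docs` and `data/examples` are leaving the gem in this change, the PR description should also say where these docs are maintained now.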
@@ -1,264 +0,0 @@
1
- ---
2
- title: About the aws_iam_policy Resource
3
- platform: aws
4
- ---
5
-
6
- # aws\_iam\_policy
7
-
8
- Use the `aws_iam_policy` InSpec audit resource to test properties of a single managed AWS IAM Policy. Use `aws_iam_policies` to audit IAM policies in bulk.
9
-
10
- A policy defines the permissions of an identity or resource within AWS. AWS evaluates these policies when a principal, such as a user, makes a request. Policy permissions, also called "policy statements" in AWS, determine if a request is authorized -- and allow or deny it accordingly.
11
-
12
- Each IAM Policy is uniquely identified by either its policy\_name or arn.
13
-
14
- <br>
15
-
16
- ## Availability
17
-
18
- ### Installation
19
-
20
- This resource is distributed along with InSpec itself. You can use it automatically.
21
-
22
- ### Version
23
-
24
- This resource first became available in v2.0.16 of InSpec.
25
-
26
- ## Syntax
27
-
28
- An `aws_iam_policy` resource block identifies a policy by policy name.
29
-
30
- # Find a policy by name
31
- describe aws_iam_policy('AWSSupportAccess') do
32
- it { should exist }
33
- end
34
-
35
- # Find a customer-managed by name
36
- describe aws_iam_policy('customer-managed-policy') do
37
- it { should exist }
38
- end
39
-
40
- # Hash syntax for policy name
41
- describe aws_iam_policy(policy_name: 'AWSSupportAccess') do
42
- it { should exist }
43
- end
44
-
45
- <br>
46
-
47
- ## Examples
48
-
49
- The following examples show how to use this InSpec audit resource.
50
-
51
- ### Test that a policy does exist
52
-
53
- describe aws_iam_policy('AWSSupportAccess') do
54
- it { should exist }
55
- end
56
-
57
- ### Test that a policy is attached to at least one entity
58
-
59
- describe aws_iam_policy('AWSSupportAccess') do
60
- it { should be_attached }
61
- end
62
-
63
- ### Examine the policy statements
64
-
65
- describe aws_iam_policy('my-policy') do
66
- # Verify that there is at least one statement allowing access to S3
67
- it { should have_statement(Action: 's3:PutObject', Effect: 'allow') }
68
-
69
- # have_statement does not expand wildcards. If you want to verify
70
- # they are absent, an explicit check is required.
71
- it { should_not have_statement(Action: 's3:*') }
72
- end
73
-
74
- <br>
75
-
76
- ## Properties
77
-
78
- * `arn`, `attachment_count`, `attached_groups`, `attached_roles`,`attached_users`, `default_version_id`, `policy`, `statement_count`
79
-
80
- ## Property Examples
81
-
82
- ### arn
83
-
84
- "The ARN identifier of the specified policy. An ARN uniquely identifies the policy within AWS."
85
-
86
- describe aws_iam_policy('AWSSupportAccess') do
87
- its('arn') { should cmp "arn:aws:iam::aws:policy/AWSSupportAccess" }
88
- end
89
-
90
- ### attachment\_count
91
-
92
- The count of attached entities for the specified policy.
93
-
94
- describe aws_iam_policy('AWSSupportAccess') do
95
- its('attachment_count') { should cmp 1 }
96
- end
97
-
98
- ### attached\_groups
99
-
100
- The list of groupnames of the groups attached to the policy.
101
-
102
- describe aws_iam_policy('AWSSupportAccess') do
103
- its('attached_groups') { should include "test-group" }
104
- end
105
-
106
- ### attached\_roles
107
-
108
- The list of rolenames of the roles attached to the policy.
109
-
110
- describe aws_iam_policy('AWSSupportAccess') do
111
- its('attached_roles') { should include "test-role" }
112
- end
113
-
114
- ### attached\_users
115
-
116
- The list of usernames of the users attached to the policy.
117
-
118
- describe aws_iam_policy('AWSSupportAccess') do
119
- its('attached_users') { should include "test-user" }
120
- end
121
-
122
- ### default\_version\_id
123
-
124
- The 'default_version_id' value of the specified policy.
125
-
126
- describe aws_iam_policy('AWSSupportAccess') do
127
- its('default_version_id') { should cmp "v1" }
128
- end
129
-
130
- ### policy
131
-
132
- This is a low-level, unsupported property.
133
-
134
- Returns the default version of the policy document after decoding as a Ruby hash. This hash contains the policy statements and is useful for performing checks that cannot be expressed using higher-level matchers like `have_statement`.
135
-
136
- For details regarding the contents of this structure, refer to the [AWS IAM Policy JSON Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html). A set of examples is [also available](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html).
137
-
138
- Example:
139
-
140
- # Fetch the policy structure as a Ruby object
141
- policy_struct = aws_iam_policy('my-policy').policy
142
- # Write a manually-constructed test to check that the policy
143
- # has an IP constraint on the first statement
144
- # ( Based on https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html )
145
- describe 'Check that we are restricting IP access' do
146
- subject { policy_struct['Statement'].first['Condition'] }
147
- it { should include 'NotIpAddress' }
148
- end
149
-
150
- ### statement\_count
151
-
152
- Returns the number of statements present in the `policy`.
153
-
154
- # Make sure there are exactly two statements.
155
- describe aws_iam_policy('my-policy') do
156
- its('statement_count') { should cmp 2 }
157
- end
158
-
159
- ## Matchers
160
-
161
- This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
162
-
163
- ### be\_attached
164
-
165
- The test will pass if the identified policy is attached to at least one IAM user, group, or role.
166
-
167
- describe aws_iam_policy('AWSSupportAccess') do
168
- it { should be_attached }
169
- end
170
-
171
- ### be\_attached\_to\_group(GROUPNAME)
172
-
173
- The test will pass if the identified policy attached the specified group.
174
-
175
- describe aws_iam_policy('AWSSupportAccess') do
176
- it { should be_attached_to_group(GROUPNAME) }
177
- end
178
-
179
- ### be\_attached\_to\_user(USERNAME)
180
-
181
- The test will pass if the identified policy attached the specified user.
182
-
183
- describe aws_iam_policy('AWSSupportAccess') do
184
- it { should be_attached_to_user(USERNAME) }
185
- end
186
-
187
- ### be\_attached\_to\_role(ROLENAME)
188
-
189
- The test will pass if the identified policy attached the specified role.
190
-
191
- describe aws_iam_policy('AWSSupportAccess') do
192
- it { should be_attached_to_role(ROLENAME) }
193
- end
194
-
195
- ### have\_statement
196
-
197
- Examines the list of statements contained in the policy and passes if at least one of the statements matches. This matcher does _not_ interpret the policy in a request authorization context, as AWS does when a request processed. Rather, `have_statement` examines the literal contents of the IAM policy, and reports on what is present (or absent, when used with `should_not`).
198
-
199
- `have_statement` accepts the following criteria to search for matching statements. If any statement matches all the criteria, the test is successful. All criteria may be used as Titlecase (as in the AWS examples) or lowercase, string or symbol.
200
-
201
- * `Action` - Expresses the requested operation. Acceptable literal values are any AWS operation name, including the '*' wildcard character. `Action` may also use a list of AWS operation names.
202
- * `Effect` - Expresses if the operation is permitted. Acceptable values are 'Deny' and 'Allow'.
203
- * `Sid` - A user-provided string identifier for the statement.
204
- * `Resource` - Expresses the operation's target. Acceptable values are ARNs, including the '*' wildcard. `Resource` may also use a list of ARN values.
205
-
206
- Please note the following about the behavior of `have_statement`:
207
- * `Action`, `Sid`, and `Resource` allow using a regular expression as the search critera instead of a string literal.
208
- * it does not support wildcard expansion; to check for a wildcard value, check for it explicitly. For example, if the policy includes a statement with `"Action": "s3:*"` and the test checks for `Action: "s3:PutObject"`, the test _will not match_. You must write an additional test checking for the wildcard case.
209
- * it supports searching list values. For example, if a statement contains a list of 3 resources, and a `have_statement` test specifes _one_ of those resources, it will match.
210
- * `Action` and `Resource` allow using a list of string literals or regular expressions in a test, in which case _all_ must match on the _same_ statement for the test to match. Order is ignored.
211
- * it does not support the `[Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)` or `Conditional` key, or any of `NotAction`, `Not[Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)`, or `NotResource`.
212
-
213
- Examples:
214
-
215
- # Verify there is no full-admin statement
216
- describe aws_iam_policy('kryptonite') do
217
- it { should_not have_statement('Effect' => 'Allow', 'Resource' => '*', 'Action' => '*')}
218
- end
219
-
220
- # Symbols and lowercase also allowed as criteria
221
- describe aws_iam_policy('kryptonite') do
222
- # All 4 the same
223
- it { should_not have_statement('Effect' => 'Allow', 'Resource' => '*', 'Action' => '*')}
224
- it { should_not have_statement('effect' => 'Allow', 'resource' => '*', 'action' => '*')}
225
- it { should_not have_statement(Effect: 'Allow', Resource: '*', Action: '*')}
226
- it { should_not have_statement(effect: 'Allow', resource: '*', action: '*')}
227
- end
228
-
229
- # Verify bob is allowed to manage things on S3 buckets that start with bobs-stuff
230
- describe aws_iam_policy('bob-is-a-packrat') do
231
- it { should have_statement(Effect: 'Allow',
232
- # Using the AWS wildcard - this must match exactly
233
- Resource: 'arn:aws:s3:::bobs-stuff*',
234
- # Specify a list of actions - all must match, no others, order isn't important
235
- Action: ['s3:PutObject', 's3:GetObject', 's3:DeleteObject'])}
236
-
237
- # Bob would make new buckets constantly if we let him.
238
- it { should_not have_statement(Effect: 'Allow', Action: 's3:CreateBucket')}
239
- it { should_not have_statement(Effect: 'Allow', Action: 's3:*')}
240
- it { should_not have_statement(Effect: 'Allow', Action: '*')}
241
-
242
- # An alternative to checking for wildcards is to specify the
243
- # statements you expect, then restrict statement count
244
- its('statement_count') { should cmp 1 }
245
- end
246
-
247
- # Use regular expressions to examine the policy
248
- describe aws_iam_policy('regex-demo') do
249
- # Check to see if anything mentions RDS at all.
250
- # This catches `rds:CreateDBinstance` and `rds:*`, but would not catch '*'.
251
- it { should_not have_statement(Action: /^rds:.+$/)}
252
-
253
- # This policy should refer to both sally and kim's s3 buckets.
254
- # This will only match if there is a statement that refers to both resources.
255
- it { should have_statement(Resource: [/arn:aws:s3.+:sally/, /arn:aws:s3.+:kim/]) }
256
- # The following also matches on a statement mentioning only one of them
257
- it { should have_statement(Resource: /arn:aws:s3.+:(sally|kim)/) }
258
- end
259
-
260
- ## AWS Permissions
261
-
262
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetPolicy`, `iam:ListPolicy`, and `iam:ListEntitiesForPolicy` actions set to allow.
263
-
264
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
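Review bot: the AWS Permissions section at line 262 lists `iam:ListPolicy`, which is not an IAM action; the action is `iam:ListPolicies`. The `policy`, `statement_count` and `have_statement` sections all read the default policy version document, and `GetPolicy` returns only metadata, so `iam:GetPolicyVersion` should be listed alongside `iam:GetPolicy` and `iam:ListEntitiesForPolicy`. Also in this file: the example at line 67 passes `Effect: 'allow'` while line 202 says the acceptable values are 'Deny' and 'Allow', so either the example or the list of accepted values is wrong and the two should agree; line 211 says `Conditional` where the IAM statement key is `Condition`; and lines 173, 181 and 189 read "if the identified policy attached the specified group/user/role", which should be "is attached to the specified ...". If these docs are moving rather than being deleted, carry the fixes with them.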
@@ -1,79 +0,0 @@
1
- ---
2
- title: About the aws_iam_role Resource
3
- platform: aws
4
- ---
5
-
6
- # aws\_iam\_role
7
-
8
- Use the `aws_iam_role` InSpec audit resource to test properties of a single IAM Role. A Role is a collection of permissions that may be temporarily assumed by a user, EC2 Instance, Lambda Function, or certain other resources.
9
-
10
- <br>
11
-
12
- ## Availability
13
-
14
- ### Installation
15
-
16
- This resource is distributed along with InSpec itself. You can use it automatically.
17
-
18
- ### Version
19
-
20
- This resource first became available in v2.0.16 of InSpec.
21
-
22
- ## Syntax
23
-
24
- # Ensure that a certain role exists by name
25
- describe aws_iam_role('my-role') do
26
- it { should exist }
27
- end
28
-
29
- <br>
30
-
31
- ## Resource Parameters
32
-
33
- ### role\_name
34
-
35
- This resource expects a single parameter that uniquely identifies the IAM Role, the Role Name. You may pass it as a string, or as the value in a hash:
36
-
37
- describe aws_iam_role('my-role') do
38
- it { should exist }
39
- end
40
- # Same
41
- describe aws_iam_role(role_name: 'my-role') do
42
- it { should exist }
43
- end
44
-
45
- <br>
46
-
47
- ## Properties
48
-
49
- ### description
50
-
51
- A textual description of the IAM Role.
52
-
53
- describe aws_iam_role('my-role') do
54
- its('description') { should be('Our most important Role')}
55
- end
56
-
57
- <br>
58
-
59
- ## Matchers
60
-
61
- This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
62
-
63
- ### exist
64
-
65
- Indicates that the Role Name provided was found. Use `should_not` to test for IAM Roles that should not exist.
66
-
67
- describe aws_iam_role('should-be-there') do
68
- it { should exist }
69
- end
70
-
71
- describe aws_iam_role('should-not-be-there') do
72
- it { should_not exist }
73
- end
74
-
75
- ## AWS Permissions
76
-
77
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetRole` action with Effect set to Allow.
78
-
79
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
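Review bot: the `description` example at line 54, `its('description') { should be('Our most important Role') }`, will not pass as written: RSpec's `be(value)` is an identity check (`equal?`), and two distinct String objects with the same contents are not identical, so the comparison should use `cmp` (the matcher the sibling `aws_iam_policy` doc uses for its `arn` and `default_version_id` examples) or `eq`. If this file is being relocated rather than dropped, carry the fix with it.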
@@ -1,86 +0,0 @@
1
- ---
2
- title: About the aws_iam_root_user Resource
3
- platform: aws
4
- ---
5
-
6
- # aws\_iam\_root\_user
7
-
8
- Use the `aws_iam_root_user` InSpec audit resource to test properties of the root user (owner of the account).
9
-
10
- To test properties of all or multiple users, use the `aws_iam_users` resource.
11
-
12
- To test properties of a specific AWS user use the `aws_iam_user` resource.
13
-
14
- <br>
15
-
16
- ## Availability
17
-
18
- ### Installation
19
-
20
- This resource is distributed along with InSpec itself. You can use it automatically.
21
-
22
- ### Version
23
-
24
- This resource first became available in v2.0.16 of InSpec.
25
-
26
- ## Syntax
27
-
28
- An `aws_iam_root_user` resource block requires no parameters but has several matchers.
29
-
30
- describe aws_iam_root_user do
31
- it { should have_mfa_enabled }
32
- end
33
-
34
- <br>
35
-
36
- ## Examples
37
-
38
- The following examples show how to use this InSpec audit resource.
39
-
40
- ### Test that the AWS root account has at-least one access key
41
-
42
- describe aws_iam_root_user do
43
- it { should have_access_key }
44
- end
45
-
46
- ### Test that the AWS root account has Multi-Factor Authentication enabled
47
-
48
- describe aws_iam_root_user do
49
- it { should have_mfa_enabled }
50
- end
51
-
52
- <br>
53
-
54
- ## Matchers
55
-
56
- This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
57
-
58
- ### have\_mfa\_enabled
59
-
60
- The `have_mfa_enabled` matcher tests if the AWS root user has Multi-Factor Authentication enabled, requiring them to enter a secondary code when they login to the web console.
61
-
62
- it { should have_mfa_enabled }
63
-
64
- ### have\_hardware\_mfa\_enabled
65
-
66
- The `have_hardware_mfa_enabled` matcher tests if the AWS root user has Hardware Multi-Factor Authentication device enabled, requiring them to enter a secondary code when they login to the web console.
67
-
68
- it { should have_hardware_mfa_enabled }
69
-
70
- ### have\_virtual\_mfa\_enabled
71
-
72
- The `have_virtual_mfa_enabled` matcher tests if the AWS root user has Virtual Multi-Factor Authentication device enabled, requiring them to enter a secondary code when they login to the web console.
73
-
74
- it { should have_virtual_mfa_enabled }
75
-
76
- ### have\_access\_key
77
-
78
- The `have_access_key` matcher tests if the AWS root user has at least one access key.
79
-
80
- it { should have_access_key }
81
-
82
- ## AWS Permissions
83
-
84
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetAccountSummary` action with Effect set to Allow.
85
-
86
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
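Review bot: the first example at lines 40-44, "Test that the AWS root account has at-least one access key" with `it { should have_access_key }`, is a control that passes when the root user has an access key, which is the opposite of what an audit of the root account wants (root access keys should not exist); the example should be `it { should_not have_access_key }`, and the `have_access_key` matcher text at line 78 should say that `should_not` is the expected usage. Also, the `have_hardware_mfa_enabled` and `have_virtual_mfa_enabled` descriptions at lines 66 and 72 are copies of the `have_mfa_enabled` sentence with one word changed and never say how the two differ (a physical token versus a virtual/TOTP device), and the AWS Permissions section at line 84 lists only `iam:GetAccountSummary`, which reports whether account MFA is enabled but cannot tell a hardware device from a virtual one, so the permissions for the hardware/virtual matchers look incomplete (`iam:ListVirtualMFADevices` is the call that makes that distinction). "at-least" at line 40 should be "at least".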