inspec 2.3.10 → 2.3.23

Files changed (271)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +34 -13
  3. data/etc/plugin_filters.json +25 -0
  4. data/inspec.gemspec +3 -3
  5. data/lib/bundles/inspec-compliance/api.rb +3 -0
  6. data/lib/bundles/inspec-compliance/configuration.rb +3 -0
  7. data/lib/bundles/inspec-compliance/http.rb +3 -0
  8. data/lib/bundles/inspec-compliance/support.rb +3 -0
  9. data/lib/bundles/inspec-compliance/target.rb +3 -0
  10. data/lib/inspec/objects/attribute.rb +3 -0
  11. data/lib/inspec/plugin/v2.rb +3 -0
  12. data/lib/inspec/plugin/v2/filter.rb +62 -0
  13. data/lib/inspec/plugin/v2/installer.rb +21 -1
  14. data/lib/inspec/plugin/v2/loader.rb +4 -0
  15. data/lib/inspec/profile.rb +3 -1
  16. data/lib/inspec/version.rb +1 -1
  17. data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +25 -3
  18. data/lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb +65 -11
  19. data/lib/plugins/inspec-plugin-manager-cli/test/unit/cli_args_test.rb +5 -1
  20. data/lib/resources/package.rb +1 -1
  21. metadata +5 -253
  22. data/MAINTAINERS.toml +0 -52
  23. data/docs/.gitignore +0 -2
  24. data/docs/README.md +0 -41
  25. data/docs/dev/control-eval.md +0 -62
  26. data/docs/dev/filtertable-internals.md +0 -353
  27. data/docs/dev/filtertable-usage.md +0 -533
  28. data/docs/dev/integration-testing.md +0 -31
  29. data/docs/dev/plugins.md +0 -323
  30. data/docs/dsl_inspec.md +0 -354
  31. data/docs/dsl_resource.md +0 -100
  32. data/docs/glossary.md +0 -381
  33. data/docs/habitat.md +0 -193
  34. data/docs/inspec_and_friends.md +0 -114
  35. data/docs/matchers.md +0 -161
  36. data/docs/migration.md +0 -293
  37. data/docs/platforms.md +0 -119
  38. data/docs/plugin_kitchen_inspec.md +0 -60
  39. data/docs/plugins.md +0 -57
  40. data/docs/profiles.md +0 -576
  41. data/docs/reporters.md +0 -170
  42. data/docs/resources/aide_conf.md.erb +0 -86
  43. data/docs/resources/apache.md.erb +0 -77
  44. data/docs/resources/apache_conf.md.erb +0 -78
  45. data/docs/resources/apt.md.erb +0 -81
  46. data/docs/resources/audit_policy.md.erb +0 -57
  47. data/docs/resources/auditd.md.erb +0 -89
  48. data/docs/resources/auditd_conf.md.erb +0 -78
  49. data/docs/resources/aws_cloudtrail_trail.md.erb +0 -165
  50. data/docs/resources/aws_cloudtrail_trails.md.erb +0 -96
  51. data/docs/resources/aws_cloudwatch_alarm.md.erb +0 -101
  52. data/docs/resources/aws_cloudwatch_log_metric_filter.md.erb +0 -164
  53. data/docs/resources/aws_config_delivery_channel.md.erb +0 -111
  54. data/docs/resources/aws_config_recorder.md.erb +0 -96
  55. data/docs/resources/aws_ebs_volume.md.erb +0 -76
  56. data/docs/resources/aws_ebs_volumes.md.erb +0 -86
  57. data/docs/resources/aws_ec2_instance.md.erb +0 -122
  58. data/docs/resources/aws_ec2_instances.md.erb +0 -89
  59. data/docs/resources/aws_elb.md.erb +0 -154
  60. data/docs/resources/aws_elbs.md.erb +0 -252
  61. data/docs/resources/aws_flow_log.md.erb +0 -128
  62. data/docs/resources/aws_iam_access_key.md.erb +0 -139
  63. data/docs/resources/aws_iam_access_keys.md.erb +0 -214
  64. data/docs/resources/aws_iam_group.md.erb +0 -74
  65. data/docs/resources/aws_iam_groups.md.erb +0 -92
  66. data/docs/resources/aws_iam_password_policy.md.erb +0 -92
  67. data/docs/resources/aws_iam_policies.md.erb +0 -97
  68. data/docs/resources/aws_iam_policy.md.erb +0 -264
  69. data/docs/resources/aws_iam_role.md.erb +0 -79
  70. data/docs/resources/aws_iam_root_user.md.erb +0 -86
  71. data/docs/resources/aws_iam_user.md.erb +0 -130
  72. data/docs/resources/aws_iam_users.md.erb +0 -289
  73. data/docs/resources/aws_kms_key.md.erb +0 -187
  74. data/docs/resources/aws_kms_keys.md.erb +0 -99
  75. data/docs/resources/aws_rds_instance.md.erb +0 -76
  76. data/docs/resources/aws_route_table.md.erb +0 -63
  77. data/docs/resources/aws_route_tables.md.erb +0 -65
  78. data/docs/resources/aws_s3_bucket.md.erb +0 -156
  79. data/docs/resources/aws_s3_bucket_object.md.erb +0 -99
  80. data/docs/resources/aws_s3_buckets.md.erb +0 -69
  81. data/docs/resources/aws_security_group.md.erb +0 -323
  82. data/docs/resources/aws_security_groups.md.erb +0 -107
  83. data/docs/resources/aws_sns_subscription.md.erb +0 -140
  84. data/docs/resources/aws_sns_topic.md.erb +0 -79
  85. data/docs/resources/aws_sns_topics.md.erb +0 -68
  86. data/docs/resources/aws_subnet.md.erb +0 -150
  87. data/docs/resources/aws_subnets.md.erb +0 -142
  88. data/docs/resources/aws_vpc.md.erb +0 -135
  89. data/docs/resources/aws_vpcs.md.erb +0 -135
  90. data/docs/resources/azure_generic_resource.md.erb +0 -183
  91. data/docs/resources/azure_resource_group.md.erb +0 -294
  92. data/docs/resources/azure_virtual_machine.md.erb +0 -357
  93. data/docs/resources/azure_virtual_machine_data_disk.md.erb +0 -234
  94. data/docs/resources/bash.md.erb +0 -85
  95. data/docs/resources/bond.md.erb +0 -100
  96. data/docs/resources/bridge.md.erb +0 -67
  97. data/docs/resources/bsd_service.md.erb +0 -77
  98. data/docs/resources/chocolatey_package.md.erb +0 -68
  99. data/docs/resources/command.md.erb +0 -176
  100. data/docs/resources/cpan.md.erb +0 -89
  101. data/docs/resources/cran.md.erb +0 -74
  102. data/docs/resources/crontab.md.erb +0 -103
  103. data/docs/resources/csv.md.erb +0 -64
  104. data/docs/resources/dh_params.md.erb +0 -221
  105. data/docs/resources/directory.md.erb +0 -40
  106. data/docs/resources/docker.md.erb +0 -240
  107. data/docs/resources/docker_container.md.erb +0 -113
  108. data/docs/resources/docker_image.md.erb +0 -104
  109. data/docs/resources/docker_plugin.md.erb +0 -80
  110. data/docs/resources/docker_service.md.erb +0 -124
  111. data/docs/resources/elasticsearch.md.erb +0 -252
  112. data/docs/resources/etc_fstab.md.erb +0 -135
  113. data/docs/resources/etc_group.md.erb +0 -85
  114. data/docs/resources/etc_hosts.md.erb +0 -88
  115. data/docs/resources/etc_hosts_allow.md.erb +0 -84
  116. data/docs/resources/etc_hosts_deny.md.erb +0 -84
  117. data/docs/resources/file.md.erb +0 -543
  118. data/docs/resources/filesystem.md.erb +0 -51
  119. data/docs/resources/firewalld.md.erb +0 -117
  120. data/docs/resources/gem.md.erb +0 -108
  121. data/docs/resources/group.md.erb +0 -71
  122. data/docs/resources/grub_conf.md.erb +0 -111
  123. data/docs/resources/host.md.erb +0 -96
  124. data/docs/resources/http.md.erb +0 -207
  125. data/docs/resources/iis_app.md.erb +0 -132
  126. data/docs/resources/iis_site.md.erb +0 -145
  127. data/docs/resources/inetd_conf.md.erb +0 -104
  128. data/docs/resources/ini.md.erb +0 -86
  129. data/docs/resources/interface.md.erb +0 -68
  130. data/docs/resources/iptables.md.erb +0 -74
  131. data/docs/resources/json.md.erb +0 -73
  132. data/docs/resources/kernel_module.md.erb +0 -130
  133. data/docs/resources/kernel_parameter.md.erb +0 -63
  134. data/docs/resources/key_rsa.md.erb +0 -95
  135. data/docs/resources/launchd_service.md.erb +0 -67
  136. data/docs/resources/limits_conf.md.erb +0 -85
  137. data/docs/resources/login_defs.md.erb +0 -81
  138. data/docs/resources/mount.md.erb +0 -79
  139. data/docs/resources/mssql_session.md.erb +0 -78
  140. data/docs/resources/mysql_conf.md.erb +0 -109
  141. data/docs/resources/mysql_session.md.erb +0 -84
  142. data/docs/resources/nginx.md.erb +0 -89
  143. data/docs/resources/nginx_conf.md.erb +0 -148
  144. data/docs/resources/npm.md.erb +0 -78
  145. data/docs/resources/ntp_conf.md.erb +0 -70
  146. data/docs/resources/oneget.md.erb +0 -63
  147. data/docs/resources/oracledb_session.md.erb +0 -103
  148. data/docs/resources/os.md.erb +0 -153
  149. data/docs/resources/os_env.md.erb +0 -101
  150. data/docs/resources/package.md.erb +0 -130
  151. data/docs/resources/packages.md.erb +0 -77
  152. data/docs/resources/parse_config.md.erb +0 -113
  153. data/docs/resources/parse_config_file.md.erb +0 -148
  154. data/docs/resources/passwd.md.erb +0 -151
  155. data/docs/resources/pip.md.erb +0 -77
  156. data/docs/resources/port.md.erb +0 -147
  157. data/docs/resources/postgres_conf.md.erb +0 -89
  158. data/docs/resources/postgres_hba_conf.md.erb +0 -103
  159. data/docs/resources/postgres_ident_conf.md.erb +0 -86
  160. data/docs/resources/postgres_session.md.erb +0 -79
  161. data/docs/resources/powershell.md.erb +0 -112
  162. data/docs/resources/processes.md.erb +0 -119
  163. data/docs/resources/rabbitmq_config.md.erb +0 -51
  164. data/docs/resources/registry_key.md.erb +0 -197
  165. data/docs/resources/runit_service.md.erb +0 -67
  166. data/docs/resources/security_policy.md.erb +0 -57
  167. data/docs/resources/service.md.erb +0 -131
  168. data/docs/resources/shadow.md.erb +0 -267
  169. data/docs/resources/ssh_config.md.erb +0 -83
  170. data/docs/resources/sshd_config.md.erb +0 -93
  171. data/docs/resources/ssl.md.erb +0 -129
  172. data/docs/resources/sys_info.md.erb +0 -52
  173. data/docs/resources/systemd_service.md.erb +0 -67
  174. data/docs/resources/sysv_service.md.erb +0 -67
  175. data/docs/resources/upstart_service.md.erb +0 -67
  176. data/docs/resources/user.md.erb +0 -150
  177. data/docs/resources/users.md.erb +0 -137
  178. data/docs/resources/vbscript.md.erb +0 -65
  179. data/docs/resources/virtualization.md.erb +0 -67
  180. data/docs/resources/windows_feature.md.erb +0 -69
  181. data/docs/resources/windows_hotfix.md.erb +0 -63
  182. data/docs/resources/windows_task.md.erb +0 -95
  183. data/docs/resources/wmi.md.erb +0 -91
  184. data/docs/resources/x509_certificate.md.erb +0 -161
  185. data/docs/resources/xinetd_conf.md.erb +0 -166
  186. data/docs/resources/xml.md.erb +0 -95
  187. data/docs/resources/yaml.md.erb +0 -79
  188. data/docs/resources/yum.md.erb +0 -108
  189. data/docs/resources/zfs_dataset.md.erb +0 -63
  190. data/docs/resources/zfs_pool.md.erb +0 -57
  191. data/docs/shared/matcher_be.md.erb +0 -1
  192. data/docs/shared/matcher_cmp.md.erb +0 -43
  193. data/docs/shared/matcher_eq.md.erb +0 -3
  194. data/docs/shared/matcher_include.md.erb +0 -1
  195. data/docs/shared/matcher_match.md.erb +0 -1
  196. data/docs/shell.md +0 -217
  197. data/docs/style.md +0 -178
  198. data/examples/README.md +0 -8
  199. data/examples/custom-resource/README.md +0 -3
  200. data/examples/custom-resource/controls/example.rb +0 -7
  201. data/examples/custom-resource/inspec.yml +0 -8
  202. data/examples/custom-resource/libraries/batsignal.rb +0 -20
  203. data/examples/custom-resource/libraries/gordon.rb +0 -21
  204. data/examples/inheritance/README.md +0 -65
  205. data/examples/inheritance/controls/example.rb +0 -14
  206. data/examples/inheritance/inspec.yml +0 -16
  207. data/examples/kitchen-ansible/.kitchen.yml +0 -25
  208. data/examples/kitchen-ansible/Gemfile +0 -19
  209. data/examples/kitchen-ansible/README.md +0 -53
  210. data/examples/kitchen-ansible/files/nginx.repo +0 -6
  211. data/examples/kitchen-ansible/tasks/main.yml +0 -16
  212. data/examples/kitchen-ansible/test/integration/default/default.yml +0 -5
  213. data/examples/kitchen-ansible/test/integration/default/web_spec.rb +0 -28
  214. data/examples/kitchen-chef/.kitchen.yml +0 -20
  215. data/examples/kitchen-chef/Berksfile +0 -3
  216. data/examples/kitchen-chef/Gemfile +0 -19
  217. data/examples/kitchen-chef/README.md +0 -27
  218. data/examples/kitchen-chef/metadata.rb +0 -7
  219. data/examples/kitchen-chef/recipes/default.rb +0 -6
  220. data/examples/kitchen-chef/recipes/nginx.rb +0 -30
  221. data/examples/kitchen-chef/test/integration/default/web_spec.rb +0 -28
  222. data/examples/kitchen-puppet/.kitchen.yml +0 -23
  223. data/examples/kitchen-puppet/Gemfile +0 -20
  224. data/examples/kitchen-puppet/Puppetfile +0 -25
  225. data/examples/kitchen-puppet/README.md +0 -53
  226. data/examples/kitchen-puppet/manifests/site.pp +0 -33
  227. data/examples/kitchen-puppet/metadata.json +0 -11
  228. data/examples/kitchen-puppet/modules/.gitkeep +0 -0
  229. data/examples/kitchen-puppet/test/integration/default/web_spec.rb +0 -28
  230. data/examples/meta-profile/README.md +0 -37
  231. data/examples/meta-profile/controls/example.rb +0 -13
  232. data/examples/meta-profile/inspec.yml +0 -13
  233. data/examples/plugins/inspec-resource-lister/Gemfile +0 -12
  234. data/examples/plugins/inspec-resource-lister/LICENSE +0 -13
  235. data/examples/plugins/inspec-resource-lister/README.md +0 -62
  236. data/examples/plugins/inspec-resource-lister/Rakefile +0 -40
  237. data/examples/plugins/inspec-resource-lister/inspec-resource-lister.gemspec +0 -45
  238. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister.rb +0 -16
  239. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/cli_command.rb +0 -70
  240. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/plugin.rb +0 -55
  241. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/version.rb +0 -10
  242. data/examples/plugins/inspec-resource-lister/test/fixtures/README.md +0 -24
  243. data/examples/plugins/inspec-resource-lister/test/functional/README.md +0 -18
  244. data/examples/plugins/inspec-resource-lister/test/functional/inspec_resource_lister_test.rb +0 -110
  245. data/examples/plugins/inspec-resource-lister/test/helper.rb +0 -26
  246. data/examples/plugins/inspec-resource-lister/test/unit/README.md +0 -17
  247. data/examples/plugins/inspec-resource-lister/test/unit/cli_args_test.rb +0 -64
  248. data/examples/plugins/inspec-resource-lister/test/unit/plugin_def_test.rb +0 -51
  249. data/examples/profile-attribute.yml +0 -2
  250. data/examples/profile-attribute/README.md +0 -14
  251. data/examples/profile-attribute/controls/example.rb +0 -11
  252. data/examples/profile-attribute/inspec.yml +0 -8
  253. data/examples/profile-aws/controls/iam_password_policy_expiration.rb +0 -8
  254. data/examples/profile-aws/controls/iam_password_policy_max_age.rb +0 -8
  255. data/examples/profile-aws/controls/iam_root_user_mfa.rb +0 -8
  256. data/examples/profile-aws/controls/iam_users_access_key_age.rb +0 -8
  257. data/examples/profile-aws/controls/iam_users_console_users_mfa.rb +0 -8
  258. data/examples/profile-aws/inspec.yml +0 -11
  259. data/examples/profile-azure/controls/azure_resource_group_example.rb +0 -24
  260. data/examples/profile-azure/controls/azure_vm_example.rb +0 -29
  261. data/examples/profile-azure/inspec.yml +0 -11
  262. data/examples/profile-sensitive/README.md +0 -29
  263. data/examples/profile-sensitive/controls/sensitive-failures.rb +0 -9
  264. data/examples/profile-sensitive/controls/sensitive.rb +0 -9
  265. data/examples/profile-sensitive/inspec.yml +0 -8
  266. data/examples/profile/README.md +0 -48
  267. data/examples/profile/controls/example.rb +0 -24
  268. data/examples/profile/controls/gordon.rb +0 -36
  269. data/examples/profile/controls/meta.rb +0 -36
  270. data/examples/profile/inspec.yml +0 -11
  271. data/examples/profile/libraries/gordon_config.rb +0 -59
@@ -1,130 +0,0 @@
1
- ---
2
- title: About the aws_iam_user Resource
3
- platform: aws
4
- ---
5
-
6
- # aws\_iam\_user
7
-
8
- Use the `aws_iam_user` InSpec audit resource to test properties of a single AWS IAM user.
9
-
10
- To test properties of more than one user, use the `aws_iam_users` resource.
11
-
12
- To test properties of the special AWS root user (which owns the account), use the `aws_iam_root_user` resource.
13
-
14
- <br>
15
-
16
- ## Availability
17
-
18
- ### Installation
19
-
20
- This resource is distributed along with InSpec itself. You can use it automatically.
21
-
22
- ### Version
23
-
24
- This resource first became available in v2.0.16 of InSpec.
25
-
26
- ## Resource Parameters
27
-
28
- An `aws_iam_user` resource block declares a user by name, and then lists tests to be performed.
29
-
30
- describe aws_iam_user(username: 'test_user') do
31
- it { should exist }
32
- end
33
-
34
- <br>
35
-
36
- ## Examples
37
-
38
- The following examples show how to use this InSpec audit resource.
39
-
40
- ### Test that a user does not exist
41
-
42
- describe aws_iam_user(username: 'gone') do
43
- it { should_not exist }
44
- end
45
-
46
- ### Test that a user has multi-factor authentication enabled
47
-
48
- describe aws_iam_user(username: 'test_user') do
49
- it { should have_mfa_enabled }
50
- end
51
-
52
- ### Test that a service user does not have a password
53
-
54
- describe aws_iam_user(username: 'test_user') do
55
- it { should have_console_password }
56
- end
57
-
58
- <br>
59
-
60
- ## Properties
61
-
62
- ### attached\_policy\_arns
63
-
64
- Returns a list of IAM Managed Policy ARNs as strings that identify the policies that are attached to the user. If there are no attached policies, returns an empty list.
65
-
66
- describe aws_iam_user('bob') do
67
- # This is a customer-managed policy
68
- its('attached_policy_arns') { should include 'arn:aws:iam::123456789012:policy/test-inline-policy-01' }
69
- # This is an AWS-managed policy
70
- its('attached_policy_arns') { should include 'arn:aws:iam::aws:policy/AlexaForBusinessGatewayExecution' }
71
- end
72
-
73
- ### attached\_policy\_names
74
-
75
- Returns a list of IAM Managed Policy Names as strings that identify the policies that are attached to the user. If there are no attached policies, returns an empty list.
76
-
77
- describe aws_iam_user('bob') do
78
- # This is a customer-managed policy
79
- its('attached_policy_names') { should include 'test-inline-policy-01' }
80
- # This is an AWS-managed policy
81
- its('attached_policy_names') { should include 'AlexaForBusinessGatewayExecution' }
82
- end
83
-
84
- ### inline\_policy\_names
85
-
86
- Returns a list of IAM Inline Policy Names as strings that identify the inline policies that are directly embedded in the user. If there are no embedded policies, returns an empty list.
87
-
88
- describe aws_iam_user('bob') do
89
- its('inline_policy_names') { should include 'test-inline-policy-01' }
90
- its('inline_policy_names.count') { should eq 1 }
91
- end
92
-
93
-
94
- ## Matchers
95
-
96
- This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [universal matchers page](https://www.inspec.io/docs/reference/matchers/).
97
-
98
- ### have\_attached\_policies
99
-
100
- The `have\_attached\_policies` matcher tests if the user has at least one IAM managed policy attached to the user.
101
-
102
- describe aws_iam_user('bob') do
103
- it { should_not have_attached_policies }
104
- end
105
-
106
- ### have\_console\_password
107
-
108
- The `have_console_password` matcher tests if the user has a password that could be used to log into the AWS web console.
109
-
110
- it { should have_console_password }
111
-
112
- ### have\_inline\_policies
113
-
114
- The `have\_inline\_policies` matcher tests if the user has at least one IAM policy embedded directly in the user record.
115
-
116
- describe aws_iam_user('bob') do
117
- it { should_not have_inline_policies }
118
- end
119
-
120
- ### have\_mfa\_enabled
121
-
122
- The `have_mfa_enabled` matcher tests if the user has Multi-Factor Authentication enabled, requiring them to enter a secondary code when they login to the web console.
123
-
124
- it { should have_mfa_enabled }
125
-
126
- ## AWS Permissions
127
-
128
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetUser`, `iam:GetLoginProfile`, `iam:ListMFADevices`, `iam:ListAccessKeys`, `iam:ListUserPolicies`, and `iam:ListAttachedUserPolicies` actions set to allow.
129
-
130
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
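Review bot: the deleted aws_iam_user page carries an inverted example that should not travel with the content if it is being relocated rather than dropped: under "### Test that a service user does not have a password" the test reads `it { should have_console_password }`, the opposite of what the heading states, and should be `it { should_not have_console_password }`. The same page puts markdown escapes inside inline code spans (`have\_attached\_policies`, `have\_inline\_policies`), which render literally inside backticks and so do not match the matcher names a reader would type.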
@@ -1,289 +0,0 @@
1
- ---
2
- title: About the aws_iam_users Resource
3
- platform: aws
4
- ---
5
-
6
- # aws\_iam\_users
7
-
8
- Use the `aws_iam_users` InSpec audit resource to test properties of a all or multiple users.
9
-
10
- To test properties of a single user, use the `aws_iam_user` resource.
11
-
12
- To test properties of the special AWS root user (which owns the account), use the `aws_iam_root_user` resource.
13
-
14
- <br>
15
-
16
- ## Availability
17
-
18
- ### Installation
19
-
20
- This resource is distributed along with InSpec itself. You can use it automatically.
21
-
22
- ### Version
23
-
24
- This resource first became available in v2.0.16 of InSpec.
25
-
26
- ## Syntax
27
-
28
- An `aws_iam_users` resource block uses a filter to select a group of users and then tests that group. With no filter, it returns all AWS IAM users.
29
-
30
- # No filter
31
- # We expect 42 users
32
- describe aws_iam_users do
33
- its('usernames.count') { should eq 42 }
34
- end
35
-
36
- # Using a filter
37
- # All users should have MFA (no user without MFA should exist)
38
- describe aws_iam_users.where(has_mfa_enabled?: false) do
39
- it { should_not exist }
40
- end
41
-
42
- ## Examples
43
-
44
- The following examples show how to use this InSpec audit resource.
45
-
46
- ### Test that all users have Multi-Factor Authentication enabled
47
-
48
- describe aws_iam_users.where(has_mfa_enabled?: false) do
49
- it { should_not exist }
50
- end
51
-
52
- ### Test that at least one user has a console password to log into the AWS web console
53
-
54
- describe aws_iam_users.where(has_console_password?: true) do
55
- it { should exist }
56
- end
57
-
58
- ### Test that all users who have a console password have Multi-Factor Authentication enabled
59
-
60
- console_users_without_mfa = aws_iam_users
61
- .where(has_console_password?: true)
62
- .where(has_mfa_enabled?: false)
63
-
64
- describe console_users_without_mfa do
65
- it { should_not exist }
66
- end
67
-
68
- ### Test that all users who have a console password have used it at least once
69
-
70
- console_users_with_unused_password = aws_iam_users
71
- .where(has_console_password?: true)
72
- .where(password_never_used?: true)
73
-
74
- describe console_users_with_unused_password do
75
- it { should_not exist }
76
- end
77
-
78
- ### Test that at least one user exists who has a console password and has used it at least once
79
-
80
- console_users_with_used_password = aws_iam_users
81
- .where(has_console_password?: true)
82
- .where(password_ever_used?: true)
83
-
84
- describe console_users_with_used_password do
85
- it { should exist }
86
- end
87
-
88
-
89
- ### Test that users with passwords that have not been used for 90 days do not
90
-
91
- describe aws_iam_users.where { password_last_used_days_ago > 90 } do
92
- it { should_not exist }
93
- end
94
-
95
- <br>
96
-
97
- ## Filter Criteria
98
-
99
- You may pass filter criteria to `where` to narrow down the result set.
100
-
101
- ### has\_attached\_policies
102
-
103
- True or false. Filters the users to include only those that have at least one IAM managed policy attached to the user.
104
-
105
- # Don't attach policies to users
106
- describe aws_iam_users.where(has_attached_policies: true) do
107
- it { should_not exist }
108
- end
109
-
110
- ### has\_console\_password
111
-
112
- True or false. Filters the users to include only those that have a console password (that is, they are able to login to the AWS web UI using a password).
113
-
114
- # No console passwords for anyone
115
- describe aws_iam_users.where(has_console_password: true) do
116
- it { should_not exist }
117
- end
118
-
119
- ### has\_inline\_policies
120
-
121
- True or false. Filters the users to include only those that have at least one IAM policy directly embedded in the user record.
122
-
123
- # Embedding policies is usually hard to manage
124
- describe aws_iam_users.where(has_inline_policies: true) do
125
- it { should_not exist }
126
- end
127
-
128
- ### has\_mfa\_enabled
129
-
130
- True or false. Filters the users to include only those that have some kind of Mult-Factor Authentication enabled (virtual or hardware).
131
-
132
- # Require MFA for everyone
133
- describe aws_iam_users.where(has_mfa_enabled: false) do
134
- it { should_not exist }
135
- end
136
-
137
- ### password\_ever\_used
138
-
139
- True or false. Filters the users to include only those that have used their password at least once.
140
-
141
- # Someone should have used their password
142
- describe aws_iam_users.where(password_ever_used: true) do
143
- it { should exist }
144
- end
145
-
146
- ### password\_last\_used_days\_ago
147
-
148
- Integer. Filters the users to include only those who used their password a certain number of days ago. '0' means today.
149
-
150
- # Bob should login every day
151
- describe aws_iam_users.where(password_ever_used: true, password_last_used_days_ago:0) do
152
- its('usernames') { should include 'bob' }
153
- end
154
-
155
- # This filter is often more useful in block mode, using a greater-than
156
- # Here, audit users who have not logged in in the last 30 days
157
- describe aws_iam_users.where do
158
- password_ever_used && password_last_used_days_ago > 30
159
- end do
160
- it { should_not exist' }
161
- end
162
-
163
- ### password\_never\_used
164
-
165
- True or false. Filters the users to include only those that have used _never_ their password.
166
-
167
- # No zombie accounts!
168
- describe aws_iam_users.where(password_never_used: true) do
169
- it { should_not exist }
170
- end
171
-
172
- ### username
173
-
174
- String. Filters the users to include only those whose username matches the value you provide.
175
-
176
- # Block mode example (recommended)
177
- # Service users should not have a password
178
- describe aws_iam_users.where { username.start_with?('service') } do
179
- it { should_not have_console_password }
180
- end
181
-
182
- # Method call example. This is a poor use of aws_iam_users (plural);
183
- # if you want to audit an individual user whose username you know, use
184
- # aws_iam_user (singular)
185
- # Verify Bob exists
186
- describe aws_iam_users.where(username: 'bob') do
187
- it { should exist }
188
- end
189
-
190
- ## Properties
191
-
192
- Properties are used with the `its` test to obtain information about the matched users. Properties always return arrays, though they may be empty.
193
-
194
- ### attached\_policy\_arns
195
-
196
- Array of strings. Each entry is the ARN of an IAM managed policy that is attached to at least one matched user. The list is de-duplicated, so if you have five users that are all attached to the same policy, `attached_policy_arns` will return only one ARN, not five.
197
-
198
- # Service users should be attached to a custom service policy
199
- describe aws_iam_users.where { username.start_with?('service') } do
200
- its('attached_policy_arns') { should include 'arn:aws:iam::123456789012:policy/MyServicePolicy' }
201
- end
202
-
203
- ### attached\_policy\_names
204
-
205
- Array of strings. Each entry is the friendly name of an IAM managed policy that is attached to at least one matched user. The list is de-duplicated, so if you have five users that are all attached to the same policy, `attached_policy_names` will return only one name, not five.
206
-
207
- # Service users should be attached to a custom service policy
208
- # and not include Admin policy!
209
- describe aws_iam_users.where { username.start_with?('service') } do
210
- its('attached_policy_names') { should include 'MyServicePolicy' }
211
- its('attached_policy_names') { should_not include 'AdministratorAccess' }
212
- end
213
-
214
- ### inline\_policy\_names
215
-
216
- Array of strings. Each entry is the name of an embedded policy that is embedded in at least one matched user. Keep in mind that each user has a copy of a policy (which can then be modified). This means that two users can have an embedded policy with the same name, but very different contents. The list is de-duplicated, so if you have five users that have an inline policy with the same name, `inline_policy_names` will return only one name, not five.
217
-
218
- # Service users should have a bespoke policy
219
- describe aws_iam_users.where { username.start_with?('service') } do
220
- its('inline_policy_names') { should include 'some-bespoke-policy' }
221
- end
222
-
223
- ### usernames
224
-
225
- Array of strings. Each entry is the name of a user that matched. There will be exactly as many usernames here as there were users that matched, though it is possible to have non-unique usernames.
226
-
227
- # 42 Users, including Bob, should have a password.
228
- describe aws_iam_users.where(has_console_password: true) do
229
- its('usernames') { should include 'bob' }
230
- its('usernames.count') { should eq 42 }
231
- end
232
-
233
- ## Matchers
234
-
235
- This InSpec audit resource has the following resource-specific matchers.
236
- For a full list of available matchers, please visit our [universal matchers page](https://www.inspec.io/docs/reference/matchers/).
237
-
238
- As a plural resource, all matchers beginning with `have_` will return true if _any_ of the selected users match.
239
-
240
- ### exist
241
-
242
- The test passes if the filtered user set is not empty. This basic matcher is frequently used with `should_not` to detect undesired conditions.
243
-
244
- # Require MFA for everyone
245
- describe aws_iam_users.where(has_mfa_enabled: false) do
246
- it { should_not exist }
247
- end
248
-
249
- ### have\_attached\_policies
250
-
251
- The test passes if at least one user in the filtered set has at least one attached IAM managed policy.
252
-
253
- # Bachelors don't have attachments
254
- describe aws_iam_users.where { username =~ /bachelor/ } do
255
- it { should_not have_attached_policies }
256
- end
257
-
258
- ### have\_console\_password
259
-
260
- The test passes if at least one user in the filtered set has a console password.
261
-
262
- describe aws_iam_users do
263
- it { should_not have_console_password }
264
- end
265
-
266
- ### have\_inline\_policies
267
-
268
- The test passes if at least one user in the filtered set has at least one embedded policy.
269
-
270
- # No one should have an inline policy
271
- describe aws_iam_users do
272
- it { should_not have_inline_policies }
273
- end
274
-
275
- ### have\_mfa\_enabled
276
-
277
- The test passes if at least one user in the filtered set has MFA enabled (virtual or hardware).
278
-
279
- # At least one person should use MFA.
280
- # This does not mean ALL users have MFA.
281
- describe aws_iam_users do
282
- it { should have_mfa_enabled }
283
- end
284
-
285
- ## AWS Permissions
286
-
287
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:ListUsers`, `iam:GetLoginProfile`, `iam:ListMFADevices`, `iam:ListAccessKeys`, `iam:ListUserPolicies`, and `iam:ListAttachedUserPolicies` action with Effect set to Allow.
288
-
289
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
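Review bot: the deleted aws_iam_users page contains a Ruby syntax error in the block-mode example under "### password\_last\_used_days\_ago": `it { should_not exist' }` has a stray quote, so a reader pasting it gets a parse error; it should read `it { should_not exist }`. Two further points to carry if this content is moved: the heading "### Test that users with passwords that have not been used for 90 days do not" is cut off mid-sentence, and the Syntax section filters with `has_mfa_enabled?: false` while the Filter Criteria section uses `has_mfa_enabled: false`, so the two spellings should be reconciled to whichever key the resource actually accepts. Minor wording defects on the same page: "properties of a all or multiple users", "Mult-Factor", and "have used _never_ their password".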
@@ -1,187 +0,0 @@
1
- ---
2
- title: About the aws_kms_key Resource
3
- ---
4
-
5
- # aws\_kms\_key
6
-
7
- Use the `aws_kms_key` InSpec audit resource to test properties of a single AWS KMS Key.
8
-
9
- Use aws_kms_key to verify the properties of a single key. Use aws_kms_keys to verify the properties of all or a group of keys.
10
-
11
- AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS lets you create master keys that can never be exported from the service and which can be used to encrypt and decrypt data based on policies you define.
12
-
13
- Each AWS KMS Key is uniquely identified by its key_id or arn.
14
-
15
- <br>
16
-
17
- ## Availability
18
-
19
- ### Installation
20
-
21
- This resource is distributed along with InSpec itself. You can use it automatically.
22
-
23
- ### Version
24
-
25
- This resource first became available in v2.1.21 of InSpec.
26
-
27
- ## Syntax
28
-
29
- An aws_kms_key resource block identifies a key by key_arn or the key id.
30
-
31
- # Find a kms key by arn
32
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
33
- it { should exist }
34
- end
35
-
36
- # Find a kms key by just the id
37
- describe aws_kms_key('4321dcba-21io-23de-85he-ab0987654321') do
38
- it { should exist }
39
- end
40
-
41
- # Hash syntax for key arn
42
- describe aws_kms_key(key_arn: 'arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
43
- it { should exist }
44
- end
45
-
46
- <br>
47
-
48
- ## Examples
49
-
50
- The following examples show how to use this InSpec audit resource.
51
-
52
- ### Test that the specified key does exist
53
-
54
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
55
- it { should exist }
56
- end
57
-
58
- ### Test that the specified key is enabled
59
-
60
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
61
- it { should be_enabled }
62
- end
63
-
64
- ### Test that the specified key is rotation enabled
65
-
66
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
67
- it { should have_rotation_enabled }
68
- end
69
-
70
- <br>
71
-
72
- ## Properties
73
-
74
- ### key\_id
75
-
76
- The globally unique identifier for the key.
77
-
78
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
79
- its('key_id') { should cmp '4321dcba-21io-23de-85he-ab0987654321' }
80
- end
81
-
82
- ### arn
83
-
84
- The ARN identifier of the specified key. An ARN uniquely identifies the key within AWS.
85
-
86
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
87
- its('arn') { should cmp "arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321" }
88
- end
89
-
90
- ### creation_date
91
-
92
- Specifies the date and time when the key was created.
93
-
94
- # Makes sure that the key was created at least 10 days ago
95
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
96
- its('creation_date') { should be < Time.now - 10 * 86400 }
97
- end
98
-
99
- ### created\_days\_ago
100
-
101
- Specifies the number of days since the key was created.
102
-
103
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
104
- its('created_days_ago') { should be > 10 }
105
- end
106
-
107
-
108
- ### key\_state
109
-
110
- Specifies the state of the key one of "Enabled", "Disabled", "PendingDeletion", "PendingImport". To just check if the key is enabled or not, use the `be_enabled` matcher.
111
-
112
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
113
- its('key_state') { should cmp "Enabled" }
114
- end
115
-
116
- ### description
117
-
118
- Specifies the description of the key.
119
-
120
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
121
- its('description') { should cmp "key-description" }
122
- end
123
-
124
- ### deletion\_time
125
-
126
- Specifies the date and time after which AWS KMS deletes the key. This value is present only when KeyState is PendingDeletion , otherwise this value is nil.
127
-
128
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
129
- its('deletion_time') { should cmp > Time.now + 7 * 86400 }
130
- end
131
-
132
- ### invalidation\_time
133
-
134
- Provides the date and time until the key is not valid. Once the key is not valid, AWS KMS deletes the key and it becomes unusable. This value will be null unless the keys Origin is EXTERNAL and its matcher have_key_expiration is set to true.
135
-
136
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
137
- its('invalidation_time') { should cmp > Time.now + 7 * 86400 }
138
- end
139
-
140
- ## Matchers
141
-
142
- This InSpec audit resource has the following special matchers. For a full list of available matchers (such as `exist`) please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
143
-
144
- ### be\_enabled
145
-
146
- The test will pass if the specified key's key_state is set to enabled.
147
-
148
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
149
- it { should be_enabled }
150
- end
151
-
152
- ### be\_external
153
- Provides whether the source of the key's key material is external or not. If it is not external than it was created by AWS KMS. When it is external, the key material was imported from an existing key management infrastructure or the key lacks key material.
154
-
155
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
156
- its { should be_external }
157
- end
158
-
159
- ### be\_managed\_by\_aws
160
-
161
- Provides whether or not the key manager is from AWS. If it is not managed by AWS, it is managed by the customer.
162
-
163
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
164
- its { should be_managed_by_aws }
165
- end
166
-
167
- ### have\_key\_expiration
168
-
169
- Specifies whether the key's key material expires. This value is null unless the keys Origin is External.
170
-
171
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
172
- its { should have_key_expiration }
173
- end
174
-
175
- ### have\_rotation\_enabled
176
-
177
- The test will pass if automatic rotation of the key material is enabled for the specified key.
178
-
179
- describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
180
- it { should have_rotation_enabled }
181
- end
182
-
183
- ## AWS Permissions
184
-
185
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `kms:DescribeKey`, and `kms:GetKeyRotationStatus` actions set to allow.
186
-
187
- You can find detailed documentation at [Actions, Resources, and Condition Keys for AWS Key Management Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html).
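Review bot: The aws_kms_key.md page being deleted here carries DSL errors that should not be re-published as-is when the content moves: deleted lines 156, 164 and 172 read `its { should be_external }`, `its { should be_managed_by_aws }` and `its { should have_key_expiration }`, but `its` takes a property name, so these three blocks need `it { should ... }` in the form the other matcher examples on lines 149 and 180 already use. Every example ARN in the file (`arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321`, lines 32 through 179) also has an empty account-id field and a key id containing non-hex characters (`io`, `he`), so a reader who copies it gets a lookup failure rather than a working test; an obviously fake 12-digit account id and a UUID-shaped key id would avoid that. As with the other doc removals, the AWS Permissions section (lines 185-187, `kms:DescribeKey` and `kms:GetKeyRotationStatus`) is the least-privilege reference users depend on, so the hunk should be accompanied by a pointer to the new location of the page.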