inspec 2.3.10 → 2.3.23

data/docs/resources/aws_kms_keys.md.erb

@@ -1,99 +0,0 @@
----
-title: About the aws_kms_keys Resource
-platform: aws
----
-
-# aws\_kms\_keys
-
-Use the `aws_kms_keys` InSpec audit resource to test properties of some or all AWS KMS Keys.
-
-AWS Key Management Service (KMS) is a managed service that makes creating and controlling your encryption keys for your data easier. KMS uses Hardware Security Modules (HSMs) to protect the security of your keys.
-
-AWS Key Management Service is integrated with several other AWS services to help you protect the data you store with these services.
-
-Each AWS KMS Key is uniquely identified by its key-id or key-arn.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v2.0.16 of InSpec.
-
-## Syntax
-
-An `aws_kms_keys` resource block uses an optional filter to select a group of KMS Keys and then tests that group.
-
-    # Verify the number of KMS keys in the AWS account
-    describe aws_kms_keys do
-      its('entries.count') { should cmp 10 }
-    end
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-As this is the initial release of `aws_kms_keys`, its limited functionality precludes examples.
-
-<br>
-
-## Properties
-
-* `entries`, `key_arns`, `key_ids`
-
-<br>
-
-## Property Examples
-
-### entries
-
-Provides access to the raw results of a query. This can be useful for checking counts and other advanced operations.
-
-    # Allow at most 100 KMS Keys on the account
-    describe aws_kms_keys do
-      its('entries.count') { should be <= 100}
-    end
-
-### key\_arns
-
-Provides a list of key arns for all KMS Keys in the AWS account.
-
-    describe aws_kms_keys do
-      its('key_arns') { should include('arn:aws:kms:us-east-1::key/key-id') }
-    end
-
-### key\_ids
-
-Provides a list of key ids for all KMS Keys in the AWS account.
-
-    describe aws_kms_keys do
-      its('key_ids') { should include('fd7e608b-f435-4186-b8b5-111111111111') }
-    end
-
-<br>
-
-## Matchers
-
-This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### exists
-
-The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches.
-
-    # Verify that at least one KMS Key exists.
-    describe aws_kms_keys
-      it { should exist }
-    end
-
-## AWS Permissions
-
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `kms:ListKeys` action with Effect set to Allow.
-
-You can find detailed documentation at [Actions, Resources, and Condition Keys for AWS Key Management Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html).

data/docs/resources/aws_rds_instance.md.erb

@@ -1,76 +0,0 @@
----
-title: About the aws_rds_instance Resource
----
-
-# aws\_rds\_instance
-
-Use the `aws_rds_instance` InSpec audit resource to test detailed properties of an individual RDS instance.
-
-RDS gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v2.1.21 of InSpec.
-
-## Syntax
-
-An `aws_rds_instance` resource block uses resource parameters to search for an RDS instance, and then tests that RDS instance.  If no RDS instances match, no error is raised, but the `exists` matcher will return `false` and all properties will be `nil`.  If more than one RDS instance matches (due to vague search parameters), an error is raised.
-
-    # Ensure you have a RDS instance with a certain ID
-    # This is "safe" - RDS IDs are unique within an account
-    describe aws_rds_instance('test-instance-id') do
-      it { should exist }
-    end
-
-    # Ensure you have a RDS instance with a certain ID
-    # This uses hash syntax
-    describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
-      it { should exist }
-    end
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-As this is the initial release of `aws_rds_instance`, its limited functionality precludes examples.
-
-<br>
-
-## Resource Parameters
-
-This InSpec resource accepts the following parameters, which are used to search for the RDS instance.
-
-### exists
-
-The control will pass if the specified RDS instance was found.  Use should_not if you want to verify that the specified RDS instance does not exist.
-
-    # Using Hash syntax
-    describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
-      it { should exist }
-    end
-
-    # Using the instance id directly from the terraform file
-    describe aws_rds_instance(fixtures['rds_db_instance_id']) do
-      it { should exist }
-    end
-
-    # Make sure we don't have any RDS instances with the name 'nogood'
-    describe aws_rds_instance('nogood') do
-      it { should_not exist }
-    end
-
-## AWS Permissions
-
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `rds:DescribeDBInstances` action with Effect set to Allow.
-
-You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon RDS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrds.html).

data/docs/resources/aws_route_table.md.erb

@@ -1,63 +0,0 @@
----
-title: About the aws_route_table Resource
-platform: aws
----
-
-# aws\_route\_table
-
-Use the `aws_route_table` InSpec audit resource to test properties of a single Route Table. A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v2.0.16 of InSpec.
-
-## Syntax
-
-    # Ensure that a certain route table exists by name
-    describe aws_route_table('rtb-123abcde') do
-      it { should exist }
-    end
-
-## Resource Parameters
-
-### route\_table\_id
-
-This resource expects a single parameter that uniquely identifies the Route Table. You may pass it as a string, or as the value in a hash:
-
-    describe aws_route_table('rtb-123abcde') do
-      it { should exist }
-    end
-    # Same
-    describe aws_route_table(route_table_id: 'rtb-123abcde') do
-      it { should exist }
-    end
-
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### exist
-
-Indicates that the Route Table provided was found.  Use `should_not` to test for Route Tables that should not exist.
-
-    describe aws_route_table('should-be-there') do
-      it { should exist }
-    end
-
-    describe aws_route_table('should-not-be-there') do
-      it { should_not exist }
-    end
-
-## AWS Permissions
-
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeRouteTables` action with Effect set to Allow.
-
-You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).

data/docs/resources/aws_route_tables.md.erb

@@ -1,65 +0,0 @@
----
-title: About the aws_route_tables Resource
----
-
-# aws\_route\_table
-
-Use the `aws_route_tables` InSpec audit resource to test properties of all or a group of Route Tables. A Route Table contains a set of rules, called routes, that are used to determine where network traffic is directed.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v2.1.30 of InSpec.
-
-## Syntax
-
-  # Ensure that there is at least one route table
-  describe aws_route_tables do
-    it { should exist }
-  end
-
-## Matchers
-
-### exist
-
-Indicates that at least one Route Table was found.  Use should_not to test that no Route Tables should exist.
-
-    describe aws_route_tables do
-      it { should exist }
-    end
-
-    describe aws_route_tables do
-      it { should_not exist }
-    end
-
-## Properties
-
-### vpc\_ids
-
-Lists all VPCs that are in the Route Tables.
-
-    describe aws_route_tables do
-      its('vpc_ids') { should include 'vpc_12345678' }
-    end
-
-
-### route\_table\_ids
-
-Lists all of the Route Table IDs.
-
-    describe aws_route_tables do
-      its('route_table_ids') { should include 'rtb-12345678' }
-    end
-
-## AWS Permissions
-
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeRouteTables` action with Effect set to Allow.
-
-You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).

data/docs/resources/aws_s3_bucket.md.erb

@@ -1,156 +0,0 @@
----
-title: About the aws_s3_bucket Resource
-platform: aws
----
-
-# aws\_s3\_bucket
-
-Use the `aws_s3_bucket` InSpec audit resource to test properties of a single AWS bucket.
-
-To test properties of a multiple S3 buckets, use the `aws_s3_buckets` resource.
-
-<br>
-
-## Limitations
-
-S3 bucket security is a complex matter. For details on how AWS evaluates requests for access, please see [the AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/how-s3-evaluates-access-control.html). S3 buckets and the objects they contain support three different types of access control: bucket ACLs, bucket policies, and object ACLs.
-
-As of January 2018, this resource supports evaluating bucket ACLs and bucket policies. We do not support evaluating object ACLs because it introduces scalability concerns in the AWS API; we recommend using AWS mechanisms such as CloudTrail and Config to detect insecure object ACLs.
-
-In particular, users of the `be_public` matcher should carefully examine the conditions under which the matcher will detect an insecure bucket. See the `be_public` section under the Matchers section below.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v2.0.16 of InSpec.
-
-## Syntax
-
-An `aws_s3_bucket` resource block declares a bucket by name, and then lists tests to be performed.
-
-    describe aws_s3_bucket(bucket_name: 'test_bucket') do
-      it { should exist }
-      it { should_not be_public }
-    end
-
-    describe aws_s3_bucket('test_bucket') do
-      it { should exist }
-    end
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-### Test the bucket-level ACL
-
-    describe aws_s3_bucket('test_bucket') do
-      its('bucket_acl.count') { should eq 1 }
-    end
-
-### Check if a bucket has a bucket policy
-
-    describe aws_s3_bucket('test_bucket') do
-      its('bucket_policy') { should be_empty }
-    end
-
-### Check if a bucket appears to be exposed to the public
-
-    # See Limitations section above
-    describe aws_s3_bucket('test_bucket') do
-      it { should_not be_public }
-    end
-<br>
-
-## Properties
-
-### region
-
-The `region` property identifies the AWS Region in which the S3 bucket is located.
-
-    describe aws_s3_bucket('test_bucket') do
-      # Check if the correct region is set
-      its('region') { should eq 'us-east-1' }
-    end
-
-## Unsupported Properties
-
-### bucket\_acl
-
-The `bucket_acl` property is a low-level property that lists the individual Bucket ACL grants  in effect on the bucket.  Other higher-level properties, such as be\_public, are more concise and easier to use. You can use the `bucket_acl` property to investigate which grants are in effect, causing be\_public to fail.
-
-The value of bucket_acl is  an array of simple objects.  Each object has a `permission` property and a `grantee` property.  The `permission` property will be a string such as 'READ', 'WRITE' etc (See the [AWS documentation](https://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Client.html#get_bucket_acl-instance_method) for a full list).  The `grantee` property contains sub-properties, such as `type` and `uri`.
-
-
-    bucket_acl = aws_s3_bucket('my-bucket')
-
-    # Look for grants to "AllUsers" (that is, the public)
-    all_users_grants = bucket_acl.select do |g|
-      g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/
-    end
-
-    # Look for grants to "AuthenticatedUsers" (that is, any authenticated AWS user - nearly public)
-    auth_grants = bucket_acl.select do |g|
-      g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/
-    end
-
-### bucket\_policy
-
-The `bucket_policy` is a low-level property that describes the IAM policy document controlling access to the bucket. The `bucket_policy` property returns a Ruby structure that you can probe to check for particular statements.  We recommend using a higher-level property, such as `be_public`, which is concise and easier to implement in your policy files.
-
-The `bucket_policy` property returns an array of simple objects, each object being an IAM Policy Statement. See the [AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-2) for details about the structure of this data.
-
-If there is no bucket policy, this property returns an empty array.
-
-    bucket_policy = aws_s3_bucket('my-bucket')
-
-    # Look for statements that allow the general public to do things
-    # This may be a false positive; it is possible these statements
-    # could be protected by conditions, such as IP restrictions.
-    public_statements = bucket_policy.select do |s|
-      s.effect == 'Allow' && s.principal == '*'
-    end
-
-<br>
-
-## Matchers
-
-This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### be\_public
-
-The `be_public` matcher tests if the bucket has potentially insecure access controls. This high-level matcher detects several insecure conditions, which may be enhanced in the future. Currently, the matcher reports an insecure bucket if any of the following conditions are met:
-
-  1. A bucket ACL grant exists for the 'AllUsers' group
-  2. A bucket ACL grant exists for the 'AuthenticatedUsers' group
-  3. A bucket policy has an effect 'Allow' and principal '*'
-
-Note: This resource does not detect insecure object ACLs.
-
-    it { should_not be_public }
-
-### have\_access\_logging\_enabled
-
-The `have_access_logging_enabled` matcher tests if access logging is enabled for the s3 bucket.
-
-    it { should have_access_logging_enabled }
-
-### have\_default\_encryption\_enabled
-
-The `have_default_encryption_enabled` matcher tests if default encryption is enabled for the s3 bucket.
-
-    it { should have_default_encryption_enabled }
-
-## AWS Permissions
-
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `s3:GetBucketAcl`, `s3:GetBucketLocation`, `s3:GetBucketLogging`, `s3:GetBucketPolicy`, and `s3:GetEncryptionConfiguration` actions set to allow.
-
-You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon S3](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html).