
Chef InSpec and AWS

Chef InSpec has resources for auditing AWS.

Initialize an InSpec profile for auditing AWS

With Chef InSpec 4 or greater, you can create a profile for testing AWS resources with inspec init profile:

$ inspec init profile --platform aws <PROFILE_NAME>
Create new profile at /Users/me/<PROFILE_NAME>
 * Creating directory libraries
 * Creating file README.md
 * Creating directory controls
 * Creating file controls/example.rb
 * Creating file inspec.yml
 * Creating file inputs.yml
 * Creating file libraries/.gitkeep

Assuming the inputs.yml file contains your AWS project ID, you can execute this sample profile using the following command:

inspec exec <PROFILE_NAME> --input-file=<PROFILE_NAME>/inputs.yml -t aws://

Set AWS credentials

Chef InSpec uses the standard AWS authentication mechanisms. Typically, you will create an IAM user specifically for auditing activities.

  1. Create an IAM user in the AWS console, with your choice of username. Check the box marked “Programmatic Access.”

  2. On the Permissions screen, choose Direct Attach. Select the AWS-managed IAM profile named “ReadOnlyAccess.” If you wish to restrict the user further, you may do so; see individual Chef InSpec resources to identify which permissions are required.

  3. After generating the key, record the access key ID and secret key.

Provide credentials with environment variables

You may provide the credentials to Chef InSpec by setting the following environment variables: AWS_REGION, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. You may also use AWS_PROFILE, or if you are using MFA, AWS_SESSION_TOKEN. See the AWS Command Line Interface Docs for details.

Once you have your environment variables set, you can verify your credentials by running:

$ inspec detect -t aws://

== Platform Details
Name:      aws
Families:  cloud, api
Release:   aws-sdk-v2.10.125

Provide credentials using Chef InSpec target option

Look for a file in your home directory named ~/.aws/credentials. If it does not exist, create it. Choose a name for your profile; here, we’re using the name ‘auditing’. Add your credentials as a new profile, in INI format:

[auditing]
aws_access_key_id = AKIA....
aws_secret_access_key = 1234....abcd

You may now run Chef InSpec using the --target / -t option, using the format -t aws://region/profile. For example, to connect to the Ohio region using a profile named ‘auditing’, use -t aws://us-east-2/auditing.

To verify your credentials, run:

$ inspec detect -t aws://

== Platform Details
Name:      aws
Families:  cloud, api
Release:   aws-sdk-v2.10.125
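The two credential methods above, worked through as an added example that is not part of the InSpec project: a small Ruby helper that parses an InSpec AWS target of the form aws://region/profile, looks the profile up in an INI-format credentials file (a constructed sample is embedded), and returns the same environment variables the page lists. The region pattern, the fallback to a profile named default, and the optional aws_session_token key are assumptions.

```ruby
# Added example, not InSpec's own code: map "aws://region/profile" plus an
# INI credentials file onto AWS_REGION / AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY.

# Assumed region shape (e.g. us-east-2, ap-southeast-1); both parts are optional,
# so a bare "aws://" is valid and means "use the default profile and region".
AWS_TARGET = %r{\Aaws://(?:(?<region>[a-z]{2}(?:-[a-z]+)+-\d)(?:/(?<profile>[^/]+))?)?\z}

# Parse an InSpec -t target into its region and profile (nil when absent).
def parse_aws_target(target)
  m = AWS_TARGET.match(target)
  raise ArgumentError, "not an aws:// target: #{target}" unless m
  { region: m[:region], profile: m[:profile] }
end

# Minimal INI reader for ~/.aws/credentials: [section] headers, key = value lines,
# blank lines and '#'/';' comment lines. Values are kept verbatim.
def parse_credentials_ini(text)
  profiles = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#", ";")
    if (hdr = line.match(/\A\[(.+)\]\z/))
      current = hdr[1].strip
      profiles[current] = {}
    elsif current && (kv = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      profiles[current][kv[1]] = kv[2]
    end
  end
  profiles
end

# Resolve a target against the INI text; raises KeyError if the profile or a
# required key is missing, so a typo in the profile name fails early.
def resolve_aws_env(target, ini_text, default_profile: "default")
  t = parse_aws_target(target)
  name = t[:profile] || default_profile
  creds = parse_credentials_ini(ini_text)[name]
  raise KeyError, "profile '#{name}' not found in credentials file" unless creds
  env = {
    "AWS_ACCESS_KEY_ID"     => creds.fetch("aws_access_key_id"),
    "AWS_SECRET_ACCESS_KEY" => creds.fetch("aws_secret_access_key"),
  }
  env["AWS_REGION"] = t[:region] if t[:region]
  env["AWS_SESSION_TOKEN"] = creds["aws_session_token"] if creds["aws_session_token"] # MFA case
  env
end

# Constructed sample credentials file; the key values are placeholders, not real keys.
SAMPLE_CREDENTIALS = <<~INI
  # constructed sample
  [default]
  aws_access_key_id = AKIAEXAMPLEDEFAULT
  aws_secret_access_key = example-default-secret

  [auditing]
  aws_access_key_id = AKIAEXAMPLEAUDIT
  aws_secret_access_key = example-audit-secret
INI

puts resolve_aws_env("aws://us-east-2/auditing", SAMPLE_CREDENTIALS).inspect if __FILE__ == $PROGRAM_NAME
```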

AWS resources
