Skip to main content

aws_ebs_snapshots Resource

Use the aws_ebs_snapshots InSpec audit resource to test properties of a collection of AWS EBS Snapshots.

For additional information, including details on parameters and properties, see the AWS documentation on EBS Snapshots.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

Ensure you have exactly 3 EBS Snapshots:

describe aws_ebs_snapshots do
  its('snapshot_ids.count') { should cmp 3 }
end

Parameters

This resource does not require any parameters.

Properties

snapshot_ids
An array of the unique IDs of the EBS Snapshots that are returned.
owner_ids
An array of AWS Account IDs of the owners of the EBS Snapshots that are returned.
encrypted
An array of booleans indicating whether the EBS Snapshots returned are encrypted.
tags
An array of hashes; each hash is a set of keys and values for tags for one of the EBS Snapshots returned, and may be empty.
entries
Provides access to the raw results of the query, which can be treated as an array of hashes.

Examples

Ensure a specific EBS Snapshot exists.

describe aws_ebs_snapshots do
  its('snapshot_ids') { should include 'SNAPSHOT_ID' }
end

Use the InSpec resource to request the IDs of all EBS Snapshots, then test in-depth using aws_ebs_snapshot to ensure all EBS Snapshots are encrypted and not public.

aws_ebs_snapshots.snapshot_ids.each do |snapshot_id|
  describe aws_ebs_snapshot(snapshot_id: snapshot_id) do
    it { should be_encrypted }
    it { should_not be_public }
  end
end

Matchers

For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.

exist

The control will pass if the describe returns at least one result.

describe aws_ebs_snapshots do
  it { should exist }
end

Use should_not to test the entity should not exist.

describe aws_ebs_snapshots do
  it { should_not exist }
end

AWS Permissions

Your Principal will need the EC2:Client::DescribeSnapshotsResult action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2, and Actions, Resources, and Condition Keys for Identity And Access Management.

Edit this page on GitHub

Thank you for your feedback!

×