aws_kms_keys Resource

Use the aws_kms_keys InSpec audit resource to test properties of some or all AWS KMS Keys.

AWS Key Management Service (KMS) is a managed service that makes creating and controlling your encryption keys for your data easier. KMS uses Hardware Security Modules (HSMs) to protect the security of your keys.

AWS Key Management Service is integrated with several other AWS services to help you protect the data you store with these services.

For additional information, including details on parameters and properties, see the AWS documentation on KMS Keys.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

An aws_kms_keys resource block uses an optional filter to select a group of KMS Keys and then tests that group.

# Verify the number of KMS keys in the AWS account
describe aws_kms_keys do
  its('entries.count') { should cmp 10 }
end

Parameters

This resource does not require any parameters.

Properties

key_ids
The IDs of the returned keys.
key_arns
The Amazon Resource Names of the returned keys.
entries
Provides access to the raw results of the query, which can be treated as an array of hashes.

Examples

The following examples show how to use this InSpec audit resource.

Ensure a Key exists.

describe aws_kms_keys do
  its('key_ids') { should include 'fd7e608b-f435-4186-b8b5-111111111111' }
end

Allow at most 100 KMS Keys on the account.

describe aws_kms_keys do
  its('entries.count') { should be <= 100 }
end

Matchers

For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.

exist

The control will pass if the describe returns at least one result.

Use should_not to test that the entity does not exist.

describe aws_kms_keys do
  it { should exist }
end
describe aws_kms_keys.where(<property>: <value>) do
  it { should_not exist }
end

AWS Permissions

Your Principal will need the KMS:Client:ListKeysResponse action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for AWS Key Management Service.
