
aws_network_acl Resource

Use the aws_network_acl InSpec audit resource to test the properties of a single Amazon network ACL.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

An aws_network_acl resource block declares the tests for a single Amazon network ACL by network_acl_id.

describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
  it { should exist }
end

The value of the network_acl_id can be provided as a string.

describe aws_network_acl('acl-001db867a1898981b') do
  it { should exist }
end

Parameters

The network ACL ID is required.

network_acl_id (required)

The ID of the network ACL:

  • must contain between 1 and 50 alphanumeric characters or hyphens
  • should start with acl-
  • cannot end with a hyphen or contain two consecutive hyphens

It can be passed either as a string or as a network_acl_id: 'value' key-value entry in a hash.

Properties

network_acl_id
The ID of the network ACL.
is_default
Indicates whether this is the default network ACL for the VPC.
vpc_id
The ID of the VPC for the network ACL.
owner_id
The ID of the AWS account that owns the network ACL.
associated_subnet_ids
The IDs of the subnets associated with the network ACL.
egress
All rules that are applied to traffic leaving the subnet.
ingress
All rules that are applied to traffic incoming to the subnet.
associations
All subnet associations on the network ACL.
tags
A hash of the tags on the network ACL, with each key-value pair corresponding to one tag.
egress_rule_number_ACL_RULE_NUMBER
A dynamically generated property exposing the egress ACL rule whose rule number is ACL_RULE_NUMBER (for example, egress_rule_number_100). See below for nested properties and examples.
ingress_rule_number_ACL_RULE_NUMBER
A dynamically generated property exposing the ingress ACL rule whose rule number is ACL_RULE_NUMBER (for example, ingress_rule_number_100). See below for nested properties and examples.

Nested Properties of dynamic egress and ingress rule number properties

cidr_block
The IPv4 network range to allow or deny, in CIDR notation.
ipv_6_cidr_block
The IPv6 network range to allow or deny, in CIDR notation.
protocol
The protocol specified in the entry. Accepted values are: tcp, udp, icmp, or a protocol number.
rule_action
Whether the matching traffic is allowed or denied. Accepted values are: allow or deny.
rule_number
The number of the entry (in other words, the rule) in the set of ACL entries.
port_range.from
The start of the port range specified in the entry.
port_range.to
The end of the port range specified in the entry.
icmp_type_code.code
The ICMP code specified in the entry, if any.
icmp_type_code.type
The ICMP type specified in the entry, if any.

You can find detailed documentation at NetworkAclEntry.

Examples

Test that a network ACL is the default for its VPC.

describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
    it { should be_default }
end

Test that the ID of the VPC is vpc-00727fc4213acee4a.

describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
    its('vpc_id') { should eq 'vpc-00727fc4213acee4a' }
end

Test that the associated subnet IDs include subnet-07a323891825bc312.

describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
    its('associated_subnet_ids') { should include 'subnet-07a323891825bc312' }
end

Test that the CIDR block of the ACL egress entry for rule number 100 is 10.3.0.0/18.

describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
    its('egress_rule_number_100.cidr_block') { should eq '10.3.0.0/18' }
end

Test that the port range of the ACL ingress entry for rule number 100 is 443 to 443.

describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
    its('ingress_rule_number_100.port_range.from') { should eq '443' }
    its('ingress_rule_number_100.port_range.to') { should eq '443' }
end

Matchers

For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.

exist

describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
    it { should exist }
end

be_default

describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
    it { should be_default }
end

be_associated (to any subnet)

describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
    it { should be_associated }
end

have_associations

describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
    it { should have_associations }
    it { should have_associations(subnet_id: 'subnet-07a323891825bc312') }
end

have_acl_entry_value

describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
    it { should have_acl_entry_value(cidr_block: '10.3.0.0/18', egress: false, rule_action: 'allow') }
end

have_egress

describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
    it { should have_egress }
    it { should have_egress(cidr_block: '10.3.0.0/18', rule_action: 'allow') }
    it { should have_egress(rule_action: 'allow') }
    it { should have_egress(cidr_block: '10.3.0.0/18') }
end

have_ingress

describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
    it { should have_ingress }
    it { should have_ingress(cidr_block: '10.3.0.0/18', rule_action: 'allow') }
    it { should have_ingress(rule_action: 'allow') }
    it { should have_ingress(cidr_block: '10.3.0.0/18') }
end
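The dynamic ingress_rule_number_N / egress_rule_number_N properties and the have_ingress / have_egress matchers above tell you that a rule with given attributes exists, not what the ACL actually does to a packet, because AWS evaluates network ACL entries in ascending rule number order and stops at the first match, falling back to an implicit deny. The following plain Ruby is an added example (not part of this page or the inspec-aws resource) that builds those property names from constructed entries in the resource's shape, reproduces the attribute-matching check, and then computes the effective decision so the two can be compared.

```ruby
require 'ipaddr'

# Constructed sample entries in the shape the aws_network_acl resource exposes
# per rule (cidr_block, protocol, rule_action, rule_number, port_range, egress).
# Protocol "6" is TCP, "-1" is all protocols. Not real AWS data.
ENTRIES = [
  { rule_number: 100, egress: false, protocol: '6', rule_action: 'allow',
    cidr_block: '10.3.0.0/18', port_range: { from: 443, to: 443 } },
  { rule_number: 200, egress: false, protocol: '-1', rule_action: 'deny',
    cidr_block: '0.0.0.0/0', port_range: nil },
  { rule_number: 100, egress: true, protocol: '-1', rule_action: 'allow',
    cidr_block: '0.0.0.0/0', port_range: nil },
].freeze

# Build the dynamic property names: ingress_rule_number_100, egress_rule_number_100, ...
def rule_properties(entries)
  entries.each_with_object({}) do |e, h|
    h["#{e[:egress] ? 'egress' : 'ingress'}_rule_number_#{e[:rule_number]}"] = e
  end
end

# Counterpart of have_ingress(...) / have_egress(...): true when any entry in the
# requested direction matches every supplied attribute (ordering is ignored).
def have_rule?(entries, egress:, **criteria)
  entries.any? { |e| e[:egress] == egress && criteria.all? { |k, v| e[k] == v } }
end

# Effective decision for one flow: lowest rule_number first, first match wins,
# and a flow matching no entry hits the implicit deny at the end of the ACL.
def effective_action(entries, egress:, ip:, protocol:, port:)
  addr = IPAddr.new(ip)
  entries.select { |e| e[:egress] == egress }.sort_by { |e| e[:rule_number] }.each do |e|
    next unless IPAddr.new(e[:cidr_block]).include?(addr)
    next unless e[:protocol] == '-1' || e[:protocol] == protocol
    pr = e[:port_range]
    next if pr && !(pr[:from]..pr[:to]).cover?(port)
    return e[:rule_action]
  end
  'deny'
end
```

A control that only asserts have_ingress(rule_action: 'allow') passes on this ACL, while effective_action shows that inbound TCP 22 from 10.3.1.5 and inbound TCP 443 from outside 10.3.0.0/18 are both denied, which is the property a reviewer usually wants to prove.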

AWS Permissions

Your Principal will need the EC2:Client:DescribeNetworkAclsResult action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for network ACL, and Actions, Resources, and Condition Keys for Identity And Access Management.
