
aws_network_acls Resource

Use the aws_network_acls InSpec audit resource to test the properties of all Amazon network ACLs. To audit a single network ACL, use the aws_network_acl (singular) resource.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

An aws_network_acls resource block collects a group of network ACL descriptions and then tests that group.

describe aws_network_acls do
  it { should exist }
end

Parameters

This resource does not require any parameters.

Properties

network_acl_ids
The IDs of all network ACLs.

Field: network_acl_id

vpc_ids
The IDs of the VPCs that the network ACLs belong to.

Field: vpc_id

default
A boolean flag indicating whether each network ACL is its VPC's default network ACL.

Field: default

default_network_acl_ids
The default network ACL IDs for all the VPCs.

Field: default_network_acl_ids

associated_subnet_ids
The IDs of the subnets associated with each network ACL.

Field: associated_subnet_ids

network_acl_association_ids
The IDs of the associations between subnets and network ACLs.

Field: network_acl_association_ids

entries_cidr_blocks
The IPv4 network ranges to allow or deny, in CIDR notation, from the entries of all the network ACLs.

Field: entries_cidr_blocks

entries_icmp_type_codes
The ICMP codes specified in the entries of all the network ACLs.

Field: entries_icmp_type_codes

entries_icmp_type_code_types
The ICMP types specified in the entries of all the network ACLs.

Field: entries_icmp_type_code_types

entries_ipv_6_cidr_blocks
The IPv6 network ranges to allow or deny, in CIDR notation, from the entries of all the network ACLs.

Field: entries_ipv_6_cidr_blocks

entries_port_ranges
The port ranges specified in the entries of all the network ACLs.

Field: entries_port_ranges

entries_protocols
The protocols specified in the entries of all the network ACLs.

Field: entries_protocols

entries_rule_actions
The rule actions (allow or deny) applied to matching traffic, from the entries of all the network ACLs.

Field: entries_rule_actions

entries_rule_numbers
The rule numbers of all ACL entries.

Field: entries_rule_numbers

egress_rule_numbers
The rule numbers of all egress ACL entries.

Field: egress_rule_numbers

ingress_rule_numbers
The rule numbers of all ingress ACL entries.

Field: ingress_rule_numbers

owner_ids
The IDs of the AWS accounts that own the network ACLs.

Field: owner_ids

tags
A hash, with each key-value pair corresponding to a network ACL tag.

Field: tags

Examples

Ensure that exactly three network ACLs exist.

describe aws_network_acls do
  its('count') { should eq 3 }
end

Filter all network ACLs whose entries have rule number equal to 100.

describe aws_network_acls.where { entries_rule_numbers.include?(100) } do
  it { should exist }
end

Filter all default network ACLs.

describe aws_network_acls.where(default: true) do
  it { should exist }
end

Filter all network ACLs with associated subnet IDs matching subnet-07a323891825bc312.

describe aws_network_acls.where { associated_subnet_ids.include?('subnet-07a323891825bc312') } do
  it { should exist }
end

Filter all network ACLs with entries CIDR blocks matching 10.3.0.0/18.

describe aws_network_acls.where { entries_cidr_blocks.include?('10.3.0.0/18') } do
  it { should exist }
end

Request the IDs of all network ACLs, then test in-depth using aws_network_acl.

aws_network_acls.network_acl_ids.each do |network_acl_id|
  describe aws_network_acl(network_acl_id) do
    it { should be_default }
  end
end

Request the IDs of all network ACLs that have an ingress entry with rule number 100, then test in-depth using aws_network_acl.

aws_network_acls.where { ingress_rule_numbers.include?(100) }.network_acl_ids.each do |network_acl_id|
  describe aws_network_acl(network_acl_id) do
    its('egress_rule_number_100.cidr_block') { should eq '10.3.0.0/18' }
    its('egress_rule_number_100.protocol') { should eq '6' }
    its('egress_rule_number_100.rule_action') { should eq 'allow' }
  end
end
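The two-step pattern above matters because the plural resource flattens every ACL's entries into lists, so a where filter cannot tell which CIDR, action and direction came from the same entry. The following added plain-Ruby model (not InSpec's implementation or code from this page) rebuilds those list properties from a constructed DescribeNetworkAcls-shaped sample, runs the page's where filters against it, and then shows why the singular-resource drill-down is needed to confirm a wide-open ingress rule; all IDs and the RowView/where/wide_open_ingress_ids helpers are assumptions of this example.

```ruby
# Constructed sample in the shape of EC2 DescribeNetworkAcls output; all IDs are made up.
SAMPLE_ACLS = [
  { network_acl_id: 'acl-0a1b2c3d', vpc_id: 'vpc-0aaa', default: true, owner_id: '123456789012',
    associations: [{ network_acl_association_id: 'aclassoc-0111', subnet_id: 'subnet-07a323891825bc312' }],
    entries: [
      { rule_number: 100,   protocol: '6',  rule_action: 'allow', egress: false, cidr_block: '10.3.0.0/18' },
      { rule_number: 100,   protocol: '6',  rule_action: 'allow', egress: true,  cidr_block: '10.3.0.0/18' },
      { rule_number: 32767, protocol: '-1', rule_action: 'deny',  egress: false, cidr_block: '0.0.0.0/0' }] },
  { network_acl_id: 'acl-0e5f6a7b', vpc_id: 'vpc-0bbb', default: false, owner_id: '123456789012',
    associations: [],
    entries: [
      { rule_number: 50,    protocol: '-1', rule_action: 'allow', egress: false, cidr_block: '0.0.0.0/0' }] }
]

# One row per ACL with entry attributes flattened into arrays, as the plural resource's entries_*
# and *_rule_numbers properties are; which CIDR, action and direction share an entry is lost here.
def acl_rows(acls = SAMPLE_ACLS)
  acls.map do |acl|
    e = acl[:entries]
    { network_acl_id: acl[:network_acl_id], vpc_id: acl[:vpc_id], default: acl[:default],
      owner_id: acl[:owner_id],
      associated_subnet_ids: acl[:associations].map { |a| a[:subnet_id] },
      entries_cidr_blocks:  e.map { |x| x[:cidr_block] },
      entries_protocols:    e.map { |x| x[:protocol] },
      entries_rule_actions: e.map { |x| x[:rule_action] },
      entries_rule_numbers: e.map { |x| x[:rule_number] },
      ingress_rule_numbers: e.reject { |x| x[:egress] }.map { |x| x[:rule_number] },
      egress_rule_numbers:  e.select { |x| x[:egress] }.map { |x| x[:rule_number] } }
  end
end

# Lets a where block name a row's properties directly, e.g. entries_rule_numbers.
class RowView
  def initialize(row); @row = row; end
  def method_missing(name, *args); @row.key?(name) ? @row[name] : super; end
  def respond_to_missing?(name, priv = false); @row.key?(name) || super; end
end

# where(rows, default: true) or where(rows) { ... }; returns matching network_acl_ids, like the page.
def where(rows, **criteria, &blk)
  rows.select { |r| criteria.all? { |k, v| r[k] == v } && (blk.nil? || RowView.new(r).instance_eval(&blk)) }
      .map { |r| r[:network_acl_id] }
end

# Second step of the page's last example: inspect each candidate's individual entries to confirm
# that a single ingress rule really allows every protocol from 0.0.0.0/0.
def wide_open_ingress_ids(candidate_ids, acls = SAMPLE_ACLS)
  acls.select { |a| candidate_ids.include?(a[:network_acl_id]) }
      .select { |a| a[:entries].any? { |x| !x[:egress] && x[:rule_action] == 'allow' && x[:protocol] == '-1' && x[:cidr_block] == '0.0.0.0/0' } }
      .map { |a| a[:network_acl_id] }
end
```

The flattened filter `entries_cidr_blocks.include?('0.0.0.0/0') && entries_rule_actions.include?('allow')` matches both sample ACLs, because the first one's 0.0.0.0/0 comes from its default deny entry; only the per-entry check singles out the second ACL.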

Matchers

For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.

exist

The control will pass if the ‘describe’ method returns at least one result.

describe aws_network_acls.where(<property>: <value>) do
  it { should exist }
end

Use should_not to test an entity that should not exist.

describe aws_network_acls.where(<property>: <value>) do
  it { should_not exist }
end

AWS Permissions

Your Principal will need the EC2:Client:DescribeNetworkAclsResult action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon ElastiCache, and Actions, Resources, and Condition Keys for Identity And Access Management.
