
aws_ssm_maintenance_windows Resource

Use the aws_ssm_maintenance_windows InSpec audit resource to test properties of multiple AWS Systems Manager (SSM) maintenance windows.

The AWS::SSM::MaintenanceWindow resource represents general information about a maintenance window for AWS Systems Manager.

For additional information, including details on parameters and properties, see the AWS documentation on the AWS::SSM::MaintenanceWindow resource type.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

Ensure that a maintenance window exists.

describe aws_ssm_maintenance_windows do
  it { should exist }
end

Parameters

This resource does not require any parameters.

Properties

window_ids
The ID of the maintenance window.

Field: window_id

names
The name of the maintenance window.

Field: name

descriptions
A description of the maintenance window.

Field: description

enabled
Indicates whether the maintenance window is enabled.

Field: enabled

durations
The duration of the maintenance window in hours.

Field: duration

cutoffs
The number of hours before the end of the maintenance window that Amazon Web Services Systems Manager stops scheduling new tasks for execution.

Field: cutoff

schedules
The schedule of the maintenance window in the form of a cron or rate expression.

Field: schedule

schedule_timezones
The time zone that the scheduled maintenance window executions are based on, in Internet Assigned Numbers Authority (IANA) format.

Field: schedule_timezone

schedule_offsets
The number of days to wait to run a maintenance window after the scheduled cron expression date and time.

Field: schedule_offset

end_dates
The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become inactive.

Field: end_date

start_dates
The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active.

Field: start_date

next_execution_times
The next time the maintenance window will actually run, taking into account any specified times for the maintenance window to become active or inactive.

Field: next_execution_time

Examples

Ensure a maintenance window ID is available.

describe aws_ssm_maintenance_windows do
  its('window_ids') { should include 'MAINTENANCE_WINDOW_ID' }
end

Ensure a maintenance window name is available.

describe aws_ssm_maintenance_windows do
  its('names') { should include 'MAINTENANCE_WINDOW_NAME' }
end

Verify a maintenance window is enabled.

describe aws_ssm_maintenance_windows do
  its('enabled') { should include true }
end
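
The `enabled` check above passes as soon as any one window is enabled, so it does not show which individual windows are disabled, expired, or left with little scheduling time. The following is an added example in plain Ruby, not code from the InSpec AWS resource pack: it applies per-window checks to rows keyed by the field names listed under Properties. The sample rows, the IDs and names in them, the `audit_windows` helper, and the `min_hours` threshold are constructed assumptions.

```ruby
require 'time'

# Added example, not InSpec resource-pack code. Each row is a hash keyed by
# the field names listed under Properties. Returns { window_id => [findings] }.
# min_hours is a hypothetical policy threshold, not an AWS or InSpec setting.
def audit_windows(rows, now: Time.now.utc, min_hours: 1)
  rows.each_with_object({}) do |w, findings|
    issues = []
    issues << 'disabled' unless w[:enabled]

    # New tasks are only scheduled in the first (duration - cutoff) hours.
    usable = w[:duration].to_i - w[:cutoff].to_i
    if usable < min_hours
      issues << "only #{usable}h of scheduling time (duration #{w[:duration]}h, cutoff #{w[:cutoff]}h)"
    end

    # end_date is ISO-8601; once it has passed, the window is inactive.
    unless w[:end_date].to_s.empty?
      begin
        issues << "expired on #{w[:end_date]}" if Time.iso8601(w[:end_date]) <= now
      rescue ArgumentError
        issues << "unparseable end_date #{w[:end_date].inspect}"
      end
    end

    findings[w[:window_id]] = issues unless issues.empty?
  end
end

# Constructed sample rows; the IDs and names are placeholders.
SAMPLE_WINDOWS = [
  { window_id: 'mw-EXAMPLE0001', name: 'weekly-patching', enabled: true,
    duration: 4, cutoff: 1, end_date: nil },
  { window_id: 'mw-EXAMPLE0002', name: 'db-patching', enabled: false,
    duration: 2, cutoff: 0, end_date: nil },
  { window_id: 'mw-EXAMPLE0003', name: 'legacy-fleet', enabled: true,
    duration: 3, cutoff: 2, end_date: '2020-06-30T23:59:59Z' },
  { window_id: 'mw-EXAMPLE0004', name: 'edge-nodes', enabled: true,
    duration: 2, cutoff: 0, end_date: 'next friday' }
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_windows(SAMPLE_WINDOWS, min_hours: 2).each do |id, issues|
    puts "#{id}: #{issues.join('; ')}"
  end
end
```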

Matchers

For a full list of available matchers, see our Universal Matchers page.

The controls will pass if the describe method returns at least one result.

exist

Use should to test that the entity exists.

describe aws_ssm_maintenance_windows do
  it { should exist }
end

Use should_not to test the entity does not exist.

describe aws_ssm_maintenance_windows do
  it { should_not exist }
end

AWS Permissions

Your Principal will need the SSM:Client:DescribeMaintenanceWindowsResult action with Effect set to Allow.
