Chef InSpec and AWS
Chef InSpec has resources for auditing AWS.
Initialize an InSpec profile for auditing AWS
With Chef InSpec 4 or greater, you can create a profile for testing AWS resources with inspec init profile
:
$ inspec init profile --platform aws <PROFILE_NAME>
Create new profile at /Users/me/<PROFILE_NAME>
* Creating directory libraries
* Creating file README.md
* Creating directory controls
* Creating file controls/example.rb
* Creating file inspec.yml
* Creating file inputs.yml
* Creating file libraries/.gitkeep
Assuming the inputs.yml
file contains your AWS project ID, you can execute this sample profile using the following command:
inspec exec <PROFILE_NAME> --input-file=<PROFILE_NAME>/inputs.yml -t gcp://
Set AWS credentials
Chef InSpec uses the standard AWS authentication mechanisms. Typically, you will create an IAM user specifically for auditing activities.
Create an IAM user in the AWS console, with your choice of username. Check the box marked “Programmatic Access.”
On the Permissions screen, choose Direct Attach. Select the AWS-managed IAM profile named “ReadOnlyAccess.” If you wish to restrict the user further, you may do so; see individual Chef InSpec resources to identify which permissions are required.
After generating the key, record the access key ID and secret key.
Provide credentials with environment variables
You may provide the credentials to Chef InSpec by setting the following environment variables: AWS_REGION
, AWS_ACCESS_KEY_ID
, and AWS_SECRET_ACCESS_KEY
. You may also use AWS_PROFILE
, or if you are using MFA, AWS_SESSION_TOKEN
. See the AWS Command Line Interface Docs for details.
Once you have your environment variables set, you can verify your credentials by running:
$ inspec detect -t aws://
== Platform Details
Name: aws
Families: cloud, api
Release: aws-sdk-v2.10.125
Provide credentials using Chef InSpec target option
Look for a file in your home directory named ~/.aws/credentials
. If it does not exist, create it. Choose a name for your profile; here, we’re using the name ‘auditing’. Add your credentials as a new profile, in INI format:
[auditing]
aws_access_key_id = AKIA....
aws_secret_access_key = 1234....abcd
You may now run Chef InSpec using the --target
/ -t
option, using the format -t aws://region/profile
. For example, to connect to the Ohio region using a profile named ‘auditing’, use -t aws://us-east-2/auditing
.
To verify your credentials, run:
$ inspec detect -t aws://
== Platform Details
Name: aws
Families: cloud, api
Release: aws-sdk-v2.10.125
AWS resources
- aws_alb Resource
- aws_albs Resource
- aws_ami Resource
- aws_amis Resource
- aws_amplify_app resource
- aws_amplify_apps resource
- aws_amplify_branch resource
- aws_amplify_branches resource
- aws_api_gateway_deployment Resource
- aws_api_gateway_deployments Resource
- aws_api_gateway_documentation_part Resource
- aws_api_gateway_documentation_parts Resource
- aws_api_gateway_documentation_version Resource
- aws_api_gateway_documentation_versions Resource
- aws_api_gateway_method Resource
- aws_api_gateway_methods Resource
- aws_api_gateway_model Resource
- aws_api_gateway_models Resource
- aws_api_gateway_response Resource
- aws_api_gateway_responses Resource
- aws_api_gateway_restapi Resource
- aws_api_gateway_restapis Resource
- aws_api_gateway_stage Resource
- aws_api_gateway_stages Resource
- aws_apigateway_account Resource
- aws_apigateway_api_key Resource
- aws_apigateway_api_keys Resource
- aws_apigateway_authorizer Resource
- aws_apigateway_authorizers Resource
- aws_apigateway_base_path_mapping Resource
- aws_apigateway_base_path_mappings Resource
- aws_apigateway_client_certificate Resource
- aws_apigateway_client_certificates Resource
- aws_application_autoscaling_scalable_target Resource
- aws_application_autoscaling_scalable_targets Resource
- aws_application_autoscaling_scaling_policies Resource
- aws_application_autoscaling_scaling_policy Resource
- aws_athena_work_group Resource
- aws_athena_work_groups Resource
- aws_auto_scaling_group Resource
- aws_auto_scaling_groups Resource
- aws_autoscaling_scaling_policies Resource
- aws_autoscaling_scaling_policy Resource
- aws_batch_compute_environment Resource
- aws_batch_compute_environments Resource
- aws_batch_job_definition Resource
- aws_batch_job_definitions Resource
- aws_batch_job_queue Resource
- aws_batch_job_queues Resource
- aws_cloud_formation_stack_set Resource
- aws_cloud_formation_stack_sets Resource
- aws_cloudformation_stack Resource
- aws_cloudformation_stacks Resource
- aws_cloudformation_template Resource
- aws_cloudfront_cache_policies Resource
- aws_cloudfront_cache_policy Resource
- aws_cloudfront_distribution Resource
- aws_cloudfront_distributions Resource
- aws_cloudfront_key_group Resource
- aws_cloudfront_key_groups Resource
- aws_cloudfront_origin_access_identities Resource
- aws_cloudfront_origin_access_identity Resource
- aws_cloudfront_origin_request_policy Resource
- aws_cloudfront_public_key Resource
- aws_cloudfront_public_keys Resource
- aws_cloudfront_realtime_log_config Resource
- aws_cloudfront_realtime_log_configs Resource
- aws_cloudfront_streaming_distribution Resource
- aws_cloudfront_streaming_distributions Resource
- aws_cloudtrail_trail Resource
- aws_cloudtrail_trails Resource
- aws_cloudwatch_alarm Resource
- aws_cloudwatch_anomaly_detector Resource
- aws_cloudwatch_anomaly_detectors Resource
- aws_cloudwatch_composite_alarm Resource
- aws_cloudwatch_composite_alarms Resource
- aws_cloudwatch_dashboard Resource
- aws_cloudwatch_dashboards Resource
- aws_cloudwatch_insight_rules Resource
- aws_cloudwatch_log_group Resource
- aws_cloudwatch_log_metric_filter Resource
- aws_cloudwatch_metric_stream Resource
- aws_cloudwatch_metric_streams Resource
- aws_cloudwatchlogs_destination Resource
- aws_cloudwatchlogs_destinations Resource
- aws_cloudwatchlogs_log_stream Resource
- aws_cloudwatchlogs_log_streams Resource
- aws_cloudwatchlogs_subscription_filter Resource
- aws_cloudwatchlogs_subscription_filters Resource
- aws_cognito_identity_pool Resource
- aws_cognito_identity_pools Resource
- aws_cognito_userpool Resource
- aws_cognito_userpool_client Resource
- aws_cognito_userpool_clients Resource
- aws_cognito_userpools Resource
- aws_config_delivery_channel Resource
- aws_config_recorder Resource
- aws_db_parameter_group Resource
- aws_db_parameter_groups Resource
- aws_db_subnet_group Resource
- aws_db_subnet_groups Resource
- aws_dhcp_options Resource
- aws_dms_endpoint Resource
- aws_dms_endpoints Resource
- aws_dms_replication_instance Resource
- aws_dms_replication_instances Resource
- aws_dms_replication_subnet_group Resource
- aws_dms_replication_subnet_groups Resource
- aws_dynamodb_table Resource
- aws_dynamodb_tables Resource
- aws_ebs_snapshot Resource
- aws_ebs_snapshots Resource
- aws_ebs_volume Resource
- aws_ebs_volumes Resource
- aws_ec2_capacity_reservation Resource
- aws_ec2_capacity_reservations Resource
- aws_ec2_carrier_gateway Resource
- aws_ec2_carrier_gateways Resource
- aws_ec2_client_vpn_authorization_rule Resource
- aws_ec2_client_vpn_authorization_rules Resource
- aws_ec2_client_vpn_endpoint Resource
- aws_ec2_client_vpn_endpoints Resource
- aws_ec2_client_vpn_route Resource
- aws_ec2_client_vpn_routes Resource
- aws_ec2_client_vpn_target_network_association Resource
- aws_ec2_client_vpn_target_network_associations Resource
- aws_ec2_customer_gateway Resource
- aws_ec2_customer_gateways Resource
- aws_ec2_dhcp_option Resource
- aws_ec2_dhcp_options Resource
- aws_ec2_egress_only_internet_gateway Resource
- aws_ec2_egress_only_internet_gateways Resource
- aws_ec2_eip Resource
- aws_ec2_eip_association Resource
- aws_ec2_eip_associations Resource
- aws_ec2_eips Resource
- aws_ec2_fleet Resource
- aws_ec2_fleets Resource
- aws_ec2_host Resource
- aws_ec2_hosts Resource
- aws_ec2_instance Resource
- aws_ec2_instances Resource
- aws_ec2_internet_gateway Resource
- aws_ec2_internet_gateways Resource
- aws_ec2_launch_template Resource
- aws_ec2_launch_templates Resource
- aws_ec2_network_insights_analysis Resource
- aws_ec2_network_insights_analysis_plural Resource
- aws_ec2_network_insights_path Resource
- aws_ec2_network_insights_paths Resource
- aws_ec2_network_interface Resource
- aws_ec2_network_interface_attachment Resource
- aws_ec2_network_interface_attachments Resource
- aws_ec2_network_interface_permission Resource
- aws_ec2_network_interface_permissions Resource
- aws_ec2_network_interfaces Resource
- aws_ec2_placement_group Resource
- aws_ec2_placement_groups Resource
- aws_ec2_prefix_list Resource
- aws_ec2_prefix_lists Resource
- aws_ec2_spot_fleet Resource
- aws_ec2_spot_fleets Resource
- aws_ec2_traffic_mirror_filter Resource
- aws_ec2_traffic_mirror_filters Resource
- aws_ec2_traffic_mirror_session Resource
- aws_ec2_traffic_mirror_sessions Resource
- aws_ec2_transit_gateway_attachment Resource
- aws_ec2_transit_gateway_attachments Resource
- aws_ec2_transit_gateway_route_table Resource
- aws_ec2_transit_gateway_route_table_association Resource
- aws_ec2_transit_gateway_route_table_associations Resource
- aws_ec2_transit_gateway_route_table_propagation Resource
- aws_ec2_transit_gateway_route_table_propagations Resource
- aws_ec2_transit_gateway_route_tables Resource
- aws_ec2_volume_attachment Resource
- aws_ec2_volume_attachments Resource
- aws_ec2_vpc_peering_connection Resource
- aws_ec2_vpc_peering_connections Resource
- aws_ec2_vpn_connection_routes Resource
- aws_ec2_vpn_gateway_route_propagation Resource
- aws_ec2_vpn_gateway_route_propagations Resource
- aws_ecr Resource
- aws_ecr_image Resource
- aws_ecr_images Resource
- aws_ecr_repositories Resource
- aws_ecr_repository Resource
- aws_ecr_repository_policy Resource
- aws_ecrpublic_repositories Resource
- aws_ecrpublic_repository Resource
- aws_ecs_cluster Resource
- aws_ecs_clusters Resource
- aws_ecs_service Resource
- aws_ecs_services Resource
- aws_ecs_task_definition Resource
- aws_ecs_task_definitions Resource
- aws_efs_file_system Resource
- aws_efs_file_systems Resource
- aws_efs_mount_target Resource
- aws_efs_mount_targets Resource
- aws_eks_cluster Resource
- aws_eks_clusters Resource
- aws_elasticache_cluster Resource
- aws_elasticache_cluster_node Resource
- aws_elasticache_clusters Resource
- aws_elasticache_replication_group Resource
- aws_elasticache_replication_groups Resource
- aws_elasticloadbalancingv2_listener Resource
- aws_elasticloadbalancingv2_listener_certificate Resource
- aws_elasticloadbalancingv2_listener_certificates Resource
- aws_elasticloadbalancingv2_listener_rule Resource
- aws_elasticloadbalancingv2_listener_rules Resource
- aws_elasticloadbalancingv2_listeners Resource
- aws_elasticloadbalancingv2_target_group Resource
- aws_elasticloadbalancingv2_target_groups Resource
- aws_elasticsearchservice_domain Resource
- aws_elasticsearchservice_domains Resource
- aws_elb Resource
- aws_elbs Resource
- aws_emr_cluster Resource
- aws_emr_clusters Resource
- aws_emr_security_configuration Resource
- aws_emr_security_configurationss Resource
- aws_eventbridge_rule Resource
- aws_eventbridge_rules Resource
- aws_flow_log Resource
- aws_glue_crawler Resource
- aws_glue_crawlers Resource
- aws_glue_database Resource
- aws_glue_databases Resource
- aws_guardduty_detector Resource
- aws_guardduty_detectors Resource
- aws_hosted_zone Resource
- aws_hosted_zones Resource
- aws_iam_access_key Resource
- aws_iam_access_keys Resource
- aws_iam_account_alias Resource
- aws_iam_group Resource
- aws_iam_groups Resource
- aws_iam_inline_policy Resource
- aws_iam_instance_profile Resource
- aws_iam_instance_profiles Resource
- aws_iam_managed_policies Resource
- aws_iam_managed_policy Resource
- aws_iam_oidc_provider Resource
- aws_iam_oidc_providers Resource
- aws_iam_password_policy Resource
- aws_iam_policies Resource
- aws_iam_policy Resource
- aws_iam_role Resource
- aws_iam_roles Resource
- aws_iam_root_user Resource
- aws_iam_saml_provider Resource
- aws_iam_saml_providers Resource
- aws_iam_server_certificate Resource
- aws_iam_server_certificates Resource
- aws_iam_service_linked_role_deletion_status Resource
- aws_iam_ssh_public_key Resource
- aws_iam_ssh_public_keys Resource
- aws_iam_user Resource
- aws_iam_users Resource
- aws_iam_virtual_mfa_devices Resource
- aws_internet_gateway Resource
- aws_internet_gateways Resource
- aws_kms_key Resource
- aws_kms_keys Resource
- aws_lambda Resource
- aws_lambda_alias Resource
- aws_lambda_aliases Resource
- aws_lambda_code_signing_config Resource
- aws_lambda_code_signing_configs Resource
- aws_lambda_event_invoke_config Resource
- aws_lambda_event_invoke_configs Resource
- aws_lambda_event_source_mapping Resource
- aws_lambda_event_source_mappings Resource
- aws_lambda_layer_version_permission Resource
- aws_lambda_permission Resource
- aws_lambda_permissions Resource
- aws_lambda_version Resource
- aws_lambda_versions Resource
- aws_lambdas Resource
- aws_launch_configuration Resource
- aws_logs_metric_filter Resource
- aws_logs_metric_filters Resource
- aws_mq_broker Resource
- aws_mq_brokers Resource
- aws_mq_configuration Resource
- aws_mq_configurations Resource
- aws_nat_gateway Resource
- aws_nat_gateways Resource
- aws_network_acl Resource
- aws_network_acls Resource
- aws_network_firewall_firewall Resource
- aws_network_firewall_firewall_policies Resource
- aws_network_firewall_firewall_policy Resource
- aws_network_firewall_firewalls Resource
- aws_network_firewall_logging_configuration Resource
- aws_network_firewall_rule_group Resource
- aws_network_firewall_rule_groups Resource
- aws_network_manager_customer_gateway_association Resource
- aws_network_manager_customer_gateway_associations Resource
- aws_network_manager_device Resource
- aws_network_manager_devices Resource
- aws_network_manager_global_network Resource
- aws_network_manager_global_networks Resource
- aws_organizations_member Resource
- aws_ram_resource_share Resource
- aws_ram_resource_shares Resource
- aws_rds_cluster Resource
- aws_rds_clusters Resource
- aws_rds_db_cluster_snapshot Resource
- aws_rds_db_cluster_snapshots Resource
- aws_rds_db_proxy Resource
- aws_rds_db_proxy_endpoint Resource
- aws_rds_db_proxy_endpoints Resource
- aws_rds_db_proxy_target_group Resource
- aws_rds_db_proxy_target_groups Resource
- aws_rds_db_security_group Resource
- aws_rds_db_security_groups Resource
- aws_rds_event_subscription Resource
- aws_rds_event_subscriptions Resource
- aws_rds_global_cluster Resource
- aws_rds_global_clusters Resource
- aws_rds_group_option Resource
- aws_rds_group_options Resource
- aws_rds_instance Resource
- aws_rds_instances Resource
- aws_rds_snapshot Resource
- aws_rds_snapshot_attributes Resource
- aws_rds_snapshots Resource
- aws_redshift_cluster Resource
- aws_redshift_cluster_parameter_group Resource
- aws_redshift_cluster_parameter_groups Resource
- aws_redshift_clusters Resource
- aws_region Resource
- aws_regions Resource
- aws_route_table Resource
- aws_route_tables Resource
- aws_route53_record_set Resource
- aws_route53_record_sets Resource
- aws_route53resolver_resolver_endpoint Resource
- aws_route53resolver_resolver_endpoints Resource
- aws_route53resolver_resolver_rule Resource
- aws_route53resolver_resolver_rule_association Resource
- aws_route53resolver_resolver_rule_associations Resource
- aws_route53resolver_resolver_rules Resource
- aws_s3_access_point Resource
- aws_s3_access_points Resource
- aws_s3_bucket Resource
- aws_s3_bucket_object Resource
- aws_s3_bucket_objects Resource
- aws_s3_bucket_policy Resource
- aws_s3_buckets Resource
- aws_sdb_domains Resource
- aws_secretsmanager_secret Resource
- aws_secretsmanager_secrets Resource
- aws_security_group Resource
- aws_security_groups Resource
- aws_securityhub_hub Resource
- aws_servicecatalog_cloud_formation_product Resource
- aws_servicecatalog_launch_role_constraint Resource
- aws_servicecatalog_launch_role_constraints Resource
- aws_servicecatalog_portfolio_principal_association Resource
- aws_servicecatalog_portfolio_principal_associations Resource
- aws_servicecatalog_portfolio_product_association Resource
- aws_servicecatalog_portfolio_product_associations Resource
- aws_ses_receipt_rule Resource
- aws_ses_receipt_rule_set Resource
- aws_ses_receipt_rule_sets Resource
- aws_ses_template Resource
- aws_ses_templates Resource
- aws_shield_subscription Resource
- aws_signer_profile_permissions Resource
- aws_signer_signing_profile Resource
- aws_signer_signing_profiles Resource
- aws_sns_subscription Resource
- aws_sns_subscriptions Resource
- aws_sns_topic Resource
- aws_sns_topics Resource
- aws_sqs_queue Resource
- aws_sqs_queues Resource
- aws_ssm_activation Resource
- aws_ssm_activations Resource
- aws_ssm_association Resource
- aws_ssm_associations Resource
- aws_ssm_document Resource
- aws_ssm_documents Resource
- aws_ssm_maintenance_window Resource
- aws_ssm_maintenance_window_target Resource
- aws_ssm_maintenance_window_targets Resource
- aws_ssm_maintenance_window_task Resource
- aws_ssm_maintenance_window_tasks Resource
- aws_ssm_maintenance_windows Resource
- aws_ssm_parameter Resource
- aws_ssm_parameters Resource
- aws_ssm_patch_baseline Resource
- aws_ssm_patch_baselines Resource
- aws_ssm_resource_compliance_summaries Resource
- aws_ssm_resource_compliance_summary Resource
- aws_ssm_resource_data_syncs Resource
- aws_stepfunctions_activities Resource
- aws_stepfunctions_activity Resource
- aws_stepfunctions_state_machine Resource
- aws_stepfunctions_state_machines Resource
- aws_sts_caller_identity Resource
- aws_subnet Resource
- aws_subnets Resource
- aws_synthetics_canaries Resource
- aws_synthetics_canary Resource
- aws_transfer_user Resource
- aws_transfer_users Resource
- aws_transit_gateway Resource
- aws_transit_gateway_connect Resource
- aws_transit_gateway_connects Resource
- aws_transit_gateway_multicast_domain Resource
- aws_transit_gateway_multicast_domain_association Resource
- aws_transit_gateway_multicast_domain_associations Resource
- aws_transit_gateway_multicast_domains Resource
- aws_transit_gateway_multicast_group_member Resource
- aws_transit_gateway_multicast_group_members Resource
- aws_transit_gateway_multicast_group_source Resource
- aws_transit_gateway_multicast_group_sources Resource
- aws_transit_gateway_route Resource
- aws_transit_gateway_routes Resource
- aws_vpc Resource
- aws_vpc_endpoint Resource
- aws_vpc_endpoint_connection_notification Resource
- aws_vpc_endpoint_connection_notifications Resource
- aws_vpc_endpoint_service Resource
- aws_vpc_endpoint_service_permission Resource
- aws_vpc_endpoint_service_permissions Resource
- aws_vpc_endpoint_services Resource
- aws_vpc_endpoints Resource
- aws_vpcs Resource
- aws_vpn_connections Resource
- aws_vpn_gateway Resource
- aws_vpn_gateways Resource
- aws_waf_byte_match_set resource
- aws_waf_byte_match_sets resource
- aws_waf_ip_set resource
- aws_waf_ip_sets resource
- aws_waf_rule resource
- aws_waf_rules resource
- aws_waf_size_constraint_set resource
- aws_waf_size_constraint_sets resource
- aws_waf_sql_injection_match_set resource
- aws_waf_sql_injection_match_sets resource
- aws_waf_web_acl resource
- aws_waf_web_acls resource
- aws_waf_xss_match_set resource
- aws_waf_xss_match_sets resource