aws_ami Resource
Use the aws_ami InSpec audit resource to test properties of a single AWS AMI.
For additional information, including details on parameters and properties, see the AWS documentation on EC2 Amazon Machine Images.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
An aws_ami resource block declares the tests for a single AWS AMI by image id.
describe aws_ami(image_id: 'aki-2349e94458a507') do
it { should exist }
end
Parameters
image_id (required)
This resource accepts a single parameter, the AMI Image ID. This can be passed either as a string or as an image_id: 'value' key-value entry in a hash.
Properties
architecture - The architecture of the image.
creation_date - The date and time the image was created.
image_id - The ID of the AMI.
image_location - The location of the AMI.
image_type - The type of image.
public - Indicates whether the image has public launch permissions.
kernel_id - The kernel associated with the image, if any. Only applicable for machine images.
owner_id - The AWS account ID of the image owner.
platform - This value is set to windows for Windows AMIs; otherwise, it is blank.
platform_details - The platform details associated with the billing code of the AMI.
usage_operation - The operation of the Amazon EC2 instance and the billing code that is associated with the AMI.
product_codes - Any product codes associated with the AMI.
ramdisk_id - The RAM disk associated with the image, if any. Only applicable for machine images.
state - The state of the AMI.
block_device_mappings - Any block device mapping entries.
description - The description of the AMI that was provided during image creation.
ena_support - Specifies whether enhanced networking with ENA is enabled.
hypervisor - The hypervisor type of the image.
image_owner_alias - The AWS account alias or the AWS account ID of the AMI owner.
name - The name of the AMI that was provided during image creation.
root_device_name - The device name of the root device volume.
root_device_type - The type of root device used by the AMI.
sriov_net_support - Specifies whether enhanced networking with the Intel 82599 Virtual Function interface is enabled.
state_reason - Provides the reason for the state change.
tags - Provides any tags assigned to the image.
virtualization_type - The type of virtualization of the AMI.
There are also additional properties available. For a comprehensive list, see the API reference documentation.
Examples
Check if an AMI is public.
describe aws_ami(image_id: 'aki-25348fd4323') do
it { should be_public }
end
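The checks an aws_ami control typically expresses (private image, trusted owner, available state, hvm virtualization, required tags), written here as an added example in plain Ruby over a constructed DescribeImages-style hash so it runs offline; this is not code from the InSpec resource pack, and the account IDs, image IDs and tag names are placeholders.

```ruby
# Keys mirror the aws_ami resource properties listed above; each check notes
# the InSpec matcher it corresponds to inside a profile.
REQUIRED_TAGS = %w[Owner Environment].freeze

# Returns the list of policy violations for one AMI description; an empty
# list means the image passes. `trusted_owners` is an allow-list of AWS
# account IDs (placeholder values below, not real accounts).
def ami_violations(image, trusted_owners:)
  violations = []
  # it { should_not be_public }: any AWS account can launch a public AMI
  violations << 'public launch permissions' if image[:public]
  # its('owner_id') { should be_in trusted_owners }: built by an account we control
  unless trusted_owners.include?(image[:owner_id])
    violations << "untrusted owner #{image[:owner_id]}"
  end
  # its('state') { should eq 'available' }
  violations << "state is #{image[:state]}" unless image[:state] == 'available'
  # its('virtualization_type') { should eq 'hvm' }: paravirtual images are legacy
  violations << 'paravirtual image' unless image[:virtualization_type] == 'hvm'
  # its('tags') { should include 'Owner' }: ownership tags must be present
  missing = REQUIRED_TAGS - image.fetch(:tags, {}).keys
  violations << "missing tags #{missing.join(', ')}" unless missing.empty?
  violations
end

# Constructed sample images (IDs and accounts are placeholders).
GOOD_AMI = {
  image_id: 'ami-0000000000example1', public: false, owner_id: '111111111111',
  state: 'available', virtualization_type: 'hvm',
  tags: { 'Owner' => 'platform', 'Environment' => 'prod' }
}.freeze

BAD_AMI = {
  image_id: 'ami-0000000000example2', public: true, owner_id: '999999999999',
  state: 'pending', virtualization_type: 'paravirtual', tags: { 'Owner' => 'x' }
}.freeze

if __FILE__ == $PROGRAM_NAME
  [GOOD_AMI, BAD_AMI].each do |ami|
    v = ami_violations(ami, trusted_owners: ['111111111111'])
    puts "#{ami[:image_id]}: #{v.empty? ? 'PASS' : 'FAIL (' + v.join('; ') + ')'}"
  end
end
```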
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
be_public
The be_public matcher tests if the AMI has public launch permissions.
describe aws_ami(image_id: 'aki-1234') do
it { should be_public }
end
describe aws_ami(image_id: 'aki-6789') do
it { should_not be_public }
end
exist
The control will pass if the describe returns at least one result.
Use should_not to test that the entity should not exist.
describe aws_ami(image_id: 'aki-1234') do
it { should exist }
end
describe aws_ami(image_id: 'aki-6789') do
it { should_not exist }
end
AWS Permissions
Your Principal will need the EC2:Client:DescribeImages action with Effect set to Allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2.