aws_amis Resource
Use the aws_amis
InSpec audit resource to test properties of some or all AWS AMIs.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
Ensure you have exactly 3 AMIs available to you.
describe aws_amis(all_amis: 'true') do
its('image_ids.count') { should cmp 3 }
end
Check if you have a public AMI for the Linux/UNIX platform available to you.
describe aws_amis(is_public: 'true', platform_details: 'Linux/UNIX') do
it { should exist }
end
Parameters
This resource must be provided with the parameter ‘all_amis’ (returns ALL AMIs available to you) OR a combination of the following.
all_amis
(optional)OR
architecture
(optional)
creation_date
(optional)image_id
(optional)image_type
(optional)is_public
(optional)kernel_id
(optional)owner_id
(optional)owners
(optional)- Scopes the results to images with the specified owners. You can specify a combination of AWS account IDs,
self
,amazon
, andaws-marketplace
.
- Scopes the results to images with the specified owners. You can specify a combination of AWS account IDs,
If you omit this parameter, the results include all images for which you have launch permissions, regardless of ownership.
owner_alias
(optional)
platform
(optional)
product_code
(optional)
platform_details
(optional)
usage_operation
(optional)
ramdisk_id
(optional)
state
(optional)
state_reason_code
(optional)
state_reason_message
(optional)
description
(optional)
ena_support
(optional)
hypervisor
(optional)
name
(optional)
root_device_name
(optional)root_device_type
(optional)sriov_net_support
(optional)virtualization_type
(optional)This can be passed either as a string or as a
all_amis: 'value'
key-value entry in a hash.
Properties
architectures
- The architecture of the image.
creation_dates
- The date and time the image was created.
image_ids
- The ID of the AMI.
image_locations
- The location of the AMI.
image_types
- The type of image.
public
- Indicates whether the image has public launch permissions.
kernel_ids
- The kernel associated with the image, if any. Only applicable for machine images.
owner_ids
- The AWS account ID of the image owner.
platforms
- This value is set to windows for Windows AMIs; otherwise, it is blank.
platform_details
- The platform details associated with the billing code of the AMI.
usage_operations
- The operation of the Amazon EC2 instance and the billing code that is associated with the AMI.
product_codes
- Any product codes associated with the AMI.
ramdisk_ids
- The RAM disk associated with the image, if any. Only applicable for machine images.
states
- The state of the AMI.
block_device_mappings
- Any block device mapping entries.
descriptions
- The description of the AMI that was provided during image creation.
ena_support
- Specifies whether enhanced networking with ENA is enabled.
hypervisors
- The hypervisor type of the image.
image_owner_alias
- The AWS account alias or the AWS account ID of the AMI owner.
names
- The name of the AMI that was provided during image creation.
root_device_names
- The device name of the root device volume.
root_device_types
- The type of root device used by the AMI.
sriov_net_supports
- Specifies whether enhanced networking with the Intel 82599 Virtual Function interface is enabled.
state_reasons
- Provides the reason for the state change.
tags
- Provides any tags assigned to the image.
virtualization_types
- The type of virtualization of the AMI.
Examples
Ensure ID of an AMI exists.
describe aws_amis(all_amis: 'true') do
its('image_ids') { should include 'image-id-43542' }
end
Interrogate AMIs Belong to the Current User Only.
describe aws_amis(owners: 'self') do
its('owner_ids.uniq.size') { should be 1 }
its('owner_ids.uniq.first') { should eq 12345678 }
end
Interrogate AMIs Belong to the Current User and the Amazon.
describe aws_amis(owners: ['self', 'amazon']) do
it { should exist }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
exist
The control will pass if the describe returns at least one result.
Use should_not
to test the entity should not exist.
describe aws_amis(all_amis: 'true').where( <property>: <value>) do
it { should exist }
end
describe aws_amis(all_amis: 'true').where( <property>: <value>) do
it { should_not exist }
end
AWS Permissions
Your Principal will need the EC2:Client:DescribeImages
action with Effect
set to Allow
.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2.