Sample code for demonstrating inspec-aws
# encoding: utf-8
# copyright: 2015, The Authors
# Profile-level title; each control below checks one AWS resource.
title 'AWS Inspec Demo Profile'
control 'aws-production-instances' do
  impact 1.0
  title 'Check Production Instances'
  desc 'Make sure the status of production AWS instances is set to running.'

  # Instance id => attributes pinned on top of the running-state check.
  # A changed AMI or a resized instance fails the corresponding expectation.
  pinned_instances = {
    'i-02b92cf2e35f38804' => { 'image_id' => 'ami-cf709ab7' },
    'i-055988b6b6bd8be1d' => { 'instance_type' => 'c3.xlarge' }
  }

  pinned_instances.each do |instance_id, expected_attrs|
    describe aws_ec2(instance_id) do
      it { should be_running }
      expected_attrs.each do |attr_name, expected_value|
        its(attr_name) { should cmp expected_value }
      end
    end
  end
end
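control 'aws-access-key' do
  impact 0.7
  title 'Sysadmin access key exists and is in use.'
  desc 'Make sure sysadmin IAM access key exists and has been used in the last 90 days.'

  # Thresholds in days. The 730-day creation window is far more permissive than
  # the 90-day rotation period CIS AWS Foundations recommends for access keys;
  # tighten it once the key is rotated on a schedule.
  max_key_age_days = 730
  max_idle_days = 90
  # Read the clock once so both thresholds derive from the same instant.
  now = Time.now

  # NOTE(review): the key id below is a placeholder and must be replaced with the
  # real id. An access key id is not a secret, but the secret access key must
  # never be placed in a profile.
  describe aws_iam_access_key(username: 'scarolan', id: 'AXXXXXXXXXXXXXXXXXXXXX') do
    it { should exist }
    it { should be_active }
    its('create_date') { should be > now - max_key_age_days * 86400 }
    # A key that was never used presumably reports no last-used date (nil —
    # verify against the resource); fail that explicitly instead of through a
    # comparison error in the expectation that follows.
    its('last_used_date') { should_not be_nil }
    its('last_used_date') { should be > now - max_idle_days * 86400 }
  end
end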
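control 'sysadmin-iam-user' do
  impact 0.5
  # Title added so this control reports like the others in the profile.
  title 'Sysadmin IAM user exists with MFA enabled.'
  desc 'Make sure sysadmin username \'scarolan\' exists and has MFA enabled.'

  describe aws_iam_user(name: 'scarolan') do
    # The user is expected to hold a console password, so MFA must be on as well.
    its('has_mfa_enabled?') { should be true }
    its('has_console_password?') { should be true }
  end
end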
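control 'mfa-enabled-for-all' do
  title 'MFA Enabled for All Users?'
  desc 'Make sure every IAM user has MFA enabled.'
  # NOTE(review): the only test in this control is commented out, so the control
  # makes no assertion and cannot fail. Re-enable the describe block below
  # (presumably disabled until the plural aws_iam_users resource was available —
  # verify) and give the control an impact before relying on it.
  # describe aws_iam_users.where(has_mfa_enabled?: false) do
  #   it { should_not exist }
  # end
end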