aws_config_recorder
Use the aws_config_recorder
InSpec audit resource to test properties of your AWS Config Service.
The AWS Config service can monitor and record changes to your AWS resource configurations. The Aws Config Recorder is used to detect changes in resource configurations and capture these changes as configuration items.
As of April 2018, you are only permitted one configuration recorder per region.
Syntax
Ensure that an auto scaling group exists and has the correct scale sizes
describe aws_config_recorder('my-recorder') do
it { should exist }
end
You may also use hash syntax to pass the recorder name
describe aws_config_recorder(recorder_name: 'my-recorder') do
it { should exist }
end
Since you may only have one recorder per region, and InSpec connections are per-region, you may also omit the recorder name to obtain the one recorder (if any) that exists:
describe aws_config_recorder do
it { should exist }
end
Parameters
recorder_name (optional)
This resource accepts a single parameter, the Configuration Recorder Name.
This can be passed either as a string or as a recorder_name: 'value'
key-value entry in a hash.
See also the AWS documentation on Configuration.
Properties
Property | Description |
---|---|
recorder_name | The name of the recorder. By default, AWS Config automatically assigns the name “default” when creating the configuration recorder. You cannot change the assigned name. |
role_arn | Amazon Resource Name (ARN) of the IAM role used to describe the AWS resources associated with the account. |
resource_types | A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (i.e. AWS::EC2::Instance) |
Examples
Test if the recorder is active and recording
describe aws_config_recorder do
it { should be_recording }
end
Ensure the role_arn is correct for the recorder
The role is used to grant permissions to S3 Buckets, SNS topics and to get configuration details for supported AWS resources. describe awsconfigrecorder do its(‘rolearn’) { should eq ‘arn:aws:iam::721741954427:role/MyRecorder’ } end
Test the recorder is monitoring changes to the correct resources.
describe aws_config_recorder do
its('resource_types') { should include 'AWS::EC2::CustomerGateway' }
its('resource_types') { should include 'AWS::EC2::EIP' }
end
Matchers
be_recording
Ensure the recorder is active
it { should be_recording }
be_recording_all_resource_types
Indicates if the ConfigurationRecorder will record changes for all resources, regardless of type. If this is true, resource_types is ignored.
it { should be_recording_all_resource_types }
be_recording_all_global_types
Indicates whether the ConfigurationRecorder will record changes for global resource types (such as Principals).
it { should be_recording_all_global_types }
AWS Permissions
Your Principal will need the config:DescribeConfigurationRecorders
action with Effect set to Allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for AWS Config.