# aws_ebs_volume

Use the `aws_ebs_volume` InSpec audit resource to test properties of a single AWS EBS volume.
## Syntax

Ensure an EBS volume exists:

```ruby
describe aws_ebs_volume('vol-01a2349e94458a507') do
  it { should exist }
end
```

You may also use hash syntax to pass the EBS volume name:

```ruby
describe aws_ebs_volume(name: 'data-vol') do
  it { should exist }
end
```
## Parameters

This resource accepts a single parameter, either the EBS volume name or ID. At least one must be provided.

### volume_id (required if `name` not provided)

The EBS volume ID, which uniquely identifies the volume. This can be passed either as a string or as a `volume_id: 'value'` key-value entry in a hash.

### name (required if `volume_id` not provided)

The EBS volume name, which uniquely identifies the volume. This must be passed as a `name: 'value'` key-value entry in a hash.

See also the AWS documentation on EBS.
## Properties

| Property | Description |
|---|---|
| availability_zone | The Availability Zone for the volume. |
| encrypted | Indicates whether the volume is encrypted. |
| iops | The number of I/O operations per second (IOPS) that the volume supports. |
| kms_key_id | The full ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the volume encryption key for the volume. |
| size | The size of the volume, in GiB. |
| snapshot_id | The snapshot from which the volume was created, if applicable. |
| status | The volume state. |
| volume_type | The volume type. |
## Examples

### Test that an EBS volume does not exist

```ruby
describe aws_ebs_volume(name: 'data_vol') do
  it { should_not exist }
end
```

### Test that an EBS volume is encrypted

```ruby
describe aws_ebs_volume(name: 'secure_data_vol') do
  it { should be_encrypted }
end
```

### Test that an EBS volume has the correct size

```ruby
describe aws_ebs_volume(name: 'data_vol') do
  its('size') { should cmp 32 }
end
```
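The checks in the Properties table and the examples above (existence, `be_encrypted`, `its('kms_key_id')`, `its('size')`) can be combined into one policy evaluation. The following plain-Ruby example is added here to illustrate that logic and is not InSpec's own code: it runs offline against a constructed `DescribeVolumes`-style record set, with `find_volume` mirroring the resource's lookup by ID or by name and `check_volume` returning the list of failures a control would report. The account ID, key ARN and the second volume ID are constructed placeholder values, and the "CMK must belong to our own account" rule is an assumed policy, not something the resource enforces.

```ruby
# Added example (not part of the InSpec resource). Constructed volume data,
# shaped like the fields aws_ebs_volume exposes; none of it is real.
VOLUMES = {
  'vol-01a2349e94458a507' => {
    name: 'secure_data_vol',
    encrypted: true,
    # constructed ARN: account 111122223333 is a placeholder
    kms_key_id: 'arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000',
    size: 32,
    volume_type: 'gp3',
    status: 'in-use',
    availability_zone: 'us-east-1a'
  },
  'vol-0bbbbbbbbbbbbbbbb' => {          # constructed placeholder ID
    name: 'data_vol',
    encrypted: false,
    kms_key_id: nil,                    # unencrypted volumes carry no key
    size: 64,
    volume_type: 'gp2',
    status: 'available',
    availability_zone: 'us-east-1b'
  }
}.freeze

# Look a volume up by ID or by name, like aws_ebs_volume(id) and
# aws_ebs_volume(name: ...). Returns nil when nothing matches, which is the
# situation `should_not exist` tests for.
def find_volume(volumes, id: nil, name: nil)
  raise ArgumentError, 'a volume id or name is required' if id.nil? && name.nil?
  return volumes[id] if id

  volumes.values.find { |v| v[:name] == name }
end

# Return the account ID segment of a KMS key ARN, or nil if it is not an ARN.
# ARN layout: arn:partition:service:region:account-id:resource
def kms_key_account(arn)
  parts = arn.to_s.split(':')
  return nil unless parts[0] == 'arn' && parts[2] == 'kms' && parts.length >= 6

  parts[4]
end

# Evaluate one volume against an assumed policy: it must exist, be encrypted
# with a CMK from our own account, and not exceed max_size GiB. Returns an
# array of failure messages; an empty array means the volume passes.
def check_volume(vol, expected_account:, max_size:)
  return ['volume does not exist'] if vol.nil?

  failures = []
  failures << 'not encrypted' unless vol[:encrypted]
  unless kms_key_account(vol[:kms_key_id]) == expected_account
    failures << 'kms_key_id not in expected account'
  end
  failures << "size #{vol[:size]} exceeds #{max_size}" if vol[:size] > max_size
  failures
end

if __FILE__ == $PROGRAM_NAME
  %w[secure_data_vol data_vol missing_vol].each do |name|
    result = check_volume(find_volume(VOLUMES, name: name),
                          expected_account: '111122223333', max_size: 32)
    puts "#{name}: #{result.empty? ? 'pass' : result.join(', ')}"
  end
end
```

The unencrypted `data_vol` fails three ways at once, which is the case a real control should surface separately rather than as a single boolean; checking the key's account segment in addition to `encrypted` catches volumes encrypted with a key outside your control.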
## Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

### exist

The control will pass if the describe returns at least one result. Use `should_not` to test that the entity should not exist.

```ruby
describe aws_ebs_volume(name: 'data_vol') do
  it { should exist }
end
```

```ruby
describe aws_ebs_volume(name: 'data_vol') do
  it { should_not exist }
end
```

### be_encrypted

The `be_encrypted` matcher tests if the described EBS volume is encrypted.

```ruby
it { should be_encrypted }
```
## AWS Permissions

Your Principal will need the `ec2:DescribeVolumes` and `iam:GetInstanceProfile` actions set to allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2, and Actions, Resources, and Condition Keys for Identity And Access Management.