aws_ebs_volume

Use the aws_ebs_volume InSpec audit resource to test properties of a single AWS EBS volume.

Syntax

Ensure an EBS exists

describe aws_ebs_volume('vol-01a2349e94458a507') do
  it { should exist }
end

You may also use hash syntax to pass the EBS volume name

describe aws_ebs_volume(name: 'data-vol') do
  it { should exist }
end

Parameters

This resource accepts a single parameter, either the EBS Volume name or id. At least one must be provided.

volume_id (required if name not provided)

The EBS Volume ID which uniquely identifies the volume. This can be passed as either a string or an volume_id: 'value' key-value entry in a hash.

name (required if `volumeid` not provided)_

The EBS Volume Name which uniquely identifies the volume. This must be passed as a name: 'value' key-value entry in a hash.

See also the AWS documentation on EBS.

Properties

Property Description
availability_zone The Availability Zone for the volume.
encrypted Indicates whether the volume will be encrypted.
iops The number of I/O operations per second (IOPS) that the volume supports.
kms_key_id The full ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the volume encryption key for the volume.
size The size of the volume, in GiBs.
snapshot_id The snapshot from which the volume was created, if applicable.
status The volume state.
volume_type The volume type.

Examples

Test that an EBS Volume does not exist
describe aws_ebs_volume(name: 'data_vol') do
  it { should_not exist }
end
Test that an EBS Volume is encrypted
describe aws_ebs_volume(name: 'secure_data_vol') do
  it { should be_encrypted }
end
Test that an EBS Volume the correct size
describe aws_ebs_volume(name: 'data_vol') do
  its('size') { should cmp 32 }
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

describe aws_ebs_volume(name: 'data_vol') do
  it { should exist }
end

describe aws_ebs_volume(name: 'data_vol') do
  it { should_not exist }
end

be_encrypted

The be_encrypted matcher tests if the described EBS Volume is encrypted.

it { should be_encrypted }

AWS Permissions

Your Principal will need the ec2:DescribeVolumes, and iam:GetInstanceProfile actions set to allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2, and Actions, Resources, and Condition Keys for Identity And Access Management.