aws_security_groups

Use the aws_security_groups InSpec audit resource to test properties of some or all security groups.

Security groups are a networking construct that contain ingress and egress rules for network communications. Security groups may be attached to EC2 instances, as well as certain other AWS resources. Along with Network Access Control Lists, Security Groups are one of the two main mechanisms of enforcing network-level security.

Syntax

An aws_security_groups resource block uses an optional filter to select a group of security groups and then tests that group.

describe aws_security_groups do
  its('entries.count') { should be > 1 }
end

Parameters

This resource does not expect any parameters.

See also the AWS documentation on Security Groups.

Properties

Property Description
group_ids The name of the auto scaling launch configuration associated with the auto scaling group
group_names An integer indicating the maximum number of instances in the auto scaling group
vpc_ids An integer indicating the desired number of instances in the auto scaling group
tags An integer indicating the minimum number of instances in the auto scaling group
entries Provides access to the raw results of the query, which can be treated as an array of hashes.

Examples

The following examples show how to use this InSpec audit resource.

Look for a particular security group in just one VPC
describe aws_security_groups.where( vpc_id: 'vpc-12345678') do
  its('group_ids') { should include('sg-abcdef12')}
end
Examine the default security group in all VPCs
describe aws_security_groups.where( group_name: 'default') do
  it { should exist }
end
Allow at most 100 security groups on the account
describe aws_security_groups do
  its('entries.count') { should be <= 100}
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

exist

The control will pass if the filter returns at least one result.

Use should_not if you expect zero matches.

# You will always have at least one SG, the VPC default SG
describe aws_security_groups
  it { should exist }
end

AWS Permissions

Your Principal will need the ec2:DescribeSecurityGroups action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2.