aws_sns_subscription

Use the aws_sns_subscription InSpec audit resource to test detailed properties of a AWS SNS Subscription.

Syntax

An aws_sns_subscription resource block uses resource parameters to search for a SNS Subscription, and then tests that subscriptions properties. If no Subscriptions match, no error is raised, but the exists matcher will return false and all properties will be nil.

describe aws_sns_subscription('arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6') do
  it { should exist }
end

Parameters

subscription_arn (required)

This resource accepts a single parameter, the subscriptionarn. This can be passed either as a string or as a `subscriptionarn: ‘value’` key-value entry in a hash.

See also the AWS documentation on SNS.

Properties

Property Description
arn An integer indicating the minimum number of instances in the auto scaling group
owner An integer indicating the maximum number of instances in the auto scaling group
raw_message_delivery An integer indicating the desired number of instances in the auto scaling group
topic_arn The name of the auto scaling launch configuration associated with the auto scaling group
protocol An array of strings corresponding to the subnet IDs associated with the auto scaling group
confirmation_was_authenticated An hash with each key-value pair corresponding to a tag associated with the entity

Examples

Inspect the endpoint
describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6' ) do
  # If protocol is 'sms', this should be a phone number:
  its('endpoint') { should cmp '+16105551234' }
  # If protocol is 'email' or 'email-json', endpoint should be an email address
  its('endpoint') { should cmp 'myemail@example.com' }
  # If protocal is 'http', endpoint should be a URL beginning with 'https://'
  its('endpoint') { should cmp 'https://www.exampleurl.com' }
  # If the protocol is 'lambda', its endpoint should be the ARN of a AWS Lambda function
  its('endpoint') { should cmp 'rn:aws:lambda:us-east-1:account-id:function:myfunction' }
end
Inspect the owners ID
describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6' ) do
  its('owner') { should cmp '12345678' }
end
Inspect the endpoint
describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6' ) do
  its('protocol') { should cmp 'sqs' }
end

Matchers

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

  it { should exist }

  it { should_not exist }

be_confirmation_authenticated

Provides whether or not the subscription confirmation request was authenticated.

describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::NOGOOD:b214aff5-a2c7-438f-a753-8494493f2ff6')
  it { should be_confirmation_authenticated }
end

have_raw_message_delivery

Provides whether or not the original message is passed as is, not formatted as a json or yaml.

describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::NOGOOD:b214aff5-a2c7-438f-a753-8494493f2ff6')
  it { should have_raw_message_delivery }
end

AWS Permissions

Your Principal will need the sns:GetSubscriptionAttributes action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon SNS.