Chef Inspec Tests For AWS Resources

I recently implemented a couple of GitLab pipelines and wanted to add Chef InSpec tests for the AWS resources created in the previous pipeline steps. I used the inspec/inspec-aws repository to implement this and thought I would write it up for my followers.

First, I installed InSpec on the operating system. Since I used this in one of the pipelines with Ubuntu as the base image, I installed it on Ubuntu. The command below installs the InSpec package on the OS (the install script fetches the latest release unless you pin a version with its -v option, which is what you want in a pipeline so that a new release does not change the behaviour of your tests).

curl https://omnitruck.chef.io/install.sh | bash -s -- -P inspec

Installation instructions for other platforms are in the Chef InSpec documentation.

After a successful installation of the Chef InSpec library, I initialized an InSpec profile named “aws-resources” with the command below. It produced the code generation output shown below.

inspec init profile aws-resources
[Screenshot: output of the inspec init profile command]

If it is the first time you run the InSpec commands, it will prompt you to accept the license. Just accept it to create the profile. To automate the license acceptance, I set the “CHEF_LICENSE” environment variable to “accept-no-persist” in my pipeline. Otherwise it will wait for user input and break the pipeline.

The inspec init command creates a folder with the name provided, containing a basic control file (controls/example.rb) and the profile metadata file inspec.yml.

[Screenshot: folders and files of the generated profile]

I modified the “inspec.yml” file as below. Here I also wanted to show how a profile accepts an input, which is useful in many scenarios: my profile takes the bucket name as the “bucketname” input (populated from the “DEV_BUCKET” variable), declares the “inspec-aws” repository as a dependency and sets the supported platform to “aws”.

Here is my “inspec.yml” file:

name: aws-resources
title: InSpec Profile
maintainer: Aruna Lakmal
copyright: TechCrumble
copyright_email: aruna.lakmal@tc.io
license: Apache-2.0
summary: An InSpec Compliance Profile
version: 0.1.0
# The AWS resource library, pinned to a release so the tests stay reproducible
depends:
  - name: inspec-aws
    url: https://github.com/inspec/inspec-aws/archive/v1.21.0.tar.gz
supports:
  platform: aws
# Profile input ("attributes" is the older name for "inputs" in InSpec 4)
attributes:
  - name: bucketname
    description: "S3 bucket name"
    required: true
    # inspec.yml does not expand environment variables, so this default is the
    # literal string "$DEV_BUCKET"; the real name is supplied with --input at run time
    value: $DEV_BUCKET
    type: string

Also, I added a couple of controls to check the AWS resources, as below.

# Read the profile input declared in inspec.yml (overridden at run time with --input)
bucketname = attribute('bucketname')

control "AWS S3" do
  impact 0.7
  title "Check AWS Backend S3 Buckets"

  # The bucket must exist and must not be publicly accessible
  describe aws_s3_bucket(bucket_name: bucketname) do
    it { should exist }
    it { should_not be_public }
  end
end

control "AWS EC2" do
  impact 0.9
  title "Check AWS EC2 Node Count"

  # Expect exactly four instances in the configured region
  describe aws_ec2_instances do
    its('instance_ids.count') { should cmp 4 }
  end
end

control "AWS EC2 AMI" do
  impact 0.9
  title "Check AWS EC2 Instance AMI"

  # Check every instance individually: no IAM role attached, the expected
  # key pair and the expected AMI
  aws_ec2_instances.instance_ids.each do |instance_id|
    describe aws_ec2_instance(instance_id) do
      it              { should_not have_roles }
      its('key_name') { should cmp 'ironman' }
      its('image_id') { should eq 'ami-0a887e401f7654935' }
    end
  end
end

control "AWS Security Group" do
  impact 0.9
  title "Check Security Group Availability"

  describe aws_security_group(group_name: 'tc_kubeadm_sg') do
    it { should exist }
  end
end

control "SSH Access" do
  impact 0.8
  title "Check Security Group Access for SSH"

  # Confirm the SSH ingress rule expected for this group is present
  describe aws_security_group(group_name: 'tc_kubeadm_sg') do
    it { should allow_in(port: 22, ipv4_range: '0.0.0.0/0') }
  end
end

The above InSpec controls perform the following tests:

  • Check that the S3 bucket given as an input exists and is not public
  • Check the EC2 node count
  • Check the AMI, key pair and roles of each EC2 instance
  • Check the existence of the security group
  • Check the SSH access rule of the security group

Before you run the InSpec tests, AWS credentials must be available, either as environment variables or in the ~/.aws/credentials file, and the ~/.aws/config file must specify the relevant region.

To run the InSpec tests locally, use the command below with your bucket name:

inspec exec aws-resources -t aws:// --input bucketname="s3_bucket_name"

If you created a separate GitHub repository for the InSpec profile, you can run the InSpec checks directly from it as below:

inspec exec https://github.com/ArunaLakmal/inspec-profile-aws-tc-k8s.git -t aws:// --input bucketname="s3_bucket_name"

Your final results will be output as below after the execution of the tests.

[Screenshot: InSpec test output]
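The post reads the results from the console output; in a pipeline it is more useful to have inspec exec write a JSON report (--reporter json:report.json) and let a small gate decide. As an added example, not code from the original post, the Ruby script below reads that JSON reporter output and blocks only on failed controls whose impact meets a threshold (0.7 by default, matching the lowest impact used above); the embedded report is constructed and trimmed to the fields the gate uses.

```ruby
require 'json'

# Constructed sample of `inspec exec ... --reporter json` output, reduced to the
# fields the gate reads (profiles -> controls -> results); not real test output.
SAMPLE_REPORT = <<~'JSON'
  {"profiles":[{"name":"aws-resources","controls":[
    {"id":"AWS S3","impact":0.7,"results":[
      {"status":"passed","code_desc":"S3 Bucket dev-bucket is expected to exist"},
      {"status":"failed","code_desc":"S3 Bucket dev-bucket is expected not to be public",
       "message":"expected public? to return false, got true"}]},
    {"id":"AWS EC2","impact":0.9,"results":[
      {"status":"passed","code_desc":"EC2 Instances instance_ids.count is expected to cmp == 4"}]},
    {"id":"AWS Security Group","impact":0.9,"results":[
      {"status":"skipped","code_desc":"Security Group","skip_message":"group not found"}]}
  ]}]}
JSON

# One summary entry per control: its impact plus counts of failed and skipped results.
def summarize_report(json_text)
  report = JSON.parse(json_text)
  report.fetch('profiles').flat_map do |profile|
    profile.fetch('controls').map do |ctl|
      statuses = ctl.fetch('results', []).map { |r| r['status'] }
      { id: ctl['id'], impact: ctl['impact'].to_f,
        failed: statuses.count('failed'), skipped: statuses.count('skipped') }
    end
  end
end

# Pipeline gate: a failed control whose impact is at or above `threshold` blocks
# the job; lower-impact failures and skipped controls are only reported.
# Returns [blocked?, ids of the blocking controls].
def gate(json_text, threshold: 0.7)
  blocking = summarize_report(json_text).select do |c|
    c[:failed] > 0 && c[:impact] >= threshold
  end
  [!blocking.empty?, blocking.map { |c| c[:id] }]
end

# Demo run over the constructed report; in the pipeline pass the report file path.
text = ARGV.first && File.exist?(ARGV.first) ? File.read(ARGV.first) : SAMPLE_REPORT
summarize_report(text).each do |c|
  puts format('%-20s impact=%.1f failed=%d skipped=%d', c[:id], c[:impact], c[:failed], c[:skipped])
end
blocked, ids = gate(text)
puts(blocked ? "BLOCKED by: #{ids.join(', ')}" : 'OK to proceed')
```

inspec exec already exits non-zero when any control fails, so the gate's value is letting the job distinguish high-impact failures (exit non-zero when it prints BLOCKED) from low-impact ones and skips that only need a warning.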

I hope this will be useful for anyone who is looking for similar kind of implementation with Chef Inspec tests for AWS resources.

Aruna Fernando
