Skip to main content

aws_dynamodb_table Resource

Use the aws_dynamodb_table InSpec audit resource to test properties of a single DynamoDb Table.

Installation

This resource is available in the Chef InSpec AWS resource pack.

See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.

Syntax

Ensure an DynamoDb Table exists.

describe aws_dynamodb_table(table_name: 'table-name') do
  it { should exist }
end

Parameters

table_name (required)

The table name used by this DynamoDb Table. This must be passed as a table_name: 'value' key-value entry in a hash.

Properties

table_name
The name of the DynamoDb Table.
table_status
The status of the DynamoDb Table.
table_arn
The Amazon Resource Names of the DynamoDb Table.
creation_date
The date the DynamoDb Table was created. eg. 01/01/2019.
number_of_decreases_today
The number of provisioned throughput decreases for this table during this UTC calendar day.
write_capacity_units
The maximum number of writes consumed per second before DynamoDb returns a ThrottlingException.
read_capacity_units
The maximum number of strongly consistent reads consumed per second before DynamoDb returns a ThrottlingException.
item_count
The number of entries in the DynamoDb Table.
attributes
An array of attributes that describe the key schema for the table and indexes. This is returned as a hash. Each entry is composed of: attribute_name - The name of this key attribute. attribute_type - The datatype of the attribute : B - Boolean, N - Number, S - string.
key_schema
Specifies the attributes that make up the primary key for a table or an index. This is returned as a hash. The attributes in KeySchema must also be defined in the Attributes array. Each element in the KeySchemaElement array is composed of: attribute_name - The name of this key attribute. key_type - The role that the key attribute will assume: HASH - partition key, RANGE - sort key.
global_secondary_indexes
A list of global secondary indexes if there is any referenced on the selected table.

Examples

Ensure DynamoDb Table status is active.

describe aws_dynamodb_table(table_name: 'table-name') do
  its('table_status') { should eq 'ACTIVE' }
end

Ensure DynamoDb Table has an attribute.

describe aws_dynamodb_table(table_name: 'table-name') do
  its('attributes') { should_not be_empty }
  its('attributes') { should include({:attribute_name =>'table_field', :attribute_type =>'N'}) }
end

Ensure DynamoDb Table has a key_schema.

describe aws_dynamodb_table(table_name: 'table-name') do
  its('key_schema') { should_not be_empty }
  its('key_schema') { should include({:attribute_name =>'table_field', :key_type =>'HASH'}) }
end

Ensure DynamoDb Table has the correct global secondary indexes set.

aws_dynamodb_table(table_name: 'table-name').global_secondary_indexes.each do |global_sec_idx|
  describe global_sec_idx do
    its('index_name') { should eq 'TitleIndex' }
    its('index_status') { should eq 'ACTIVE' }
    its('key_schema') { should include({:attribute_name =>'Title', :key_type =>'HASH'}) }
    its('provisioned_throughput.write_capacity_units') { should cmp 10 }
    its('provisioned_throughput.read_capacity_units') { should cmp 10 }
    its('projection.projection_type') { should eq 'INCLUDE' }
  end
end

Ensure DynamoDb Table is encrypted.

describe aws_dynamodb_table(table_name: 'table-name') do
   it { should be_encrypted}
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

be_encrypted

The be_encrypted matcher tests if the DynamoDB Table is encrypted.

it { should be_encrypted }

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

describe aws_dynamodb_table(table_name: 'table-name') do
  it { should exist }
end
describe aws_dynamodb_table(table_name: 'table-name') do
  it { should_not exist }
end

AWS Permissions

Your Principal will need the DynamoDB:Client:DescribeTableOutput action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon Dynamodb.

Edit this page on GitHub.

Thank you for your feedback!

×









Search Results