aws_shield_subscription Resource
Use the aws_shield_subscription InSpec audit resource to test properties of an AWS Shield Advanced subscription.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
An aws_shield_subscription resource block returns a Shield Advanced subscription.
describe aws_shield_subscription do
  it { should exist }
end
Parameters
This resource does not require any parameters.
Properties
auto_renew
- If ENABLED, the subscription will be automatically renewed at the end of the existing subscription period. Valid values: ENABLED or DISABLED.
end_time
- The date and time your subscription will end.
limits
- Specifies how many protections of a given type you can create. This is an array containing the Type of protection and the maximum number of protections that can be created for the specified Type.
proactive_engagement_status
- Valid values: ENABLED, DISABLED, PENDING.
If ENABLED, the DDoS Response Team (DRT) will use email and phone to notify contacts about escalations to the DRT and to initiate proactive customer support.
If PENDING, you have requested proactive engagement and the request is pending. The status changes to ENABLED when your request is fully processed.
If DISABLED, the DRT will not proactively notify contacts about escalations or to initiate proactive customer support.
start_time
- The start time of the subscription, in Unix time in seconds.
time_commitment_in_seconds
- The length, in seconds, of the AWS Shield Advanced subscription for the account.
For a comprehensive list of properties available, see the API reference documentation.
Examples
Check the automatic renewal status of a Shield Subscription.
describe aws_shield_subscription do
  its('auto_renew') { should eq 'ENABLED' }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.
AWS Permissions
Your Principal will need the Shield:Client:DescribeSubscriptionResponse action with Effect set to Allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon Shield.