aws_vpc_endpoint_services Resource
Use the aws_vpc_endpoint_services
InSpec audit resource to test the properties of all AWS VPC Endpoint Services.
To audit a single endpoint service, use the aws_vpc_endpoint_service
(singular) resource.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
An aws_vpc_endpoint_services
resource block collects a group of VPC endpoint services’ descriptions and tests the group.
describe aws_vpc_endpoint_services
it { should exist }
end
Properties
service_names
- The Amazon Resource Names (ARN) of the services.
Field:
service_name
service_ids
- The IDs of the endpoint services.
Field:
service_id
service_types
- The types of services.
Field:
service_type
availability_zones
- The Availability Zones in which the services are available.
Field:
availability_zones
owners
- The AWS account IDs of the service owners.
Field:
owner
base_endpoint_dns_names
- The DNS names for the service.
Field:
base_endpoint_dns_names
private_dns_name
- The private DNS name for the service.
Field:
private_dns_name
vpc_endpoint_policy_supported
- Whether the service supports endpoint policies. Valid values:
true
orfalse
. Field:
vpc_endpoint_policy_supported
acceptance_required
- Whether VPC endpoint connection requests to the service must be accepted by the service owner. Valid values:
true
orfalse
. Field:
acceptance_required
manages_vpc_endpoints
- Whether the service manages its VPC endpoints. Valid values:
true
orfalse
. Field:
manages_vpc_endpoints
tags
- The tags assigned to the service.
Field:
tags
private_dns_name_verification_states
- The verification states of the VPC endpoint service.
Field:
private_dns_name_verification_states
Examples
Ensure that exactly three VPC endpoint services exist.
describe aws_vpc_endpoint_services do
its('count') { should eq 3 }
end
Filter all services in us-east-2a
availability_zones.
describe aws_vpc_endpoint_services.where{ availability_zones.include?('us-east-2a') } do
it { should exist }
end
Filter all service where acceptance is required from the service owner.
describe aws_vpc_endpoint_services.where(acceptance_required: true) do
it { should exist }
end
Filter all static if it manages its vpc endpoints.
describe aws_vpc_endpoint_services.where(manages_vpc_endpoints: true) do
it { should exist }
end
Filter all private dns name verification states.
describe aws_vpc_endpoint_services.where(private_dns_name_verification_states: 'verified') do
it { should exist }
end
Request all the service names and check if endpoint policies are supported.
aws_vpc_endpoint_services.service_names.each do |service_name|
describe aws_vpc_endpoint_service(service_name: service_name) do
it { should be_vpc_endpoint_policy_supported }
end
end
Matchers
For the complete list of available matchers, visit Universal Matchers page.
exist
The control will pass if the ‘describe’ method returns at least one result.
describe aws_vpc_endpoint_services.where( PROPERTY: VALUE) do
it { should exist }
end
Use should_not
to test an entity that should not exist.
describe aws_vpc_endpoint_services.where( PROPERTY: VALUE) do
it { should_not exist }
end
AWS Permissions
Your Principal will need the EC2:Client:DescribeVpcEndpointServicesResult
action with Effect
set to Allow
.
You can find detailed documentation at Actions, Resources, and Condition Keys for VPC endpoint services, and Actions, Resources, and Condition Keys for Identity And Access Management.