We are delighted to announce the availability of InSpec 2.0, the newest version of Chef’s open-source project for compliance automation. InSpec helps you express security and compliance requirements as code and incorporate them directly into the delivery process, eliminating ambiguity and manual processes to help you ship faster while remaining secure.
InSpec 2.0’s newest feature is the ability to test cloud resources for compliance, not just machines, by connecting directly to cloud provider APIs. Today we are launching with support for Amazon Web Services (AWS) and Microsoft Azure, with more to come. For example, here is how you can use InSpec to check for insecure AWS S3 buckets, which is a common security problem that has been in the news recently:
describe aws_s3_bucket(bucket_name: 'my_secret_files') do
  it { should exist }
  it { should_not be_public }
end
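To make concrete what a "public bucket" test has to look at, here is an added Ruby example (not InSpec's implementation and not code from the original post) that flags buckets whose ACL grants access to S3's global groups or whose policy allows a wildcard principal. The bucket names, owner ID and hash layout are constructed for illustration and assume data shaped like S3's bucket ACL and bucket policy responses.

```ruby
require 'json'
# Group URIs S3 uses in ACL grants for "anyone" and "any AWS account holder".
PUBLIC_GROUP_URIS = [
  'http://acs.amazonaws.com/groups/global/AllUsers',
  'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
].freeze

# True if any ACL grant is made to one of the global groups.
def acl_public?(grants)
  grants.any? do |grant|
    grant.dig('Grantee', 'Type') == 'Group' &&
      PUBLIC_GROUP_URIS.include?(grant.dig('Grantee', 'URI'))
  end
end

# True if the bucket policy has an Allow statement with a wildcard principal.
# Conditions are ignored here, so a flagged policy still needs human review.
def policy_public?(policy_json)
  return false if policy_json.nil? || policy_json.strip.empty?
  statements = JSON.parse(policy_json)['Statement']
  statements = [statements] if statements.is_a?(Hash) # single-statement form
  Array(statements).any? do |stmt|
    principal = stmt['Principal']
    wildcard = principal == '*' ||
               (principal.is_a?(Hash) && Array(principal['AWS']).include?('*'))
    stmt['Effect'] == 'Allow' && wildcard
  end
end

# Names of the buckets that either check flags.
def public_buckets(buckets)
  buckets.select { |b| acl_public?(b[:grants]) || policy_public?(b[:policy]) }
         .map { |b| b[:name] }
end

# Constructed sample data (hypothetical bucket names and owner ID).
OWNER = { 'Grantee' => { 'Type' => 'CanonicalUser', 'ID' => 'constructed-owner-id' },
          'Permission' => 'FULL_CONTROL' }.freeze
ANYONE = { 'Grantee' => { 'Type' => 'Group', 'URI' => PUBLIC_GROUP_URIS[0] },
           'Permission' => 'READ' }.freeze
OPEN_POLICY = '{"Version":"2012-10-17","Statement":{"Effect":"Allow",' \
              '"Principal":"*","Action":"s3:GetObject",' \
              '"Resource":"arn:aws:s3:::example-policy-open/*"}}'
SAMPLE_BUCKETS = [
  { name: 'example-private', grants: [OWNER], policy: nil },
  { name: 'example-acl-open', grants: [OWNER, ANYONE], policy: nil },
  { name: 'example-policy-open', grants: [OWNER], policy: OPEN_POLICY }
].freeze
puts public_buckets(SAMPLE_BUCKETS)
```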
We can also write a similar rule for an Azure storage group containing publicly-accessible blobs to make sure it follows best practices:
describe azure_generic_resource(group_name: 'my_secret_storage', type: 'Microsoft.Storage/storageAccounts') do
  its('properties.encryption.keySource') { should cmp 'Microsoft.Storage' }
  its('properties.encryption.services.blob.enabled') { should be true }
  its('properties.supportsHttpsTrafficOnly') { should be true }
end
To get started with the new compliance features in InSpec 2.0, please see this brief tutorial that shows you how to check several aspects of an Amazon virtual machine instance. You can also look at InSpec’s documentation, which illustrates all the cloud resources available for testing. Shortly, we will have additional tracks on Learn Chef Rally with extended tutorials for cloud resources on both AWS and Microsoft Azure.
InSpec 2.0 also includes over 30 new resources to help you test common system and application configurations for conformance. You can now natively write InSpec rules for checks as diverse as SQL database configurations, webserver (Apache/IIS/NGINX) configurations, Docker images, and much more.
We’d like to thank all of our open-source InSpec community members for helping to make this release amazing, particularly our development partners at D2L and MITRE, as well as our InSpec engineering team here at Chef. Thank you for using InSpec and we hope you enjoy the new release.