
Reducing Multiple Network Calls with Chef InSpec Cloud Resource Packs

InSpec has two types of resources: `plural` and `singular`. When we use a plural resource, we get a collection of resources of one type, together with their details, through a single REST call to the cloud provider. When the InSpec singular resource is then applied to one of the resources returned by the plural resource, InSpec makes another REST call to the cloud provider to obtain the details of that resource. The drawback of this approach is that, if quota constraints are set in the cloud provider, InSpec reaches the maximum request limit and is unable to query further resources. To resolve this, we found that for certain resources the InSpec plural resource already has all the individual details of each resource, so we have added a way to skip the REST API call for the singular resource by passing the cached resource value from the plural response to the singular resource.

Ensuring Every RDS Snapshot has Encryption Enabled

Here, we use the InSpec `aws_rds_snapshots` resource to collect all resource entries, and we loop over each entry by passing it to the `aws_rds_snapshot` resource via a named argument, `resource_data`, that binds the attributes to the resource itself and skips the REST call to the cloud provider.

```ruby
aws_rds_snapshots.entries.each do |snapshot_entry|
  describe aws_rds_snapshot(resource_data: snapshot_entry) do
    it { should exist }
    it { should have_encrypted_snapshot }
  end
end
```

Looping Over Multiple Network Security Groups and Using the Cached Data to Verify That Each Group Does Not Allow Inbound Traffic

```ruby
azure_network_security_groups.entries.each do |azure_network_security_group_data|
  describe azure_network_security_group(resource_data: azure_network_security_group_data) do
    it { should_not allow(destination_ip_range: '10.0.0.0/24', direction: 'inbound') }
    it { should_not allow_in(ip_range: '10.0.0.0/24') }
  end
end
```
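To make the saving concrete for both loops above (the RDS snapshot check and the Azure NSG check follow the same pattern), here is an added, self-contained Ruby model of the behaviour. It is not InSpec's or the resource pack's own code: `FakeRdsApi`, `RdsSnapshots`, `RdsSnapshot` and the sample snapshot records are constructed stand-ins. The fake API counts requests and enforces a request quota, so you can see that re-querying each entry costs one list call plus one describe call per entry, while binding the cached entry through `resource_data:` costs exactly one call regardless of how many entries there are, and that only the cached path survives a tight quota.

```ruby
# Constructed stand-in for a cloud API with a per-run request quota.
class FakeRdsApi
  class QuotaExceeded < StandardError; end

  attr_reader :calls

  def initialize(snapshots, quota:)
    @snapshots = snapshots # constructed sample records (Array of Hash)
    @quota = quota
    @calls = 0
  end

  # Plural-style list call: returns every snapshot with full attributes.
  def describe_db_snapshots
    count!
    @snapshots.map(&:dup)
  end

  # Singular-style describe call for one snapshot id.
  def describe_db_snapshot(id)
    count!
    @snapshots.find { |s| s[:db_snapshot_identifier] == id }&.dup
  end

  private

  def count!
    @calls += 1
    raise QuotaExceeded, "request quota of #{@quota} exceeded" if @calls > @quota
  end
end

# Stand-in for a plural resource: one list call populates `entries`.
class RdsSnapshots
  attr_reader :entries

  def initialize(api)
    @entries = api.describe_db_snapshots
  end
end

# Stand-in for a singular resource. With resource_data: it binds the cached
# attributes and makes no API call; without it, it performs its own describe.
class RdsSnapshot
  def initialize(api, id: nil, resource_data: nil)
    @data = resource_data || api.describe_db_snapshot(id)
  end

  def exists?
    !@data.nil?
  end

  def encrypted_snapshot?
    exists? && @data[:encrypted] == true
  end
end

# Constructed sample data: one snapshot is deliberately unencrypted.
SAMPLE_SNAPSHOTS = [
  { db_snapshot_identifier: 'snap-prod-01', encrypted: true },
  { db_snapshot_identifier: 'snap-prod-02', encrypted: false },
  { db_snapshot_identifier: 'snap-dev-01',  encrypted: true }
].freeze

# Per-entry re-query: 1 list call + N describe calls.
def audit_without_cache(api)
  RdsSnapshots.new(api).entries.map do |entry|
    snap = RdsSnapshot.new(api, id: entry[:db_snapshot_identifier])
    [entry[:db_snapshot_identifier], snap.encrypted_snapshot?]
  end.to_h
end

# Cached entries bound via resource_data: 1 list call in total.
def audit_with_cache(api)
  RdsSnapshots.new(api).entries.map do |entry|
    snap = RdsSnapshot.new(api, resource_data: entry)
    [entry[:db_snapshot_identifier], snap.encrypted_snapshot?]
  end.to_h
end

# Identifiers of snapshots that fail the encryption control.
def unencrypted(results)
  results.reject { |_, encrypted| encrypted }.keys
end

if $PROGRAM_NAME == __FILE__
  api = FakeRdsApi.new(SAMPLE_SNAPSHOTS, quota: 10)
  puts "unencrypted: #{unencrypted(audit_with_cache(api))} after #{api.calls} call(s)"
  api = FakeRdsApi.new(SAMPLE_SNAPSHOTS, quota: 10)
  puts "unencrypted: #{unencrypted(audit_without_cache(api))} after #{api.calls} call(s)"
end
```

Run it with `ruby` to see both audits flag the same snapshot while the cached loop makes one request and the uncached loop makes four; lower `quota:` to 2 and only the cached loop completes, which is the quota failure the post describes.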

The following resources currently support this feature.

AWS:
- `aws_security_group`
- `aws_rds_snapshot`
- `aws_rds_instance`
- `aws_eks_cluster`

Azure:
- `azure_network_security_group`
- `azure_storage_account`

For more information or help in using Chef InSpec, kindly reach out to your Customer Success Manager or to the Chef Community on Chef’s Discourse channel: https://discourse.chef.io/ 


Sathish

Sathish is a Principal Engineer working on the Chef InSpec compliance team. Sathish started out as a full-stack engineer at Amazon and from there on was keen on building developer tools. He has extensive experience with AWS and its services, and working experience with Kubernetes and its internals. Currently, he is working on optimizing InSpec resources and providing rich features in the cloud resource packs.