InSpec 2 introduces the ability to test cloud resources for compliance in addition to the system and application-level resources that previously appeared in InSpec 1. In this tutorial, we’ll use InSpec to write a very simple control to check attributes on a virtual machine in Amazon Web Services (AWS).
For the purposes of this tutorial, we’re going to assume you already have an AWS account and that you’re familiar with how to create virtual machines using the AWS console. We also assume you’ve used the AWS command-line tools before and have Identity and Access Manager (IAM) credentials set up. If neither of these is the case, please consult the relevant AWS tutorial before continuing further.
Let’s go to the AWS console and launch a new EC2 instance that we can use for our test. We’ll create one using the Amazon Linux AMI:
On the next screen, let’s choose to make the instance size t2.nano in order to keep our costs low for this exercise.
Don’t click Review and Launch yet. We’re going to modify a few parameters before we launch the instance, so click Next: Configure Instance Details first.
On the next screen, let’s make sure this instance doesn’t have a public IP address, so set Assign Public IP to Disable:
Click Next: Add Storage but skip the storage configuration screen by clicking Next: Add Tags. Let’s add a Name tag by following the link to do so and name it “InSpec test server”.
Great. We have configured enough of our instance to click Review and Launch.
Once you’ve launched your instance and it’s fully provisioned, it’s time to use InSpec to write a cloud compliance rule against it. In this tutorial, we’re going to use the InSpec shell to make sure we have our syntax right. We could then take our code and put it in a full InSpec profile later if we wanted to.
If you don’t already have InSpec installed, please visit the downloads page to get it. You’ll want to make sure you are using InSpec 2.0 or later.
Now let’s start the InSpec shell using the AWS driver:
$ inspec shell -t aws://
If you started your EC2 virtual machine in a region that’s different than the default one specified in your AWS CLI configuration file (~/.aws/config), you’ll want to specify the right region, for example:
$ inspec shell -t aws://us-east-2
The shell will start up and give you a prompt like this:
Welcome to the interactive InSpec Shell To find out how to use it, type: help You are currently running on: OS platform: aws OS family: cloud OS release: aws-sdk-v2.10.133 inspec>
Let’s write a simple control to make sure the instance is running. Enter this directly into the shell:
describe aws_ec2_instance(name: 'InSpec test server') do its('state') { should cmp 'running' } end
After you type the final end, InSpec will evaluate the test:
Profile: inspec-shell Version: (not specified) EC2 Instance InSpec test server ✔ state should cmp == "running" Test Summary: 1 successful, 0 failures, 0 skipped
Great! If you got an error, check that you named the server in the EC2 console the same as what you put in the test.
We can now augment our test with some of the other attributes we configured the instance with. For example, we can make sure the instance does not have a public IP address:
describe aws_ec2_instance(name: 'InSpec test server') do its('public_ip_address') { should be_nil } end
We could also check to see that the instance is using an approved Amazon Machine Image (AMI):
describe aws_ec2_instance(name: 'InSpec test server') do its('image_id') { should cmp 'ami-f63b1193' } end
(The actual image ID for the Amazon Linux image will vary by region so you may get a test failure.)
For more information on the types of parameters that can be tested, please consult the InSpec documentation.
Before we leave the shell and finish this tutorial, let’s have a look at all the other cloud resources you can use. Type
help resources
into the InSpec shell and look at all resources starting with aws
for AWS resources, and azure
for Microsoft Azure resources. You can type help
followed by the resource name into the shell for a brief description of how to use it, or consult the InSpec documentation for a longer description.
Finally, exit the shell by typing quit
and pressing Enter. (Don’t forget to terminate your AWS EC2 instance once you’re done experimenting!)
We hope this brief tutorial has helped illustrate the cloud compliance resources available in InSpec 2 and how to get started using them. We can’t wait to see the profiles you create using this new feature. Thanks again for using InSpec!