InSpec launches support for cloud platform assessments

InSpec Cloud Modules

We are proud to announce the release of three new open-source incubation projects to the InSpec community: inspec-aws, inspec-azure, and inspec-vmware. With these projects, InSpec extends its reach into these widely used platforms. You can now use InSpec for cloud native security and integration testing.

When we first released InSpec, we focused on infrastructure nodes (compute) and their operating systems. The goal was to support all platforms, from legacy systems to modern runtimes: Linux, Windows, OSX, AIX, HPUX, and more. The extensible InSpec runtime lets us add support for new platforms as they emerge, and for new capabilities as existing platforms gain them.

However, the goal for InSpec has always been to go beyond testing host operating systems. To that end, InSpec is being redesigned so that you can test your entire fleet-wide application infrastructure. While host-based testing on platforms such as AWS, Azure, and VMware was already possible, it covered only the guest operating system, one aspect of the runtime.

With these releases InSpec reaches beyond operating systems to the additional components that drive them: APIs, network objects, storage components, and orchestrators on the AWS, Azure, and VMware cloud platforms. InSpec can now cover additional perspectives that are essential to de-risking your infrastructure and application automation.

These three projects provide a preview of a shift in how InSpec will support additional platforms. In the next few months, InSpec will introduce support for the different perspectives required for holistic testing by extending functionality for arbitrary platforms into the core framework. That new functionality is expected to ship with the InSpec 2.0 release scheduled for later this year.

InSpec Community

In the meantime, we invite you to use these modules to assess the state of operations and information security in your cloud infrastructure. As always, we look forward to your feedback via the InSpec community, as well as the Slack channels and GitHub Issues for each project.

These projects would not have been possible without the contributions from our fantastic community members. Thank you all so much for your coding and testing. We deeply appreciate your dedication to quality while we work through many exciting use cases! Many additional interesting extensions and use cases are still waiting to be added. We invite you to participate in this journey by joining the InSpec community.

AWS

InSpec-AWS provides common resources needed to test objects in Amazon Web Services (AWS). It connects to the AWS API and exposes resources for multiple AWS services. For example, you can test that certain objects exist and are configured in a certain way:

control "aws-1" do
  impact 0.7
  title 'Checks the machine is running'

  describe ec2('my-ec2-machine') do
    it { should be_running }
  end
end

Azure

InSpec-Azure provides common resources needed to test objects in Microsoft Azure. It connects to the Azure API and contains methods to test different services. For example, you can verify that a virtual machine was built from the expected image:

control 'azure-1' do
  impact 1.0
  title 'Checks that the machine was built from the correct image'

  describe azure_virtual_machine(name: 'example-01', resource_group: 'MyResourceGroup') do
    its('sku') { should eq '16.04.0-LTS' }
    its('publisher') { should eq 'Canonical' }
    its('offer') { should eq 'UbuntuServer' }
  end
end

VMware

InSpec-VMware exposes many components of VMware vSphere/ESX and allows you to test that these components are configured as you expect. A number of interfaces are available, including host, switch, and firewall configuration. For example, you can check an advanced setting on a virtual machine:

control "vmware-1" do
  impact 0.7
  title 'Checks that soft power off is disabled'
  describe vmware_vm_advancedsetting({datacenter: 'ha-datacenter', vm: 'testvm'}) do
    its('softPowerOff') { should cmp 'false' }
  end
end

Dominik Richter

Dominik is an Engineering Manager on the Core Engineering team at Chef.