aws_ebs_volume resource
Use the aws_ebs_volume InSpec audit resource to test properties of a single AWS EBS volume.
Syntax
Ensure an EBS exists
describe aws_ebs_volume('vol-01a2349e94458a507') do
it { should exist }
end
You may also use hash syntax to pass the EBS volume name
describe aws_ebs_volume(name: 'data-vol') do
it { should exist }
end
Parameters
This resource accepts a single parameter, either the EBS Volume name or id. At least one must be provided.
volume_id (required if name not provided)
The EBS Volume ID which uniquely identifies the volume.
This can be passed as either a string or an volume_id: 'value' key-value entry in a hash.
name (required if volume_id not provided)
The EBS Volume Name which uniquely identifies the volume.
This must be passed as a name: 'value' key-value entry in a hash.
See also the AWS documentation on EBS.
Properties
| Property | Description |
|---|---|
| availability_zone | The Availability Zone for the volume. |
| encrypted | Indicates whether the volume will be encrypted. |
| iops | The number of I/O operations per second (IOPS) that the volume supports. |
| kms_key_id | The full ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the volume encryption key for the volume. |
| size | The size of the volume, in GiBs. |
| snapshot_id | The snapshot from which the volume was created, if applicable. |
| status | The volume state. |
| volume_type | The volume type. |
Examples
Test that an EBS Volume does not exist
describe aws_ebs_volume(name: 'data_vol') do
it { should_not exist }
end
Test that an EBS Volume is encrypted
describe aws_ebs_volume(name: 'secure_data_vol') do
it { should be_encrypted }
end
Test that an EBS Volume the correct size
describe aws_ebs_volume(name: 'data_vol') do
its('size') { should cmp 32 }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.
exist
The control will pass if the describe returns at least one result.
Use should_not to test the entity should not exist.
describe aws_ebs_volume(name: 'data_vol') do
it { should exist }
end
describe aws_ebs_volume(name: 'data_vol') do
it { should_not exist }
end
be_encrypted
The be_encrypted matcher tests if the described EBS Volume is encrypted.
it { should be_encrypted }
AWS Permissions
Your Principal will need the ec2:DescribeVolumes, and iam:GetInstanceProfile actions set to allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2, and Actions, Resources, and Condition Keys for Identity And Access Management.