AWS security group

Hello guys,

I’m new to InSpec, and while I read the documentation I’d like to know if someone can help me understand a few things. I’m focused on controls in AWS, more precisely controls for security groups. I have been working in a pretty dynamic AWS environment, so for me it wouldn’t work to have a list of static hosts, IPs or security group IDs; rather, I’m trying to understand how to use a sort of wildcards or “variables”. For instance, I’d like to put in place a control in which a target (source or destination) should be something like: 192.168.x.y/32:3306. I don’t care about the last two octets as long as the address starts with 192.168 and the port hit is 3306. Another thing: I’d like to know if I can use regular expressions to describe my target (IP), letting me stay flexible in terms of audit. Examples are welcome!

Thanks!

B.

Welcome! Plural resources (you can find more about them in the glossary) support providing a Ruby block. In this scenario, plural resources can be used to target by regex or any Ruby code in the block, and the singular resources can be used to do an in-depth test. One example of that can be found here:

First, yes, you can match on regexes in Chef InSpec. You can say things like:
its("string") { should match /regex/ }

For an IP address in an aws_security_group which you want to match in a network range, however, you have much more powerful tools. Change the CIDR range from 32 to 16, and say:

describe aws_security_group("sg-12345678") do
  it { should allow_in_only(ipv4_ranges: ["192.168.0.0/16"], port: 3306) }
end

See https://www.inspec.io/docs/reference/resources/aws_security_group/#allow_in for further details.
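
To make the difference between the two approaches in this thread concrete (a regex on the address string, as asked in the question, versus a CIDR range check, as suggested in the reply), here is an added plain-Ruby example. It is not code from any post here and not InSpec's own implementation: the inbound rules are constructed hashes shaped loosely like the cidr/from_port/to_port data a security group exposes, and the helper names are made up for this illustration. It audits the "source must be 192.168.x.y on port 3306" requirement both ways over the same rules.

```ruby
# Added example (not from the thread): checking "source must be 192.168.x.y on
# port 3306" against security-group inbound rules. Rule hashes are constructed
# sample data, not a live AWS call; helper names are hypothetical.
require "ipaddr"

# Constructed inbound rules for one hypothetical security group.
SAMPLE_RULES = [
  { cidr: "192.168.10.5/32", from_port: 3306, to_port: 3306 }, # inside 192.168/16
  { cidr: "192.168.0.0/16",  from_port: 3306, to_port: 3306 }, # exactly the allowed range
  { cidr: "192.168.0.0/15",  from_port: 3306, to_port: 3306 }, # string starts with 192.168 but also admits 192.169.x.x
  { cidr: "10.192.168.1/32", from_port: 3306, to_port: 3306 }, # contains "192.168" mid-string
  { cidr: "0.0.0.0/0",       from_port: 3000, to_port: 4000 }, # port range covering 3306, open to everyone
  { cidr: "0.0.0.0/0",       from_port: 443,  to_port: 443 },  # not in scope for a 3306 audit
].freeze

# Rules whose port range covers the port under audit.
def rules_for_port(rules, port)
  rules.select { |r| r[:from_port] <= port && port <= r[:to_port] }
end

# Regex approach: inspect only the CIDR string. Returns the CIDRs that fail.
# An unanchored /192\.168/ accepts "10.192.168.1/32"; even an anchored pattern
# cannot see that "/15" reaches beyond 192.168.0.0/16.
def regex_violations(rules, port, pattern = /\A192\.168\./)
  rules_for_port(rules, port).reject { |r| r[:cidr].match?(pattern) }.map { |r| r[:cidr] }
end

# CIDR containment: a rule passes only if every address it admits lies inside
# the allowed range, checked at both ends of the rule's address range.
def cidr_contained?(rule_cidr, allowed_cidr)
  allowed = IPAddr.new(allowed_cidr)
  rule_range = IPAddr.new(rule_cidr).to_range
  allowed.include?(rule_range.begin) && allowed.include?(rule_range.end)
end

# Returns the CIDRs of rules reaching `port` that are not contained in `allowed_cidr`.
def cidr_violations(rules, port, allowed_cidr = "192.168.0.0/16")
  rules_for_port(rules, port).reject { |r| cidr_contained?(r[:cidr], allowed_cidr) }.map { |r| r[:cidr] }
end

# Overall verdict for a control: no rule on the port may escape the allowed range.
def port_restricted_to?(rules, port, allowed_cidr)
  cidr_violations(rules, port, allowed_cidr).empty?
end

if __FILE__ == $PROGRAM_NAME
  puts "regex (unanchored) flags: #{regex_violations(SAMPLE_RULES, 3306, /192\.168/).inspect}"
  puts "regex (anchored) flags:   #{regex_violations(SAMPLE_RULES, 3306).inspect}"
  puts "CIDR containment flags:   #{cidr_violations(SAMPLE_RULES, 3306).inspect}"
  puts "3306 restricted to 192.168.0.0/16? #{port_restricted_to?(SAMPLE_RULES, 3306, '192.168.0.0/16')}"
end
```

The containment check also catches the wide port range (3000-4000) that happens to include 3306, which is why the port filter looks at from_port/to_port rather than an exact port value. When writing the InSpec control itself, the reply's advice to express the requirement as a range (192.168.0.0/16) rather than as a pattern over address strings corresponds to the `cidr_violations` side of this comparison.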

Hello,

Many thanks for your reply.
Unfortunately it doesn't work. First, I guess that ipv4_ranges should be replaced by ipv4_range, but even after changing this and using either allow_in or allow_in_only I get the same result.

My code:

  describe aws_security_group("sg-1111aaaabbbbcccc") do
    it { should allow_in(ipv4_range: ["172.16.0.0/16"], port: 5050) }
  end

  describe aws_security_group("sg-1111aaaabbbbcccc") do
    it { should allow_in_only(ipv4_range: ["172.16.0.0/16"], port: 5050) }
  end

Results:

×  SecurityGroupRulesBasicGeneric: Basic check of rule withn a SG
     ×  EC2 Security Group ID: sg-1111aaaabbbbcccc Name: MySecurityGroup VPC ID: vpc-01234567890 is expected to allow in {:ipv4_range=>["172.16.0.0/16"], :port=>5050}
     expected `EC2 Security Group ID: sg-1111aaaabbbbcccc Name: MySecurityGroup VPC ID: vpc-01234567890 .allow_in?({:ipv4_range=>["172.16.0.0/16"], :port=>5050})` to return true, got false
	 
  ×  SecurityGroupRulesBasicGeneric: Basic check of rule withn a SG
     ×  EC2 Security Group ID: sg-1111aaaabbbbcccc Name: MySecurityGroup VPC ID: vpc-01234567890  is expected to allow in only {:ipv4_range=>["172.16.0.0/16"], :port=>5050}
     expected `EC2 Security Group ID: sg-1111aaaabbbbcccc Name: MySecurityGroup VPC ID: vpc-01234567890 .allow_in_only?({:ipv4_range=>["172.16.0.0/16"], :port=>5050})` to return true, got false

Regards
B.