Skip to main content

aws_ebs_volume resource

[edit on GitHub]

Use the aws_ebs_volume InSpec audit resource to test properties of a single AWS EBS volume.

Syntax

Ensure an EBS exists

describe aws_ebs_volume('vol-01a2349e94458a507') do
  it { should exist }
end

You may also use hash syntax to pass the EBS volume name

describe aws_ebs_volume(name: 'data-vol') do
  it { should exist }
end

Parameters

This resource accepts a single parameter, either the EBS Volume name or id. At least one must be provided.

volume_id (required if name not provided)

The EBS Volume ID which uniquely identifies the volume. This can be passed as either a string or an volume_id: 'value' key-value entry in a hash.

name (required if volume_id not provided)

The EBS Volume Name which uniquely identifies the volume. This must be passed as a name: 'value' key-value entry in a hash.

See also the AWS documentation on EBS.

Properties

PropertyDescription
availability_zoneThe Availability Zone for the volume.
encryptedIndicates whether the volume will be encrypted.
iopsThe number of I/O operations per second (IOPS) that the volume supports.
kms_key_idThe full ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the volume encryption key for the volume.
sizeThe size of the volume, in GiBs.
snapshot_idThe snapshot from which the volume was created, if applicable.
statusThe volume state.
volume_typeThe volume type.

Examples

Test that an EBS Volume does not exist

describe aws_ebs_volume(name: 'data_vol') do
  it { should_not exist }
end

Test that an EBS Volume is encrypted

describe aws_ebs_volume(name: 'secure_data_vol') do
  it { should be_encrypted }
end

Test that an EBS Volume the correct size

describe aws_ebs_volume(name: 'data_vol') do
  its('size') { should cmp 32 }
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

describe aws_ebs_volume(name: 'data_vol') do
  it { should exist }
end

describe aws_ebs_volume(name: 'data_vol') do
  it { should_not exist }
end

be_encrypted

The be_encrypted matcher tests if the described EBS Volume is encrypted.

it { should be_encrypted }

AWS Permissions

Your Principal will need the ec2:DescribeVolumes, and iam:GetInstanceProfile actions set to allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2, and Actions, Resources, and Condition Keys for Identity And Access Management.