Skip to main content

aws_rds_instances resource

[edit on GitHub]

Use the aws_rds_instances InSpec audit resource to test properties of a collection of AWS RDS instances.

RDS gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server.

RDS instances are compute instances used by the RDS service.

Syntax

Ensure you have exactly 3 instances

describe aws_rds_instances do
  its('db_instance_identifiers.count') { should cmp 3 }
end

Parameters

This resource does not expect any parameters.

See also the AWS documentation on RDS.

Properties

PropertyDescription
db_instance_identifiersThe unique IDs of the RDS Instances returned.
entriesProvides access to the raw results of the query, which can be treated as an array of hashes.

Examples

Ensure a specific instance exists

describe aws_rds_instances do
  its('db_instance_identifiers') { should include 'rds-12345678' }
end

Test That All Rds Instances Are Encrypted by Id

Use the InSpec resource to request the IDs of all RDS instances, then test in-depth using aws_rds_instance to ensure all instances are encrypted and have a sensible size.

aws_rds_instances.db_instance_identifiers.each do |db_instance_identifier|
  describe aws_rds_instance(db_instance_identifier) do
    it { should be_encrypted }
  end
end

Matchers

For a full list of available matchers, please visit our Universal Matchers page.

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

describe aws_rds_instances do
  it { should exist }
end

describe aws_rds_instances do
  it { should_not exist }
end

Your Principal will need the ec2:DescribeInstances, and iam:GetInstanceProfile actions set to allow. You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2, and Actions, Resources, and Condition Keys for Identity And Access Management.