This repository has been archived by the owner on Jan 8, 2024. It is now read-only.

title: About the aws_guardduty_detector Resource
platform: aws

Requirements

Train AWS version 0.1.18 or newer is required for this resource.

aws_guardduty_detector

Use the aws_guardduty_detector InSpec audit resource to test properties of a single AWS GuardDuty Detector.

Syntax

An aws_guardduty_detector resource block declares the tests for a single AWS GuardDuty Detector, identified by its detector ID.

describe aws_guardduty_detector(detector_id: '12abc34d567e8fa901bc2d34e56789f0') do
  it { should exist }
end

Parameters

detector_id (required)

This resource accepts a single parameter, the GuardDuty Detector ID. This can be passed either as a string or as a detector_id: 'value' key-value entry in a hash.

See also the AWS documentation on GuardDuty Detectors.

Properties

| Property | Description |
| --- | --- |
| created_at | The timestamp of when the detector was created. |
| data_sources | An object that describes which data sources are enabled for the detector. |
| finding_publishing_frequency | The publishing frequency of the finding. |
| service_role | The GuardDuty service role. |
| status | The detector status. Status should be either ENABLED or DISABLED. |
| tags | The tags of the detector resource. |
| updated_at | The last-updated timestamp for the detector. |

There are also additional properties available. For a comprehensive list, see the API reference documentation.

Examples

Check the publishing frequency of a Detector

describe aws_guardduty_detector(detector_id: '12abc34d567e8fa901bc2d34e56789f0') do
  its('finding_publishing_frequency') { should eq "SIX_HOURS" }
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

be_enabled

The be_enabled matcher tests if the status of the detector is enabled.

describe aws_guardduty_detector(detector_id: 'detector-id-1234') do
  it { should be_enabled }
end

describe aws_guardduty_detector(detector_id: 'detector-id-6789') do
  it { should_not be_enabled }
end

exist

The control will pass if the describe returns at least one result.

Use should_not to test that the entity does not exist.

describe aws_guardduty_detector(detector_id: '12abc34d567e8fa901bc2d34e56789f0') do
  it { should exist }
end

describe aws_guardduty_detector(detector_id: '809abz34d567e8fa91bc2d34e56789f5') do
  it { should_not exist }
end

AWS Permissions

Your Principal will need the guardduty:GetDetector action.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon GuardDuty.
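
A least-privilege IAM policy for the principal that runs these controls, as an added example that is not part of the original documentation: it allows only guardduty:GetDetector, scoped to a single detector. REGION, ACCOUNT_ID and DETECTOR_ID in the ARN are placeholders to replace with your own values, and the Sid is an arbitrary label.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleInSpecReadGuardDutyDetector",
      "Effect": "Allow",
      "Action": "guardduty:GetDetector",
      "Resource": "arn:aws:guardduty:REGION:ACCOUNT_ID:detector/DETECTOR_ID"
    }
  ]
}
```

Scoping Resource to the detector ARN keeps the audit principal from reading detectors outside the one under test.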