As of Chef InSpec 2.0, we have expanded our platform support beyond individual machines and now include support for select AWS and Azure resources.
Chef InSpec provides resources for auditing properties of your cloud infrastructure - for example, an Amazon Web Services S3 bucket.
Chef InSpec uses the standard AWS authentication mechanisms. Typically, you will create an IAM user specifically for auditing activities.
You may provide the credentials to Chef InSpec by setting the following environment variables: AWS_REGION, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. You may also use AWS_PROFILE, or if you are using MFA, AWS_SESSION_TOKEN. See the AWS Command Line Interface Docs for details.
Once you have your environment variables set, you can verify your credentials by running:
$ inspec detect -t aws://
== Platform Details
Name: aws
Families: cloud, api
Release: aws-sdk-v2.10.125
Look for a file in your home directory named ~/.aws/credentials. If it does not exist, create it. Choose a name for your profile; here, we’re using the name ‘auditing’. Add your credentials as a new profile, in INI format:
[auditing]
aws_access_key_id = AKIA....
aws_secret_access_key = 1234....abcd
You may now run Chef InSpec using the --target / -t option, using the format -t aws://region/profile. For example, to connect to the Ohio region using a profile named ‘auditing’, use -t aws://us-east-2/auditing.
To verify your credentials, run
$ inspec detect -t aws://
== Platform Details
Name: aws
Families: cloud, api
Release: aws-sdk-v2.10.125
To use Chef InSpec Azure resources, you will need to create a Service Principal Name (SPN) for auditing an Azure subscription.
This can be done on the command line or from the Azure Portal.
The information from the SPN can be specified either in the file ~/.azure/credentials, as environment variables, or by using Chef InSpec target URIs.
By default, Chef InSpec is configured to look at ~/.azure/credentials, and it should contain:
[<SUBSCRIPTION_ID>]
client_id = "<CLIENT_ID>"
client_secret = "<CLIENT_SECRET>"
tenant_id = "<TENANT_ID>"
Note: In the Azure web portal, these values are labeled differently.
With the credentials in place, you may now execute InSpec:
inspec exec my-inspec-profile -t azure://
You may also set the Azure credentials via environment variables:
AZURE_SUBSCRIPTION_ID
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_TENANT_ID
For example:
AZURE_SUBSCRIPTION_ID="2fbdbb02-df2e-11e6-bf01-fe55135034f3" \
AZURE_CLIENT_ID="58dc4f6c-df2e-11e6-bf01-fe55135034f3" \
AZURE_CLIENT_SECRET="Jibr4iwwaaZwBb6W" \
AZURE_TENANT_ID="6ad89b58-df2e-11e6-bf01-fe55135034f3" inspec exec my-profile -t azure://
If you have created a ~/.azure/credentials file as above, you may also use the Chef InSpec command line --target / -t option to select a subscription ID. For example:
inspec exec my-profile -t azure://2fbdbb02-df2e-11e6-bf01-fe55135034f3
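The AWS profile file and the Azure credentials file above share one INI shape. As an added example that is not part of the Chef InSpec docs, this POSIX sh snippet reads a named AWS profile or Azure subscription section from such a file, confirms the keys the page lists are present, and builds the matching -t target URI without printing any secret. The function names, file paths and placeholder values are assumptions for the example.

```shell
# Added example, not part of the Chef InSpec docs: read the AWS and Azure
# credential files described above and derive the -t target URI from them,
# checking that every key the page lists is present. Assumes POSIX sh + awk.

# ini_get FILE SECTION KEY: print KEY's value in [SECTION]; accepts the bare
# values of the AWS file and the "quoted" values of the Azure file.
ini_get() {
  awk -v sect="$2" -v key="$3" '
    /^[ \t]*\[.*\][ \t]*$/ {
      s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
      in_sect = (s == sect); next
    }
    in_sect && $0 ~ "^[ \t]*" key "[ \t]*=" {
      v = $0; sub(/^[^=]*=[ \t]*/, "", v)
      gsub(/^"|"[ \t]*$/, "", v)
      print v; exit
    }' "$1"
}

# aws_target FILE PROFILE REGION: aws://REGION/PROFILE if PROFILE has both keys
aws_target() {
  [ -n "$(ini_get "$1" "$2" aws_access_key_id)" ] || return 1
  [ -n "$(ini_get "$1" "$2" aws_secret_access_key)" ] || return 1
  printf 'aws://%s/%s\n' "$3" "$2"
}

# azure_target FILE SUBSCRIPTION_ID: azure://SUBSCRIPTION_ID if all three keys exist
azure_target() {
  for k in client_id client_secret tenant_id; do
    [ -n "$(ini_get "$1" "$2" "$k")" ] || return 1
  done
  printf 'azure://%s\n' "$2"
}
# Constructed sample files with placeholder values (not real credentials).
AWS_CREDS=$(mktemp); AZ_CREDS=$(mktemp)
cat >"$AWS_CREDS" <<'EOF'
[auditing]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = examplePlaceholderSecretKey
EOF
cat >"$AZ_CREDS" <<'EOF'
[00000000-0000-0000-0000-000000000000]
client_id = "11111111-1111-1111-1111-111111111111"
client_secret = "examplePlaceholderSecret"
tenant_id = "22222222-2222-2222-2222-222222222222"
EOF
chmod 600 "$AWS_CREDS" "$AZ_CREDS"   # credential files must stay owner-only
aws_target "$AWS_CREDS" auditing us-east-2      # prints aws://us-east-2/auditing
azure_target "$AZ_CREDS" 00000000-0000-0000-0000-000000000000
```

Point the functions at your real ~/.aws/credentials or ~/.azure/credentials and feed the printed URI to the -t option shown above.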
To use Chef InSpec GCP resources, you will need to install and configure the Google Cloud SDK. Instructions for this prerequisite can be found in the Google Cloud SDK documentation. Be sure that your InSpec installation is the latest version. The minimal required InSpec version is 3.0.25.
The GCP resources are distributed as the inspec-gcp resource pack. With an InSpec version above 4.0.0, it is possible to create a profile with the following command:
$ inspec init profile --platform gcp my-profile
Create new profile at /Users/me/my-profile
* Creating directory libraries
* Creating file README.md
* Creating directory controls
* Creating file controls/example.rb
* Creating file inspec.yml
* Creating file inputs.yml
* Creating file libraries/.gitkeep
Assuming the inputs.yml file contains your GCP project ID, this sample profile can then be executed using the following command:
inspec exec my-profile --input-file=my-profile/inputs.yml -t gcp://
While InSpec can use user accounts for authentication, Google Cloud documentation recommends using service accounts. Following GCP best practices, first create a service account with the scopes appropriate for your needs. See these instructions on creating a service account.
Then, download the credential JSON file, e.g. project-credentials.json, to your workspace and run the following command to activate your service account:
gcloud auth activate-service-account --key-file project-credentials.json
You may also point Chef InSpec at the GCP credentials JSON file via the GOOGLE_APPLICATION_CREDENTIALS environment variable:
export GOOGLE_APPLICATION_CREDENTIALS='/Users/me/.config/gcloud/myproject-1-feb7993e8660.json'
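As an added check that is not part of the Chef InSpec docs: before exporting GOOGLE_APPLICATION_CREDENTIALS, this POSIX sh function verifies that the key file exists, is readable only by its owner, and carries the service_account fields a downloaded key file contains. The function name and the sample key are assumptions for the example; the JSON checks are deliberately shallow (grep, no jq).

```shell
# Added example, not part of the Chef InSpec docs: sanity-check the key file
# named by GOOGLE_APPLICATION_CREDENTIALS before running inspec against gcp://.
# Assumes POSIX sh, ls and grep; the JSON checks are deliberately shallow.

# gcp_key_check FILE: return 0 if FILE is an owner-only service-account key;
# print one line per failed check and return 1 otherwise.
gcp_key_check() {
  f=$1; rc=0
  [ -f "$f" ] || { echo "no such key file: $f"; return 1; }
  # group- or world-readable key files expose the account to other local users
  case "$(ls -ld "$f" | cut -c5-10)" in
    *r*) echo "key file is group- or world-readable: $f"; rc=1 ;;
  esac
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$f" ||
    { echo "type is not service_account"; rc=1; }
  grep -q '"client_email"[[:space:]]*:[[:space:]]*"[^"]*@[^"]*"' "$f" ||
    { echo "missing client_email"; rc=1; }
  grep -q '"private_key"[[:space:]]*:[[:space:]]*"-----BEGIN PRIVATE KEY-----' "$f" ||
    { echo "missing private_key"; rc=1; }
  return $rc
}

# Constructed sample key with placeholder contents (not a real key).
GCP_KEY=$(mktemp)
cat >"$GCP_KEY" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "PLACEHOLDER",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "auditor@example-project.iam.gserviceaccount.com"
}
EOF
chmod 600 "$GCP_KEY"
if gcp_key_check "$GCP_KEY"; then
  export GOOGLE_APPLICATION_CREDENTIALS="$GCP_KEY"
  echo "key looks usable; now run: inspec detect -t gcp://"
fi
```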
Once you have your environment variables set, you can verify your credentials by running:
$ inspec detect -t gcp://
== Platform Details
Name: gcp
Families: cloud, api
Release: google-cloud-v
© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
https://docs.chef.io/inspec/platforms/