Updates needed to fully support the CIS AWS Foundations Benchmark v2.0.0

.gitignore

@@ -5,6 +5,7 @@
 Gemfile.lock
 inspec.lock
 .kitchen
+*.code-workspace
 *.plan
 *.tfstate*
 local

Gemfile

@@ -1,6 +1,6 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
-gem 'bundle'
+gem "bundle"
 # Note that 'aws-sdk' pulls in a large number of libraries, choose explicitly those to include instead
 # gem 'aws-sdk', '~> 3'
 #
@@ -11,9 +11,10 @@ gem 'bundle'
 # In the mean time the gem can be added here for local development
 
 # Use Latest Inspec
-gem 'inspec-bin'
+gem "inspec-bin"
+gem "train-aws", git: 'https://github.com/mitre/train-aws.git', branch: 'al/dep-updates'
 
-gem 'rubocop', '~> 1.25.1', require: false
+gem "rubocop", "~> 1.25.1", require: false
 
 group :test do
   gem "chefstyle", "~> 2.2.2"
@@ -22,7 +23,7 @@ group :test do
 end
 
 group :development do
-  gem 'rake'
-  gem 'minitest'
-  gem 'pry-byebug'
+  gem "rake"
+  gem "minitest"
+  gem "pry-byebug"
 end

Makefile

@@ -25,4 +25,5 @@ shell_tester:
 	docker-compose run --rm --entrypoint bash tester
 
 logout:
-		docker-compose run --rm aws rm -rf /app/.aws
+	docker-compose run --rm aws rm -rf /app/.aws
+

docs-chef-io/content/inspec/resources/aws_alternate_contact.md

@@ -0,0 +1,113 @@
++++
+title = "aws_alternate_contact Resource"
+platform = "aws"
+draft = false
+gh_repo = "inspec-aws"
+
+[menu.inspec]
+title = "aws_alternate_contact"
+identifier = "inspec/resources/aws/aws_alternate_contact Resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_alternate_contact` InSpec audit resource to test properties of the alternate contact information associated with your account.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the alternate contact information associated with your account](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact-alternate.html). Technical details on the data structure can be found for the [api documentation.](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Account/Client.html#get_contact_information-instance_method)
+
+## Installation
+
+{{% inspec_aws_install %}}
+
+## Syntax
+
+The `aws_alternate_contact` resource allows the testing of the alternate contact information associated with your account.
+
+```ruby
+describe aws_alternate_contact do
+  it { should exist }
+end
+```
+
+## Parameters
+
+`type` _(required)_
+
+: This resource accepts a single parameter, the type of the alternate contact type.
+  This can be passed either as a string or as a `type: 'value'` key-value entry in a hash. Valid types are 'billing', 'operations' and 'security'
+
+## Properties
+
+
+`api_response` (Struct) 
+: Returns the api response from our call to the aws api as a struct.
+
+`raw_data` (Hash)
+: Returns a transformed Hash of Strings of the data associated with the alternate contact.
+
+`aws_account_id` (String)
+: 12-digit account ID number of the Amazon Web Services account associated with the alternate contact.
+
+`name` (String)
+: Specifies the full name of the alternate contact.
+
+`title` (String)
+: Specifies the full name of the alternate contact.
+
+`email_address` (String)
+: Specifies the full name of the alternate contact.
+
+`phone_number` (String)
+: Specifies the phone number associated with the alternate contact.
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+**Test that a alternate contact exists for the aws account.**
+
+```ruby
+describe aws_alternate_contact do
+  it { should exist }
+end
+```
+
+**Test that the alternate contact is set and the values for its full name and first address line are set as expected.**
+
+```ruby
+describe aws_alternate_contact(type: 'billing') do
+  it { should be_configured }
+  its('name') { should cmp 'John Smith' }
+  its('title') { should cmp 'Money Guy' }
+end
+```
+```ruby
+describe aws_alternate_contact('security') do
+  it { should exist }
+  its('name') { should cmp 'Jane Smith' }
+  its('title') { should cmp 'Security Gal' }
+end
+```
+
+## Matchers
+
+{{% inspec_matchers_link %}}
+
+### exist (alias of configured)
+
+Use `should` to test if the aws account has a alternate contact configured.
+
+```ruby
+it { should exist }
+```
+
+### configured
+
+The `configured` matcher tests if the described alternate contact is set and configured for the aws account by returning `true` if the api response is not null or data exists in the raw data.
+
+```ruby
+it { should be_configured }
+```
+
+## AWS Permissions
+
+{{% aws_permissions_principal action="Aws::Account::Types::GetAlternateContactResponse" %}}

docs-chef-io/content/inspec/resources/aws_billing_contact.md

@@ -0,0 +1,103 @@
++++
+title = "aws_billing_contact Resource"
+platform = "aws"
+draft = false
+gh_repo = "inspec-aws"
+
+[menu.inspec]
+title = "aws_billing_contact"
+identifier = "inspec/resources/aws/aws_billing_contact Resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_billing_contact` InSpec audit resource to test properties of the billing contact information associated with your account.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the billing contact information associated with your account](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact-billing.html). Technical details on the data structure can be found for the [api documentation.](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Account/Client.html#get_contact_information-instance_method)
+
+## Installation
+
+{{% inspec_aws_install %}}
+
+## Syntax
+
+The `aws_billing_contact` resource allows the testing of the billing contact information associated with your account.
+
+```ruby
+describe aws_billing_contact do
+  it { should exist }
+end
+```
+
+## Parameters
+
+This resources does not take any parameters at this time.
+
+## Properties
+
+
+`api_response` (Struct) 
+: Returns the api response from our call to the aws api as a struct.
+
+`raw_data` (Hash)
+: Returns a transformed Hash of Strings of the data associated with the billing contact.
+
+`aws_account_id` (String)
+: 12-digit account ID number of the Amazon Web Services account associated with the billing contact.
+
+`name` (String)
+: Specifies the full name of the billing contact.
+
+`title` (String)
+: Specifies the full name of the billing contact.
+
+`email_address` (String)
+: Specifies the full name of the billing contact.
+
+`phone_number` (String)
+: Specifies the phone number associated with the billing contact.
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+**Test that a billing contact exists for the aws account.**
+
+```ruby
+describe aws_billing_contact do
+  it { should exist }
+end
+```
+
+**Test that the billing contact is set and the values for its full name and first address line are set as expected.**
+
+```ruby
+describe aws_billing_contact do
+  it { should be_configured }
+  its('name') { should cmp 'John Smith' }
+  its('title') { should cmp 'Money Guy' }
+end
+```
+
+## Matchers
+
+{{% inspec_matchers_link %}}
+
+### exist (alias of configured)
+
+Use `should` to test if the aws account has a billing contact configured.
+
+```ruby
+it { should exist }
+```
+
+### configured
+
+The `configured` matcher tests if the described billing contact is set and configured for the aws account by returning `true` if the api response is not null or data exists in the raw data.
+
+```ruby
+it { should be_configured }
+```
+
+## AWS Permissions
+
+{{% aws_permissions_principal action="Aws::Account::Types::GetAlternateContactResponse" %}}

docs-chef-io/content/inspec/resources/aws_cloudtrail_trail.md

@@ -130,6 +130,15 @@ describe aws_cloudtrail_trail('TRAIL_NAME') do
 end
 ```
 
+**Test if a trail is monitoring an AWS object type:**
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+  it { should be_monitoring_read("AWS::S3::Object") }
+  it { should be_monitoring_write("AWS::S3::Object") }
+end
+```
+
 ## Matchers
 
 {{% inspec_matchers_link %}}
@@ -192,6 +201,26 @@ describe aws_cloudtrail_trail('TRAIL_NAME') do
 end
 ```
 
+### be_monitoring_read
+
+The test will pass if the identified trail is monitoring read events on the given AWS object type (if the trail is only monitoring one ARN of that object type, the test will fail).
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+  it { should be_monitoring_read("AWS::S3::Object") }
+end
+```
+
+### be_monitoring_write
+
+The test will pass if the identified trail is monitoring write events on the given AWS object type (if the trail is only monitoring one ARN of that object type, the test will fail).
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+  it { should be_monitoring_write("AWS::S3::Object") }
+end
+```
+
 ## AWS Permissions
 
 {{% aws_permissions_principal action="CloudTrail:Client:DescribeTrailsResponse" %}}

docs-chef-io/content/inspec/resources/aws_ec2_instance.md

@@ -80,6 +80,9 @@ One of either the EC2 instance's ID or name must be be provided.
 
 There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Instance.html)
 
+`instance`
+: A hash containing all the data collected about the EC2.
+
 ## Examples
 
 **Test that an EC2 instance is running.**