Skip to main content

aws_rds_db_security_group resource

Use the aws_rds_db_security_group InSpec audit resource to test properties of a single Amazon Relational Database Service (RDS) database security group.

For additional information, including details on parameters and properties, see the AWS documentation on the AWS::RDS::DBSecurityGroup resource.

Syntax

Ensure that the security group exists.

describe aws_rds_db_security_group(db_security_group_name: 'DB_SECURITY_GROUP_NAME') do
  it { should exist }
end

Parameters

db_security_group_name (required)

The identifier for the security group.

Properties

owner_id
Provides the Amazon Web Services ID of the owner of a specific DB security group.

Field: owner_id

db_security_group_name
Specifies the name of the DB security group.

Field: db_security_group_name

db_security_group_description
Provides the description of the DB security group.

Field: db_security_group_description

vpc_id
Provides the VpcId of the DB security group.

Field: vpc_id

ec2_security_groups
Contains a list of EC2SecurityGroup elements.

Field: ec2_security_groups

ec2_security_group_statuses
Provides the status of the EC2 security group. Status can be “authorizing”, “authorized”, “revoking”, and “revoked”.

Field: ec2_security_group (status)

ec2_security_group_names
Specifies the name of the EC2 security group.

Field: ec2_security_group_name

ec2_security_group_ids
pecifies the id of the EC2 security group.

Field: ec2_security_group_id

ec2_security_group_owner_ids
pecifies the Amazon Web Services ID of the owner of the EC2 security group specified in the EC2SecurityGroupName field.

Field: ec2_security_group_owner_id

ip_ranges_statuses
Specifies the status of the IP range. Status can be “authorizing”, “authorized”, “revoking”, and “revoked”.

Field: ip_ranges (status)

ip_ranges_cidrips
Specifies the IP range.

Field: cidrip

db_security_group_arn
The Amazon Resource Name (ARN) for the DB security group.

Field: db_security_group_arn

Examples

Ensure a security group name is available:

describe aws_rds_db_security_group(db_security_group_name: 'DB_SECURITY_GROUP_NAME') do
  its('db_security_group_name') { should eq 'DB_SECURITY_GROUP_NAME' }
end

Ensure a security group description is available:

describe aws_rds_db_security_group(db_security_group_name: 'DB_SECURITY_GROUP_NAME') do
  its('db_security_group_description') { should eq 'DB_SECURITY_GROUP_DESCRIPTION' }
end

Ensure a status is authorized:

describe aws_rds_db_security_group(db_security_group_name: 'DB_SECURITY_GROUP_NAME') do
  its('ec2_security_group_statuses') { should include 'authorized' }
end

Matchers

For a full list of available matchers, see our Universal Matchers page.

The controls will pass if the describe method returns at least one result.

exist

Use should to test that the entity exists.

describe aws_rds_db_security_group(db_security_group_name: 'DB_SECURITY_GROUP_NAME') do
  it { should exist }
end

Use should_not to test the entity does not exist.

describe aws_rds_db_security_group(db_security_group_name: 'DB_SECURITY_GROUP_NAME') do
  it { should_not exist }
end

be_available

Use should to check if the entity is available.

describe aws_rds_db_security_group(db_security_group_name: 'DB_SECURITY_GROUP_NAME') do
  it { should be_available }
end

AWS Permissions

Your AWS principal will need the RDS:Client:DescribeDBSecurityGroup action with Effect set to Allow.

Thank you for your feedback!

×