aws_network_firewall_firewall_policy Resource
Use the aws_network_firewall_firewall_policy
InSpec audit resource to test properties of a single specific AWS Network Firewall policy.
The firewall defines the configuration settings for an AWS Network Firewall firewall. The settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall AWS resource.
For additional information, including details on parameters and properties, see the AWS documentation on AWS Network Firewall Firewall.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
Ensure that the firewall exists.
describe aws_network_firewall_firewall_policy(firewall_policy_name: 'FIREWALL_POLICY_NAME') do
it { should exist }
end
Parameters
firewall_policy_name
(required)The descriptive name of the firewall.
Properties
update_token
- A token used for optimistic locking.
firewall_policy_response.firewall_policy_name
- The descriptive name of the firewall policy.
firewall_policy_response.firewall_policy_arn
- The Amazon Resource Name (ARN) of the firewall policy.
firewall_policy_response.firewall_policy_id
- The unique identifier for the firewall policy.
firewall_policy_response.description
- A description of the firewall policy.
firewall_policy_response.firewall_policy_status
- The current status of the firewall policy.
firewall_policy_response.tags
- The key:value pairs to associate with the resource.
firewall_policy.stateless_rule_group_references
- References to the stateless rule groups that are used in the policy.
firewall_policy.stateless_rule_group_references.first.resource_arn
- The Amazon Resource Name (ARN) of the stateless rule group.
firewall_policy.stateless_rule_group_references.first.priority
- An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy.
firewall_policy.stateless_default_actions
- The actions to take on a fragmented UDP packet if it doesn’t match any of the stateless rules in the policy.
firewall_policy.stateless_fragment_default_actions
- The actions to take on a fragmented UDP packet if it doesn’t match any of the stateless rules in the policy.
firewall_policy.stateless_custom_actions
- The custom action definitions that are available for use in the firewall policy’s StatelessDefaultActions setting.
firewall_policy.stateless_custom_actions.first.action_name
- The descriptive name of the custom action.
firewall_policy.stateless_custom_actions.first.action_definition.publish_metric_action.dimensions
- The value to use in an Amazon CloudWatch custom metric dimension.
firewall_policy.stateful_rule_group_references
- References to the stateless rule groups that are used in the policy.
firewall_policy.stateful_rule_group_references.first.resource_arn
- The Amazon Resource Name (ARN) of the stateful rule group.
Examples
Ensure a update token is available.
describe aws_network_firewall_firewall_policy(firewall_policy_name: 'FIREWALL_POLICY_NAME') do
its('update_token') { should eq 'UPDATE_TOKEN' }
end
Ensure a policy name is available.
describe aws_network_firewall_firewall_policy(firewall_policy_name: 'FIREWALL_POLICY_NAME') do
its('firewall_policy_response.firewall_policy_name') { should eq 'FIREWALL_POLICY_NAME' }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
The controls will pass if the describe
method returns at least one result.
exist
Use should
to test that the entity exists.
describe aws_network_firewall_firewall_policy(firewall_policy_name: 'FIREWALL_POLICY_NAME') do
it { should exist }
end
Use should_not
to test the entity does not exist.
describe aws_network_firewall_firewall_policy(firewall_policy_name: 'FIREWALL_POLICY_NAME') do
it { should_not exist }
end
be_available
Use should
to check if the entity is available.
describe aws_network_firewall_firewall_policy(firewall_policy_name: 'FIREWALL_POLICY_NAME') do
it { should be_available }
end
AWS Permissions
Your Principal will need the NetworkFirewall:Client:DescribeFirewallPolicyResponse
action with Effect
set to Allow
.
Was this page helpful?