aws_s3_bucket_object resource
Use the aws_s3_bucket_object InSpec audit resource to test properties of a single AWS bucket object.
Each S3 Object has a ‘key’ which can be thought of as the name of the S3 Object which uniquely identifies it.
Syntax
An aws_s3_bucket_object resource block declares a bucket and an object key by name, and then lists tests to be performed.
describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_object_key') do
it { should exist }
it { should_not be_public }
end
Parameters
bucket_name (required)
The S3 Bucket Name which uniquely identifies the bucket. This must be passed as a bucket_name: 'value' key-value entry in a hash.
key (required)
The S3 Bucket Key which uniquely identifies the bucket object. This must be passed as a key: 'value' key-value entry in a hash.
See also the AWS documentation on S3 Buckets.
Properties
| Property | Description |
|---|---|
| bucket_name | The name of the bucket. |
| key | The key within the bucket. |
| content_length | Size of the body in bytes. |
| content_type | A standard MIME type describing the format of the object data. |
| object_acl | An array of AWS Grants detailing permission grants on the bucket object. |
There are also additional properties available. For a comprehensive list, see the API reference documentation.
Examples
Test an object’s object-level ACL
describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_key') do
its('object_acl.count') { should eq 1 }
end
Test an object’s size in bytes is less than 100000
describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_key') do
its('content_length') { should be < 1_000_000 }
end
Test an object’s type is “image/jpeg”
describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_key') do
its('content_type') { should eq "image/jpeg" }
end
Check to see if a object appears to be exposed to the public
describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_key') do
it { should_not be_public }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers (such as exist) please visit our matchers page.
be_public
The be_public matcher tests if the object has potentially insecure access controls. This high-level matcher detects several insecure conditions, which may be enhanced in the future. Currently, the matcher reports an insecure object if any of the following conditions are met:
- A object ACL grant exists for the ‘AllUsers’ group
- A object ACL grant exists for the ‘AuthenticatedUsers’ group
Note
it { should_not be_public }
AWS Permissions
Your Principal will need the s3:GetObject, and s3:GetObjectAcl actions set to allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon S3.
© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
The Chef™ Mark and Chef Logo are either registered trademarks/service marks or trademarks/servicemarks of Chef, in the United States and other countries and are used with Chef Inc's permission.
We are not affiliated with, endorsed or sponsored by Chef Inc.
https://docs.chef.io/inspec/resources/aws_s3_bucket_object/