aws_organizations_member resource

[edit on GitHub]

Use the aws_organizations_member InSpec audit resource to test the current AWS Account being used within an organization.

Syntax

An aws_organizations_member resource block tests if the current AWS Account is the Master Account.

The master matcher will return true or false accordingly. You may also verify that the master_account_id and master_account_arn properties match known values.

If the current AWS Account is the Master Account, you may also access properties of that account.

describe aws_organizations_member do
    it { should exist }
end

Parameters

This resource does not expect any parameters.

Note

This resource must target AWS Region us-east-1. If another region is specified in your configuration, it will be overwritten at runtime.

Properties

Property Description
master_account_id The ID of the AWS Organizations Master Account
master_account_arn The ARN of the AWS Organizations Master Account

If the current Account is the Master Account, the following properties are also available:

Property Description
account_id The ID of the current Account.
account_arn The ARN of the current Account.
account_name The Name of the current Account.
account_email The Email address associated with the current Account.

Examples

Ensure you are a child account with a certain ID for the top level account.

describe aws_organizations_member do
  it                       { should_not be_master }
  its('master_account_id') { should cmp '56845218745' }
end

Ensure you are the top level account, with the right name and email associated.

describe aws_organizations_member do
  it                   { should be_master }
  its('account_name')  { should eq 'MyAWSMasterAccount' }
  its('account_email') { should eq '[email protected]' }
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

be_master

The be_master matcher tests if the account is a ‘master’ AWS Account.

it { should_not be_master }

exist

The control will pass if the describe returns at least one result.

it { should exist }

© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
The Chef™ Mark and Chef Logo are either registered trademarks/service marks or trademarks/servicemarks of Chef, in the United States and other countries and are used with Chef Inc's permission.
We are not affiliated with, endorsed or sponsored by Chef Inc.
https://docs.chef.io/inspec/resources/aws_organizations_member/