
aws_rds_clusters resource


Use the aws_rds_clusters InSpec audit resource to test properties of a collection of AWS RDS clusters.

RDS gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server.


Ensure you have exactly 3 clusters

describe aws_rds_clusters do
  # cluster_identifier is the property listed for this resource
  its('cluster_identifier.count') { should cmp 3 }
end


This resource does not expect any parameters.

See also the AWS documentation on RDS.


cluster_identifier: The unique IDs of the RDS clusters returned.
database_name: The name of the database associated with each RDS cluster.
cluster_members: The RDS instances attached to each RDS cluster.
engine: The name of the database engine used by each cluster.
engine_version: The version of the database engine used by each cluster.
status: The current status of each cluster.
allocated_storage: The storage allocated to each cluster.
storage_encrypted: Returns T/F whether the cluster is encrypted or not.
availability_zones: A list of availability zones of the RDS clusters returned.
multi_az: Returns T/F depending on whether multiple availability zones are used in the cluster.
arn: The unique Amazon resource name of the RDS clusters.


Ensure a specific cluster exists

describe aws_rds_clusters do
  its('cluster_identifier') { should include 'cluster-12345678' }
end

Test That All RDS Clusters Are Encrypted by ID

Use the aws_rds_clusters resource to collect the identifiers of all RDS clusters, then test each one in depth with aws_rds_cluster to ensure it is encrypted and has a sensible size.

aws_rds_clusters.cluster_identifier.each do |cluster_identifier|
  # one describe block per cluster, using the singular aws_rds_cluster resource
  describe aws_rds_cluster(cluster_identifier) do
    it { should have_encrypted_storage }
  end
end

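The same per-cluster policy (encrypted storage, plus the "sensible size" the text mentions and a Multi-AZ check) written as plain Ruby so it runs offline; this is an added example, not code from the InSpec AWS project, and the rows, identifiers and the MAX_ALLOCATED_GIB threshold are constructed assumptions shaped like the properties listed above.

```ruby
# Added example (not from the InSpec AWS project): the checks described in the
# section above as plain Ruby. Each row mimics one entry of the aws_rds_clusters
# resource, using the property names documented on this page.
MAX_ALLOCATED_GIB = 500 # assumed local policy threshold, not an AWS limit

# Constructed sample rows; identifiers and values are made up for the example.
SAMPLE_CLUSTERS = [
  { cluster_identifier: 'prod-aurora-1', engine: 'aurora-mysql',
    storage_encrypted: true,  multi_az: true,  allocated_storage: 1 },
  { cluster_identifier: 'legacy-pg-1',   engine: 'aurora-postgresql',
    storage_encrypted: false, multi_az: false, allocated_storage: 1 },
  { cluster_identifier: 'bulk-mysql-1',  engine: 'mysql',
    storage_encrypted: true,  multi_az: true,  allocated_storage: 900 },
].freeze

# Returns { cluster_identifier => [failed checks] }; an empty array means the
# cluster passed. This mirrors the describe blocks an InSpec control would run
# per cluster: encrypted storage, Multi-AZ, and an upper bound on size.
def audit_rds_clusters(rows, max_gib: MAX_ALLOCATED_GIB)
  rows.each_with_object({}) do |row, findings|
    failures = []
    # storage_encrypted is T/F per the page; a missing value is treated as a
    # failure so an unexpected API shape cannot silently pass the check.
    failures << 'storage not encrypted' unless row[:storage_encrypted] == true
    failures << 'not multi-AZ' unless row[:multi_az] == true
    if row[:allocated_storage].to_i > max_gib
      failures << "allocated_storage #{row[:allocated_storage]} GiB exceeds #{max_gib}"
    end
    findings[row[:cluster_identifier]] = failures
  end
end

# Identifiers with at least one failure: the list a control would report on.
def noncompliant_clusters(rows, **opts)
  audit_rds_clusters(rows, **opts).reject { |_, failures| failures.empty? }.keys
end

if __FILE__ == $PROGRAM_NAME
  audit_rds_clusters(SAMPLE_CLUSTERS).each do |id, failures|
    puts "#{id}: #{failures.empty? ? 'ok' : failures.join(', ')}"
  end
end
```

In a real profile the rows come from aws_rds_clusters.entries, and each failure above corresponds to one failing describe block per cluster.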

For a full list of available matchers, please visit our Universal Matchers page.


The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

describe aws_rds_clusters do
  it { should exist }
end

describe aws_rds_clusters do
  it { should_not exist }
end

Your principal will need the ec2:Describeclusters and iam:GetInstanceProfile actions set to allow. You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2, and Actions, Resources, and Condition Keys for Identity and Access Management.
