Skip to main content

aws_rds_snapshot_attributes Resource

Use the aws_rds_snapshotattributes InSpec audit resource to test the detailed properties of an individual RDS snapshot attrbutes.

For additional information, including details on parameters and properties, see the AWS documentation on RDS.


This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.


An aws_rds_snapshot_attributes resource block uses resource parameters to search for an RDS snapshot and test the respective RDS snapshot attributes.

No error is raised if no RDS snapshots match. However, the exists matcher will return false, and all properties will be nil.

An error is raised if more than one RDS snapshot matches (due to vague search parameters).

describe aws_rds_snapshot_attributes('TEST-SNAPSHOT-ID') do
  it { should exist }
# Can also use hash syntax
describe aws_rds_snapshot_attributes(db_snapshot_identifier: 'TEST-SNAPSHOT-ID') do
  it { should exist }



This resource accepts a single parameter either as a string or a db_snapshot_identifier: 'value' key-value entry in a hash. This parameter is user-supplied DB snapshot identifier. This parameter isn’t case-sensitive and is a required parameter.


The unique ID of the RDS snapshot returned.
The name of the attribute returned for a RDS snapshot.
The attribute values associated with the attribute_name.


Tests the attribute name of RDS snapshot.

describe aws_rds_snapshot-attributes(db_snapshot_identifier: 'AWSRDS123') do
  its ('attribute_name') { should eq 'restore' }

Tests the attribute value of attribute name for a RDS snapshot.

describe aws_rds_snapshot_attributes(db_snapshot_identifier: 'AWSRDS123').where('attribute_name' == 'restore') do
  its('attribute_values') { should_not include 'all' }


For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.


The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

describe aws_rds_snapshot_attributes(db_snapshot_identifier: 'AnExistingRDS') do
  it { should exist }
describe aws_rds_snapshot_attributes(db_snapshot_identifier: 'ANonExistentRDS') do
  it { should_not exist }

AWS Permissions

Your Principal will need the RDS:Client:DescribeDBSnapshotAttributesResult action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon RDS.

Edit this page on GitHub

Thank you for your feedback!


Search Results