Previously, you had to write compliance checks as custom scripts in Systems Manager to collect configuration compliance information. Now you can use InSpec to create custom configuration compliance profiles, written in InSpec's human-readable Domain Specific Language (DSL), or reuse prebuilt profiles published by the InSpec community. For example, a profile can verify that specific instance ports are open or closed, check whether a service such as Apache is enabled and running, or scan Windows registry keys for specific values.
InSpec scans are run with AWS-RunInSpecChecks, a new Systems Manager document that retrieves the profile from either a GitHub repository or an Amazon S3 bucket, selected through its source type parameter. You can schedule recurring scans with Systems Manager State Manager. After a scan runs, each control's pass or fail result is recorded in Systems Manager Compliance under the compliance type Custom:InSpec, where you can view it alongside your other compliance data.
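As an added example (this is not AWS's or InSpec's own code), the script below writes a small InSpec profile covering the three kinds of checks named above (ports, a service, a Windows registry value), builds the `sourceInfo` JSON that AWS-RunInSpecChecks expects for an S3- or GitHub-hosted profile, and wraps the `aws ssm send-command` and `aws ssm list-compliance-items` calls. The bucket name, object key, repository and instance IDs are placeholders you must replace; the `sourceType`/`sourceInfo` parameter names and the `ComplianceType` filter key are what I believe the document and the CLI use today, so confirm them against `aws ssm describe-document --name AWS-RunInSpecChecks` before relying on them. The profile checks the `httpd` unit, so change it to `apache2` on Debian-family hosts.

```shell
#!/usr/bin/env bash
# Added example: package an InSpec profile and run it through AWS-RunInSpecChecks.
# Nothing here calls AWS until you invoke run_scan or list_results yourself.
set -euo pipefail

# Write a minimal InSpec profile (inspec.yml + one controls file) into the directory $1.
write_profile() {
  local dir="$1"
  mkdir -p "$dir/controls"
  cat > "$dir/inspec.yml" <<'EOF'
name: baseline
title: Example baseline checks (added example)
version: 0.1.0
supports:
  - os-family: linux
  - os-family: windows
EOF
  cat > "$dir/controls/baseline.rb" <<'EOF'
# Port checks: SSH must listen on TCP 22, nothing may listen on 23 (telnet).
control 'ssh-listening' do
  impact 1.0
  title 'SSH listens on TCP 22'
  describe port(22) do
    it { should be_listening }
    its('protocols') { should include 'tcp' }
  end
end

control 'telnet-closed' do
  impact 1.0
  title 'Telnet port is closed'
  describe port(23) do
    it { should_not be_listening }
  end
end

# Service check (Linux only): Apache must be enabled and running.
# Assumes the RHEL-style unit name; use service('apache2') on Debian-family hosts.
control 'apache-running' do
  impact 0.7
  title 'Apache is enabled and running'
  only_if { os.linux? }
  describe service('httpd') do
    it { should be_enabled }
    it { should be_running }
  end
end

# Registry check (Windows only): UAC must be turned on.
control 'uac-enabled' do
  impact 0.7
  title 'User Account Control is enabled'
  only_if { os.windows? }
  describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System') do
    its('EnableLUA') { should eq 1 }
  end
end
EOF
}

# Escape a string as a JSON string literal (sourceInfo is passed as a JSON string inside JSON).
json_string() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# sourceInfo for a profile zip in S3: s3_source_info BUCKET KEY
s3_source_info() {
  printf '{"path":"https://s3.amazonaws.com/%s/%s"}' "$1" "$2"
}

# sourceInfo for a profile in GitHub: github_source_info OWNER REPO PATH BRANCH
github_source_info() {
  printf '{"owner":"%s","repository":"%s","path":"%s","getOptions":"branch:%s"}' "$1" "$2" "$3" "$4"
}

# Start a scan: run_scan S3|GitHub SOURCE_INFO_JSON INSTANCE_ID... (needs AWS credentials)
run_scan() {
  local source_type="$1" source_info="$2"; shift 2
  local ids
  ids=$(printf '"%s",' "$@"); ids="[${ids%,}]"
  aws ssm send-command \
    --document-name AWS-RunInSpecChecks \
    --targets "[{\"Key\":\"instanceids\",\"Values\":$ids}]" \
    --parameters "{\"sourceType\":[\"$source_type\"],\"sourceInfo\":[$(json_string "$source_info")]}" \
    --query Command.CommandId --output text
}

# Show per-control results for one instance under compliance type Custom:InSpec.
list_results() {
  aws ssm list-compliance-items \
    --resource-ids "$1" --resource-types ManagedInstance \
    --filters Key=ComplianceType,Values=Custom:InSpec \
    --query 'ComplianceItems[].[Id,Title,Status,Severity]' --output table
}

# Typical use (placeholders):
#   write_profile ./baseline && (cd baseline && zip -r ../baseline.zip .)
#   aws s3 cp baseline.zip s3://my-inspec-bucket/profiles/baseline.zip
#   run_scan S3 "$(s3_source_info my-inspec-bucket profiles/baseline.zip)" i-0123456789abcdef0
#   list_results i-0123456789abcdef0
```

`run_scan` prints the command ID so you can poll `aws ssm list-command-invocations` for completion before calling `list_results`; for recurring scans, attach the same document and parameters to a State Manager association instead of calling `send-command` by hand.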
This feature is available in all AWS Regions where AWS Systems Manager is offered.