Evidence Collection

Live AWS Tests

Collect read-only AWS evidence to give agents accurate recovery data. No mutations, just reads.

The normal test suite is deterministic and does not call AWS. Live AWS checks are opt-in and read-only.

What They Verify

tests/aws-live.test.ts signs a direct STS GetCallerIdentity request using the same built-in AWS SigV4 client used by Recourse evidence readers. It verifies that the test environment can authenticate to the configured AWS account without adding the AWS SDK or AWS CLI as a dependency.

No resources are created, updated, or deleted.
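What the built-in SigV4 client does for that authentication probe, shown here as an added example that is not Recourse's own client: it signs the STS GetCallerIdentity POST with Node's crypto module only, no SDK or CLI. The Creds shape and the signGetCallerIdentity name are assumptions for this example; the STS endpoint, request body and signing steps are the standard SigV4 ones, and the timestamp is injectable so the output can be checked deterministically offline.

```typescript
import { createHash, createHmac } from "node:crypto";
import { Buffer } from "node:buffer";

// Assumed credential shape for this example (not the Recourse client's own type).
export interface Creds { accessKeyId: string; secretAccessKey: string; sessionToken?: string }

const sha256Hex = (s: string): string => createHash("sha256").update(s, "utf8").digest("hex");
const hmac = (key: Buffer | string, s: string): Buffer => createHmac("sha256", key).update(s, "utf8").digest();

// Build a SigV4-signed STS GetCallerIdentity request. It is a pure read: it only answers "who am I?".
// `when` is injectable so the signed output is reproducible in tests.
export function signGetCallerIdentity(creds: Creds, region: string, when: Date = new Date()) {
  const host = `sts.${region}.amazonaws.com`;
  const body = "Action=GetCallerIdentity&Version=2011-06-15";
  const amzDate = when.toISOString().replace(/[-:]/g, "").replace(/\.\d{3}/, ""); // e.g. 20240101T000000Z
  const dateStamp = amzDate.slice(0, 8);
  const headers: Record<string, string> = {
    "content-type": "application/x-www-form-urlencoded; charset=utf-8",
    host,
    "x-amz-content-sha256": sha256Hex(body),
    "x-amz-date": amzDate,
  };
  // Temporary credentials (an assumed role, for instance) must also send their session token.
  if (creds.sessionToken) headers["x-amz-security-token"] = creds.sessionToken;
  // Canonical headers: lowercase names, sorted, each as "name:value\n"; SignedHeaders lists the same names.
  const names = Object.keys(headers).sort();
  const canonicalHeaders = names.map((n) => `${n}:${(headers[n] ?? "").trim()}\n`).join("");
  const signedHeaders = names.join(";");
  const canonicalRequest = ["POST", "/", "", canonicalHeaders, signedHeaders, sha256Hex(body)].join("\n");
  const scope = `${dateStamp}/${region}/sts/aws4_request`;
  const stringToSign = ["AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest)].join("\n");
  // Signing-key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning. The secret never goes on the wire.
  const kDate = hmac(`AWS4${creds.secretAccessKey}`, dateStamp);
  const kRegion = hmac(kDate, region);
  const kService = hmac(kRegion, "sts");
  const kSigning = hmac(kService, "aws4_request");
  const signature = hmac(kSigning, stringToSign).toString("hex");
  headers.authorization =
    `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
  return { url: `https://${host}/`, method: "POST" as const, headers, body };
}
```

Send the returned url, method, headers and body with fetch; a 200 XML response containing the account id and ARN confirms the credentials, and a 403 means they are missing, expired or rejected.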

When AWS_LIVE_S3_BUCKET is set, the live suite collects read-only S3 evidence:

  • versioning status
  • object lock configuration
  • replication configuration
  • lifecycle configuration
  • empty/non-empty status

When AWS_LIVE_RDS_INSTANCE is set, the live suite collects read-only RDS evidence:

  • deletion protection
  • backup retention
  • latest restorable time
  • Multi-AZ and replica signals
  • snapshot inventory

When AWS_LIVE_DYNAMODB_TABLE is set, the live suite collects read-only DynamoDB evidence:

  • deletion protection
  • point-in-time recovery status
  • on-demand backup inventory
  • approximate item count
  • replica regions

Do not paste AWS secrets into issues, PRs, docs, or agent prompts. Keep credentials in environment variables or ~/.aws/credentials.

Running

npm run test:aws-live

Set AWS_PROFILE to use a non-default shared credentials profile:

AWS_PROFILE=recourse-dev npm run test:aws-live

If RUN_AWS_LIVE_TESTS=1 is not set, the live test file is skipped by Vitest.

To include optional evidence checks:

AWS_LIVE_S3_BUCKET=my-readonly-test-bucket npm run test:aws-live
AWS_LIVE_RDS_INSTANCE=my-db npm run test:aws-live
AWS_LIVE_DYNAMODB_TABLE=my-table npm run test:aws-live
AWS_LIVE_IAM_ROLE=my-role npm run test:aws-live
AWS_LIVE_KMS_KEY_ID=1234abcd-12ab-34cd-56ef-1234567890ab npm run test:aws-live

Collecting Evidence

Use the CLI to collect read-only evidence:

recourse evidence aws-s3 my-bucket --region us-east-1
recourse evidence aws-rds my-db --region us-east-1
recourse evidence aws-dynamodb my-table --region us-east-1
recourse evidence aws-iam-role my-role
recourse evidence aws-kms-key 1234abcd-12ab-34cd-56ef-1234567890ab --region us-east-1

Feed that evidence into shell or MCP evaluation:

recourse evaluate shell 'aws s3 rm s3://my-bucket --recursive' \
  --aws-s3-evidence s3-evidence.json \
  --fail-on block

recourse evaluate shell 'aws rds delete-db-instance --db-instance-identifier my-db --skip-final-snapshot' \
  --aws-rds-evidence rds-evidence.json \
  --fail-on block