v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 3 Amazon DocumentDB manual cluster snapshots should not be public

Description

This control checks whether an Amazon DocumentDB manual cluster snapshot is public. The control fails if the manual cluster snapshot is public.

An Amazon DocumentDB manual cluster snapshot should not be public unless intended. If you share an unencrypted manual snapshot as public, the snapshot is available to all AWS accounts. Public snapshots may result in unintended data exposure.

Remediation

To remove public access for Amazon DocumentDB manual cluster snapshots, see Sharing a snapshot in the Amazon DocumentDB Developer Guide. Programmatically, you can use the Amazon DocumentDB operation modify-db-snapshot-attribute. Set attribute-name as restore and values-to-remove as all.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_docdb_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_docdb_3 --share

SQL

This control uses a named query:

docdb_cluster_snapshot_restrict_public_access

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = secure_network_configuration
foundational_security_item_id = docdb_3
plugin = aws
service = AWS/DocumentDB