turbot/aws_compliance

Query: cloudtrail_s3_object_read_events_audit_enabled

Usage

powerpipe query aws_compliance.query.cloudtrail_s3_object_read_events_audit_enabled

SQL

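-- Reports, per S3 bucket, whether object-level read data events (ReadOnly or
-- All) are captured by at least one multi-region CloudTrail trail.
--
-- Result columns: resource (bucket ARN), status ('ok' / 'alarm'), reason,
-- region, account_id. status is 'ok' when some multi-region trail has an
-- 'AWS::S3::Object' data resource whose selector covers the bucket, either by
-- naming the bucket (exact ARN, or ARN + '/' + optional object prefix) or via
-- the account-wide 'arn:aws:s3' wildcard; otherwise 'alarm'.
--
-- NOTE(review): only the basic event_selectors column is inspected; a trail
-- configured through advanced event selectors is not examined here and will
-- not count toward 'ok' -- confirm whether that case matters for this check.
-- NOTE(review): single-region trails are deliberately excluded by the
-- is_multi_region_trail filter, so a single-region trail that does log the
-- bucket still yields 'alarm' -- presumably intentional per the benchmark.
with s3_selectors as (
  -- One row per S3 object data-resource value from every multi-region trail
  -- that records read events.
  select
    name as trail_name,
    is_multi_region_trail,
    bucket_selector
  from
    aws_cloudtrail_trail,
    jsonb_array_elements(event_selectors) as event_selector,
    jsonb_array_elements(event_selector -> 'DataResources') as data_resource,
    jsonb_array_elements_text(data_resource -> 'Values') as bucket_selector
  where
    is_multi_region_trail
    and data_resource ->> 'Type' = 'AWS::S3::Object'
    and event_selector ->> 'ReadWriteType' in ('ReadOnly', 'All')
)
select
  b.arn as resource,
  case
    when count(s.bucket_selector) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when count(s.bucket_selector) > 0 then b.name || ' object-level read events logging enabled.'
    else b.name || ' object-level read events logging disabled.'
  end as reason,
  b.region,
  b.account_id
from
  aws_s3_bucket as b
  left join s3_selectors as s
    -- A selector covers the bucket when it equals the bucket ARN, is the
    -- bucket ARN followed by '/' and an optional object prefix, or is the
    -- account-wide wildcard. Matching on b.arn || '%' alone would also accept
    -- selectors for other buckets whose name merely starts with this bucket's
    -- name (illustrative: selector 'arn:aws:s3:::logs-archive/' would mark
    -- bucket 'logs' as 'ok' although nothing logs it).
    on s.bucket_selector = b.arn
    or s.bucket_selector like (b.arn || '/%')
    or s.bucket_selector = 'arn:aws:s3'
group by
  -- b.tags and b._ctx are grouped but not selected; kept so the query stays
  -- usable with the mod's common dimension columns.
  b.account_id, b.region, b.arn, b.name, b.tags, b._ctx;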

Controls

This query is used by the following controls: