turbot/aws_compliance

Query: s3_public_access_block_bucket_account

Usage

powerpipe query aws_compliance.query.s3_public_access_block_bucket_account

Steampipe Tables

SQL

select
  arn as resource,
  -- A setting counts as enabled when it is set on the bucket or at the account level.
  case
    when (bucket.block_public_acls or s3account.block_public_acls)
      and (bucket.block_public_policy or s3account.block_public_policy)
      and (bucket.ignore_public_acls or s3account.ignore_public_acls)
      and (bucket.restrict_public_buckets or s3account.restrict_public_buckets)
      then 'ok'
    else 'alarm'
  end as status,
  -- On alarm, the reason lists each setting that is enabled at neither level.
  case
    when (bucket.block_public_acls or s3account.block_public_acls)
      and (bucket.block_public_policy or s3account.block_public_policy)
      and (bucket.ignore_public_acls or s3account.ignore_public_acls)
      and (bucket.restrict_public_buckets or s3account.restrict_public_buckets)
      then name || ' all public access blocks enabled.'
    else name || ' not enabled for: ' ||
      concat_ws(', ',
        case when not (bucket.block_public_acls or s3account.block_public_acls) then 'block_public_acls' end,
        case when not (bucket.block_public_policy or s3account.block_public_policy) then 'block_public_policy' end,
        case when not (bucket.ignore_public_acls or s3account.ignore_public_acls) then 'ignore_public_acls' end,
        case when not (bucket.restrict_public_buckets or s3account.restrict_public_buckets) then 'restrict_public_buckets' end
      ) || '.'
  end as reason,
  bucket.region,
  bucket.account_id
from
  aws_s3_bucket as bucket,
  aws_s3_account_settings as s3account
where
  s3account.account_id = bucket.account_id;

Controls

The query is being used by the following controls: