Benchmark: Public Access Settings
This benchmark answers the following questions:
- What resources are publicly accessible?
- Is S3 public access blocked at an account and bucket level?
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-perimeter
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Public Access Settings.
Run this benchmark in your terminal:
powerpipe benchmark run aws_perimeter.benchmark.public_access_settings
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_perimeter.benchmark.public_access_settings --share
Controls
- API Gateway APIs should prohibit public access
- Database Migration Service (DMS) replication instances should not be public
- EBS snapshots should not be publicly restorable
- EC2 AMIs should not be shared publicly
- EKS cluster endpoints should prohibit public access
- RDS DB cluster snapshots should not be publicly restorable
- RDS DB instances should prohibit public access
- RDS DB snapshots should not be publicly restorable
- Redshift clusters should prohibit public access
- S3 bucket ACLs should prohibit public read access
- S3 bucket ACLs should prohibit public write access
- S3 account settings should block public access
- S3 buckets should block public access at bucket level
- SageMaker notebook instances should be prohibited from direct internet access
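As an added example (not code from this page or from the aws_perimeter mod), the two S3 Block Public Access controls above can be expressed as Steampipe SQL queries against the AWS plugin. It assumes the plugin tables aws_s3_account_settings and aws_s3_bucket and their block_public_acls, block_public_policy, ignore_public_acls and restrict_public_buckets boolean columns.

```sql
-- Added example: account-level S3 Block Public Access status, one row per account.
-- Assumes the Steampipe AWS plugin table aws_s3_account_settings with the four
-- block-public-access boolean columns. All four must be on for 'ok'.
select
  account_id as resource,
  case
    when block_public_acls and block_public_policy
         and ignore_public_acls and restrict_public_buckets then 'ok'
    else 'alarm'
  end as status
from aws_s3_account_settings;

-- Bucket-level check. A bucket is treated as blocked for a given setting when it
-- is enabled on the bucket itself or enforced by the account-level settings,
-- which AWS applies to every bucket in the account.
select
  b.arn as resource,
  case
    when (b.block_public_acls or s.block_public_acls)
     and (b.block_public_policy or s.block_public_policy)
     and (b.ignore_public_acls or s.ignore_public_acls)
     and (b.restrict_public_buckets or s.restrict_public_buckets) then 'ok'
    else 'alarm'
  end as status
from aws_s3_bucket as b
left join aws_s3_account_settings as s on s.account_id = b.account_id;
```

Run either query from `steampipe query` with the AWS plugin connected; rows with status 'alarm' are the resources the corresponding controls would flag.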