Control: EBS snapshots should not be publicly restorable
Description
This control checks whether EBS snapshots are publicly restorable by everyone, which makes them public. EBS snapshots should not be publicly restorable by everyone unless you explicitly allow it, to avoid accidental exposure of your company’s sensitive data.
Usage
Run the control in your terminal:
powerpipe control run aws_perimeter.control.ebs_snapshot_not_publicly_accessible
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_perimeter.control.ebs_snapshot_not_publicly_accessible --share
Steampipe Tables
SQL
select
  arn as resource,
  case
    when create_volume_permissions @> '[{"Group": "all", "UserId": null}]' then 'alarm'
    else 'ok'
  end status,
  case
    when create_volume_permissions @> '[{"Group": "all", "UserId": null}]' then title || ' publicly restorable.'
    else title || ' not publicly restorable.'
  end reason,
  region,
  account_id
from
  aws_ebs_snapshot;
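A follow-up query for triaging what the control flags, added here as an example and not part of the mod's own code: it expands create_volume_permissions into one row per grant, and goes beyond the control by also listing snapshots shared with specific accounts. The columns snapshot_id, volume_size and start_time are assumed from the aws_ebs_snapshot table; they do not appear on this page.

```sql
-- Added example (not from the aws_perimeter mod).
-- One row per sharing grant, public grants first.
-- Assumed columns: snapshot_id, volume_size, start_time.
select
  s.snapshot_id,
  s.region,
  s.account_id,
  s.volume_size as size_gib,
  s.start_time,
  case
    when perm ->> 'Group' = 'all' then 'public'
    else 'account ' || coalesce(perm ->> 'UserId', 'unknown')
  end as shared_with
from
  aws_ebs_snapshot as s
  cross join lateral jsonb_array_elements(
    -- Treat a missing or non-array permissions value as "no grants"
    -- so the unnest never fails on a scalar.
    case
      when jsonb_typeof(s.create_volume_permissions) = 'array'
        then s.create_volume_permissions
      else '[]'::jsonb
    end
  ) as perm
order by
  -- coalesce keeps per-account grants (Group is null) after public ones
  (coalesce(perm ->> 'Group', '') = 'all') desc,
  s.start_time;
```

Snapshots with no grants produce no rows, so an empty result means nothing is shared outside the owning account.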