turbot/aws_perimeter

Control: EBS snapshots should only be shared with trusted accounts

Description

This control checks whether every account granted createVolumePermission on an EBS snapshot is in the trusted_accounts list. Snapshots that are publicly restorable (the "all" group) or shared with an account not in the list are reported; snapshots with no sharing, or shared only with listed accounts, pass.

Usage

Run the control in your terminal:

powerpipe control run aws_perimeter.control.ebs_snapshot_shared_with_trusted_accounts

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_perimeter.control.ebs_snapshot_shared_with_trusted_accounts --share

Steampipe Tables

- aws_ebs_snapshot
Params

Args | Name | Default | Description | Variable
$1 | trusted_accounts | ["123456781234","123456781200"] | A list of trusted AWS account IDs (12-digit strings). The default holds example IDs only; override it with your own accounts, otherwise snapshots shared with those example IDs would be treated as trusted. |

SQL

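-- One row per snapshot that has at least one createVolumePermission entry,
-- with the account IDs (UserId) it is shared with aggregated into a jsonb array.
-- The public grant is {"Group": "all"} and carries no UserId; it is filtered out
-- here so the array never contains a null placeholder, and is detected explicitly
-- in the status/reason below instead.
with snapshot_shared_accounts as (
  select
    arn,
    jsonb_agg(p -> 'UserId') filter (where p ->> 'UserId' is not null) as shared_accounts
  from
    aws_ebs_snapshot
    cross join jsonb_array_elements(create_volume_permissions) as p
  group by
    arn
),
-- Subtract every trusted account ID ($1 is the trusted_accounts variable,
-- bound as text[]); whatever remains is an account we were not told to trust.
snapshot_untrusted_accounts as (
  select
    arn,
    shared_accounts,
    shared_accounts - ($1)::text[] as untrusted_accounts
  from
    snapshot_shared_accounts
)
select
  s.arn as resource,
  case
    -- A publicly restorable snapshot is reported regardless of the trusted list.
    -- NOTE(review): it is reported at the same 'info' severity as a share with an
    -- unlisted account; decide whether 'alarm' fits your policy for public snapshots.
    when s.create_volume_permissions @> '[{"Group": "all"}]' then 'info'
    when jsonb_array_length(u.untrusted_accounts) > 0 then 'info'
    else 'ok'
  end as status,
  case
    when s.create_volume_permissions @> '[{"Group": "all"}]'
      then s.title || ' publicly restorable.'
    when jsonb_array_length(u.untrusted_accounts) > 0
      then s.title || ' shared with ' ||
        case
          -- Name at most two account IDs and summarise the rest.
          when jsonb_array_length(u.untrusted_accounts) > 2
            then concat('untrusted accounts ', u.untrusted_accounts #>> '{0}', ', ', u.untrusted_accounts #>> '{1}', ' and ', (jsonb_array_length(u.untrusted_accounts) - 2)::text, ' more.')
          when jsonb_array_length(u.untrusted_accounts) = 2
            then concat('untrusted accounts ', u.untrusted_accounts #>> '{0}', ' and ', u.untrusted_accounts #>> '{1}', '.')
          else concat('untrusted account ', u.untrusted_accounts #>> '{0}', '.')
        end
    -- No createVolumePermission entries at all (no CTE row, or an empty/null list).
    when u.shared_accounts is null
      then s.title || ' is not shared.'
    else s.title || ' shared with trusted account(s).'
  end as reason,
  s.region,
  s.account_id
from
  aws_ebs_snapshot as s
  left join snapshot_untrusted_accounts as u on u.arn = s.arn;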

Tags