Control: EBS snapshots should only be shared with trusted accounts
Description
This control checks whether EBS snapshot access is restricted to trusted accounts.
Usage
Run the control in your terminal:
powerpipe control run aws_perimeter.control.ebs_snapshot_shared_with_trusted_accounts
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_perimeter.control.ebs_snapshot_shared_with_trusted_accounts --share
Steampipe Tables
Params
| Args | Name | Default | Description | Variable |
|---|---|---|---|---|
| $1 | trusted_accounts | | A list of trusted accounts. | |
SQL
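-- Reports each EBS snapshot as 'info' when its create-volume permissions grant
-- restore access to an account outside the trusted list, or to the public
-- ({"Group": "all"}); every other snapshot is 'ok'.
-- $1: text[] of trusted AWS account IDs (the trusted_accounts param).
-- Output columns: resource, status, reason, region, account_id.
with list_of_snapshot_shared_accounts as (
  -- One row per shared snapshot holding every UserId in create_volume_permissions.
  -- A public permission ({"Group": "all"}) carries no UserId and so contributes a
  -- null element; the set difference below never removes nulls, so a public
  -- snapshot always keeps a non-empty untrusted list.
  select
    arn,
    jsonb_agg(p -> 'UserId') as list
  from aws_ebs_snapshot,
    jsonb_array_elements(create_volume_permissions) as p
  group by arn
),
shared_ebs_snapshot as (
  -- Drop trusted account IDs from the shared list. The coalesce matters: the
  -- jsonb '-' operator is strict, so a null $1 would make untrusted_accounts null
  -- and every shared snapshot would fall through to 'ok' (fail-open). With an
  -- unset trusted list, every shared account is now treated as untrusted.
  select
    arn,
    list,
    list - coalesce(($1)::text[], '{}'::text[]) as untrusted_accounts
  from list_of_snapshot_shared_accounts
)
select
  s.arn as resource,
  -- Never-shared snapshots have no CTE row; jsonb_array_length(null) is null and
  -- the comparison is unknown, so they land in the 'ok' branch.
  -- NOTE(review): publicly restorable snapshots also surface as 'info' here;
  -- consider whether that case warrants 'alarm' for this control.
  case
    when jsonb_array_length(ss.untrusted_accounts) > 0 then 'info'
    else 'ok'
  end as status,
  case
    -- Public share wins over any per-account detail.
    when s.create_volume_permissions @> '[{"Group": "all"}]' then s.title || ' publicly restorable.'
    when jsonb_array_length(ss.untrusted_accounts) > 0 and ss.untrusted_accounts #>> '{0}' != 'all' then
      s.title || ' shared with ' ||
      case
        -- List at most two account IDs, then summarise the remainder.
        when jsonb_array_length(ss.untrusted_accounts) > 2 then concat('untrusted accounts ', ss.untrusted_accounts #>> '{0}', ', ', ss.untrusted_accounts #>> '{1}', ' and ' || (jsonb_array_length(ss.untrusted_accounts) - 2)::text || ' more.')
        when jsonb_array_length(ss.untrusted_accounts) = 2 then concat('untrusted accounts ', ss.untrusted_accounts #>> '{0}', ' and ', ss.untrusted_accounts #>> '{1}', '.')
        else concat('untrusted account ', ss.untrusted_accounts #>> '{0}', '.')
      end
    else
      case
        when ss.list is null then s.title || ' is not shared.'
        else s.title || ' shared with trusted account(s).'
      end
  end as reason,
  s.region,
  s.account_id
from aws_ebs_snapshot as s
left join shared_ebs_snapshot as ss on s.arn = ss.arn;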