Control: Amazon OpenSearch domains should be in a VPC private subnet
Description
This control checks whether Amazon OpenSearch domains are deployed in a VPC and whether any of the subnets they use is public (routes default traffic to an internet gateway).
Usage
Run the control in your terminal:
powerpipe control run aws_perimeter.control.opensearch_domain_in_vpc
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_perimeter.control.opensearch_domain_in_vpc --share
Steampipe Tables
SQL
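-- Evaluates each OpenSearch domain and reports:
--   alarm  – the domain is not deployed in a VPC, or at least one of its
--            subnets is public;
--   ok     – the domain is in a VPC and none of its subnets is public.
-- A subnet is treated as public when its *effective* route table carries a
-- default route (IPv4 0.0.0.0/0 or IPv6 ::/0) whose target is an internet
-- gateway. The effective route table is the explicitly associated one, or the
-- VPC main route table when the subnet has no explicit association.
-- Output columns (resource, status, reason, region, account_id) match the
-- Powerpipe control contract.
-- NOTE(review): this query reads aws_vpc_subnet in addition to
-- aws_vpc_route_table and aws_opensearch_domain; confirm it is listed under
-- the control's Steampipe tables.
with igw_route_tables as (
  -- Route tables that send default IPv4 or IPv6 traffic to an internet gateway.
  select
    t.route_table_id,
    t.vpc_id,
    t.associations
  from aws_vpc_route_table as t
  where exists (
    select 1
    from jsonb_array_elements(t.routes) as r
    where r ->> 'GatewayId' like 'igw-%'
      and (
        r ->> 'DestinationCidrBlock' = '0.0.0.0/0'
        or r ->> 'DestinationIpv6CidrBlock' = '::/0'
      )
  )
),
explicitly_associated_subnets as (
  -- Every subnet with an explicit route table association (public or not).
  -- Needed to decide which subnets fall back to the VPC main route table.
  select distinct a ->> 'SubnetId' as subnet_id
  from aws_vpc_route_table as t
  cross join lateral jsonb_array_elements(t.associations) as a
  where a ->> 'SubnetId' is not null
),
public_subnets as (
  -- Subnets explicitly associated with an internet-routed table ...
  select distinct a ->> 'SubnetId' as subnet_id
  from igw_route_tables as t
  cross join lateral jsonb_array_elements(t.associations) as a
  where a ->> 'SubnetId' is not null
  union all
  -- ... plus subnets with no explicit association whose VPC main route table
  -- is internet-routed. The two branches are disjoint by construction, so
  -- union all is safe.
  select s.subnet_id
  from aws_vpc_subnet as s
  inner join igw_route_tables as t
    on t.vpc_id = s.vpc_id
  cross join lateral jsonb_array_elements(t.associations) as a
  where (a ->> 'Main')::boolean
    and not exists (
      select 1
      from explicitly_associated_subnets as e
      where e.subnet_id = s.subnet_id
    )
),
opensearch_domain_with_public_subnet as (
  -- Domains that use at least one public subnet.
  select distinct d.arn
  from aws_opensearch_domain as d
  cross join lateral jsonb_array_elements_text(d.vpc_options -> 'SubnetIds') as s(subnet_id)
  where exists (
    select 1
    from public_subnets as p
    where p.subnet_id = s.subnet_id
  )
)
select
  d.arn as resource,
  case
    when d.vpc_options ->> 'VPCId' is null then 'alarm'
    when p.arn is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when d.vpc_options ->> 'VPCId' is null then d.title || ' not in VPC.'
    when p.arn is not null then d.title || ' attached to public subnet.'
    else d.title || ' in VPC ' || (d.vpc_options ->> 'VPCId') || '.'
  end as reason,
  d.region,
  d.account_id
from aws_opensearch_domain as d
left join opensearch_domain_with_public_subnet as p
  on d.arn = p.arn;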