v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_perimeter
Overview
3Dashboards
62Controls
0Queries
5Variables
GitHub

Control: RDS DB snapshots should not be publicly restorable

Description

This control checks whether RDS DB snapshots prohibit access to other accounts. It is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public; then the data which is backed up in that snapshot is accessible to all other AWS accounts.

Usage

Run the control in your terminal:

powerpipe control run aws_perimeter.control.rds_db_snapshot_prohibit_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_perimeter.control.rds_db_snapshot_prohibit_public_access --share

Steampipe Tables

aws_rds_db_snapshot
Amazon Web Services plugin

SQL

select
  arn as resource,
  case
    when database_snapshot -> 'AttributeValues' = '["all"]' then 'alarm'
    else 'ok'
  end status,
  case
    when database_snapshot -> 'AttributeValues' = '["all"]' then title || ' publicly restorable.'
    else title || ' not publicly restorable.'
  end reason
  
  , region, account_id
from
  aws_rds_db_snapshot,
  jsonb_array_elements(db_snapshot_attributes) as database_snapshot;

Tags

category = Perimeter
plugin = aws
service = AWS/RDS