Query: sls_alert_vpc_changes
Usage
powerpipe query alicloud_compliance.query.sls_alert_vpc_changes
Steampipe Tables
SQL
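-- Control query: for every ActionTrail trail, report whether the trail is
-- enabled, delivers to an SLS project, and has at least one SLS alert in the
-- same region whose query text mentions VPC change events.
--
-- Output columns: resource, status ('ok' | 'alarm'), reason, account_id, region.
--
-- Detection-coverage caveats for anyone relying on an 'ok' result:
--   * Alerts are recognised by case-insensitive substring match on the query
--     text. One listed event name is enough, so 'ok' does not mean every VPC
--     change event is covered, and a term inside a negated clause still matches.
--   * Only two spellings are recognised: event.eventName="X" and
--     "event.eventName": "X". Other spacing or quoting yields 'alarm'.
--   * Trail and alert are paired by region only. sls_project_name is extracted
--     but not used in the join, so an alert in a different SLS project in the
--     same region satisfies the check.
--     NOTE(review): confirm whether project-level matching is wanted.
--   * Alerts whose status is NULL are treated the same as 'ENABLED'.
--   * Nothing here checks that the alert has a notification target.
with actiontrail_check as (
  -- Enabled trails that deliver to SLS; region and project name are parsed
  -- out of the SLS project ARN.
  select
    name as trail_name,
    account_id,
    status,
    sls_project_arn,
    sls_write_role_arn,
    home_region,
    trail_region,
    substring(sls_project_arn from 'acs:log:([^:]+):') as sls_region,
    substring(sls_project_arn from 'project/([^/]+)') as sls_project_name
  from
    alicloud_action_trail
  where
    status = 'Enable'
    and sls_project_arn is not null
),
alert_queries as (
  -- One row per (alert, query entry). The query text is resolved once here
  -- instead of being recomputed for every pattern test.
  select
    project,
    region,
    name as alert_name,
    display_name,
    status as alert_status,
    coalesce(
      query_obj ->> 'Query',
      query_obj ->> 'query',
      query_obj::text
    ) as query_text
  from
    alicloud_sls_alert,
    jsonb_array_elements(query_list) as query_obj
  where
    (status = 'ENABLED' or status is null)
    and query_list is not null
),
alert_check as (
  -- Keep query entries that name the Ecs or Vpc service AND at least one of
  -- the VPC / vSwitch change events.
  select
    project,
    region,
    alert_name,
    display_name,
    alert_status,
    query_text
  from
    alert_queries
  where
    query_text ilike any (array[
      '%event.serviceName="Ecs"%',
      '%event.serviceName="Vpc"%',
      '%"event.serviceName": "Ecs"%',
      '%"event.serviceName": "Vpc"%'
    ])
    and query_text ilike any (array[
      '%event.eventName="CreateVpc"%',
      '%event.eventName="DeleteVpc"%',
      '%event.eventName="DisableVpcClassicLink"%',
      '%event.eventName="EnableVpcClassicLink"%',
      '%event.eventName="DeletionProtection"%',
      '%event.eventName="AssociateVpcCidrBlock"%',
      '%event.eventName="UnassociateVpcCidrBlock"%',
      '%event.eventName="RevokeInstanceFromCen"%',
      '%event.eventName="CreateVSwitch"%',
      '%event.eventName="DeleteVSwitch"%',
      '%"event.eventName": "CreateVpc"%',
      '%"event.eventName": "DeleteVpc"%',
      '%"event.eventName": "DisableVpcClassicLink"%',
      '%"event.eventName": "EnableVpcClassicLink"%',
      '%"event.eventName": "DeletionProtection"%',
      '%"event.eventName": "AssociateVpcCidrBlock"%',
      '%"event.eventName": "UnassociateVpcCidrBlock"%',
      '%"event.eventName": "RevokeInstanceFromCen"%',
      '%"event.eventName": "CreateVSwitch"%',
      '%"event.eventName": "DeleteVSwitch"%'
    ])
),
matched_pairs as (
  -- Trails that have a matching alert in the region of their SLS project.
  select distinct
    at.trail_name,
    at.sls_region,
    at.home_region,
    ac.alert_name,
    ac.region as alert_region
  from
    actiontrail_check at
    inner join alert_check ac
      on trim(lower(coalesce(at.sls_region, ''))) = trim(lower(coalesce(ac.region, '')))
      and at.sls_region is not null
      and ac.region is not null
      and at.sls_region != ''
      and ac.region != ''
)
select
  'acs:actiontrail:' || at.home_region || ':' || at.account_id || ':actiontrail/' || at.name as resource,
  -- NOTE(review): matched_pairs is correlated on trail name only. If the
  -- connection aggregates several accounts, same-named trails would share a
  -- match; consider correlating on account_id as well.
  case
    when at.status = 'Enable'
      and at.sls_project_arn is not null
      and exists (select 1 from matched_pairs mp where mp.trail_name = at.name)
      then 'ok'
    else 'alarm'
  end as status,
  -- If the ARN does not match the region pattern, substring() returns NULL
  -- and the concatenated reason is NULL in the second branch.
  case
    when at.status = 'Enable'
      and at.sls_project_arn is not null
      and exists (select 1 from matched_pairs mp where mp.trail_name = at.name)
      then at.name || ' is configured with ActionTrail enabled, delivering to SLS project in region ' || substring(at.sls_project_arn from 'acs:log:([^:]+):') || ', and has a VPC change monitoring alert configured'
    when at.status = 'Enable'
      and at.sls_project_arn is not null
      then at.name || ' is configured with ActionTrail enabled and delivering to SLS project in region ' || substring(at.sls_project_arn from 'acs:log:([^:]+):') || ', but no VPC change monitoring alert found in that region'
    when at.status = 'Enable'
      and at.sls_project_arn is null
      then at.name || ' is enabled but not configured to deliver logs to SLS'
    else at.name || ' is not enabled'
  end as reason,
  at.account_id as account_id,
  at.region as region
from
  alicloud_action_trail at;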
Controls
The query is being used by the following controls: