Control: Security contact information should be provided for an AWS account

Description

This control checks if an AWS Web Services (AWS) account has security contact information. The control fails if security contact information is not provided for the account.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.account_alternate_contact_security_registered

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.account_alternate_contact_security_registered --share

SQL

This control uses a named query:

with alternate_security_contact as (
  select
    name,
    account_id
  from
    aws_account_alternate_contact
  where
    contact_type = 'SECURITY'
),
account as (
  select
    arn,
    partition,
    title,
    account_id,
    _ctx
  from
    aws_account
)
select
  arn as resource,
  case
    when a.partition = 'aws-us-gov' then 'info'
    -- Name is a required field if setting a security contact
    when c.name is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when a.partition = 'aws-us-gov' then a.title || ' in GovCloud, manual verification required.'
    when c.name is not null then a.title || ' has security contact ' || c.name || ' registered.'
    else a.title || ' security contact not registered.'
  end as reason
  , a.account_id
from
  account as a
  left join alternate_security_contact as c on  c.account_id = a.account_id;

Control: Security contact information should be provided for an AWS account

Description

Usage

SQL

Tags