Control: CloudWatch should not allow cross-account sharing
Description
Ensure that your AWS CloudWatch is configured to allow access only to friendly AWS accounts in order to prevent unauthorized users from sharing their CloudWatch events.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cloudwatch_cross_account_sharingSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cloudwatch_cross_account_sharing --shareSQL
This control uses a named query:
with iam_role_cross_account_sharing_count as ( select arn, replace(replace(replace((a -> 'Principal' ->> 'AWS'), '[',''), ']', ''), '"', '') as cross_account_details, account_id from aws_iam_role, jsonb_array_elements(assume_role_policy_std -> 'Statement') as a where name = 'CloudWatch-CrossAccountSharingRole')select a.arn as resource, case when c.arn is null then 'ok' else 'info' end as status, case when c.arn is null then 'CloudWatch does not allow cross-account sharing.' else 'CloudWatch allow cross-account sharing with '|| cross_account_details || '.' end as reason , a.account_idfrom aws_account as a left join iam_role_cross_account_sharing_count as c on c.account_id = a.account_id;