🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: Amazon DocumentDB manual cluster snapshots should not be public

Description

This control checks whether an Amazon DocumentDB manual cluster snapshot is public. The control fails if the manual cluster snapshot is public.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.docdb_cluster_snapshot_restrict_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.docdb_cluster_snapshot_restrict_public_access --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when (cluster_snapshot ->> 'AttributeName' = 'restore') and cluster_snapshot -> 'AttributeValues' = '["all"]' then 'alarm'
    else 'ok'
  end status,
  case
    when (cluster_snapshot ->> 'AttributeName' = 'restore') and cluster_snapshot -> 'AttributeValues' = '["all"]' then title || ' does not restrict public access.'
    else title || ' restrict public access.'
  end reason
  
  , region, account_id
from
  aws_docdb_cluster_snapshot,
  jsonb_array_elements(db_cluster_snapshot_attributes) as cluster_snapshot;

Tags

acsc_essential_eight = true
category = Compliance
plugin = aws
service = AWS/DocumentDB