turbot/steampipe-mod-aws-compliance

Control: EC2 instances high level findings should not be there in inspector scans

Description

AWS Inspector scans operating system packages installed on your AWS EC2 instances for vulnerabilities and network reachability issues. Each finding has the name of the detected vulnerability and provides a severity rating, information about the affected resource, and details such as how to remediate the reported vulnerability.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.ec2_instance_no_high_level_finding_in_inspector_scan

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.ec2_instance_no_high_level_finding_in_inspector_scan --share

SQL

This control uses a named query:

with severity_list as (
  -- one row per (finding title, instance) pair for high-severity EC2 findings;
  -- the instance id is read from the finding's INSTANCE_ID attribute
  select
    distinct title,
    a ->> 'Value' as instance_id
  from
    aws_inspector_finding,
    jsonb_array_elements(attributes) as a
  where
    severity = 'High'
    and asset_type = 'ec2-instance'
    and a ->> 'Key' = 'INSTANCE_ID'
  group by
    a ->> 'Value',
    title
), ec2_instance_list as (
  -- instances that have at least one high-severity finding
  select
    distinct instance_id
  from
    severity_list
)
select
  arn as resource,
  case
    when l.instance_id is null then 'ok'
    else 'alarm'
  end as status,
  case
    when l.instance_id is null then i.title || ' has no high level finding in inspector scans.'
    else i.title || ' has ' || (select count(*) from severity_list where instance_id = i.instance_id) || ' high level findings in inspector scans.'
  end as reason,
  i.region,
  i.account_id
from
  aws_ec2_instance as i
  left join ec2_instance_list as l on i.instance_id = l.instance_id;
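The control only reports how many high-severity findings an instance has. When triaging an alarm, the next thing an engineer usually wants is which findings those are. The query below is an added drill-down example, not part of the mod's own query set; it assumes the same Steampipe tables and columns the control above reads (aws_inspector_finding with title, severity, asset_type and attributes; aws_ec2_instance with instance_id, arn, region and account_id) and lists, per alarmed instance, the distinct high-severity finding titles alongside their count.

```sql
-- Added drill-down example (not part of the mod): for each EC2 instance that
-- would be in 'alarm' under the control, list the distinct high-severity
-- Inspector finding titles so the "N high level findings" reason can be
-- traced to concrete findings to remediate.
-- Assumes the same tables and columns the control's query uses.
with high_findings as (
  select
    distinct
    title as finding_title,
    a ->> 'Value' as instance_id
  from
    aws_inspector_finding,
    jsonb_array_elements(attributes) as a
  where
    severity = 'High'
    and asset_type = 'ec2-instance'
    and a ->> 'Key' = 'INSTANCE_ID'
)
select
  i.arn as resource,
  i.instance_id,
  i.region,
  i.account_id,
  count(f.finding_title) as high_finding_count,
  -- one array per instance, sorted so output is stable between runs
  array_agg(f.finding_title order by f.finding_title) as finding_titles
from
  aws_ec2_instance as i
  -- inner join: instances with no high findings are deliberately omitted
  join high_findings as f on f.instance_id = i.instance_id
group by
  i.arn, i.instance_id, i.region, i.account_id
order by
  high_finding_count desc, i.instance_id;
```

The query can be pasted into a `steampipe query` session against the same AWS connection the control runs on. Because it uses an inner join instead of the control's left join, instances with no high-severity findings do not appear, so an empty result corresponds to every instance being 'ok' under the control.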

Tags