Control: EFS file systems should restrict public access
Description
Manage access to resources in the AWS Cloud by ensuring AWS EFS file systems cannot be publicly accessed.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.efs_file_system_restrict_public_accessSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.efs_file_system_restrict_public_access --shareSQL
This control uses a named query:
with wildcard_action_policies as ( select arn, count(*) as statements_num from aws_efs_file_system, jsonb_array_elements(policy_std -> 'Statement') as s where s ->> 'Effect' = 'Allow' and ( ( s -> 'Principal' -> 'AWS') = '["*"]' or s ->> 'Principal' = '*' ) group by arn)select f.arn as resource, case when p.arn is null then 'ok' else 'alarm' end as status, case when p.arn is null then title || ' does not allow public access.' else title || ' contains ' || coalesce(p.statements_num, 0) || ' statements that allows public access.' end as reason , f.region, f.account_idfrom aws_efs_file_system as f left join wildcard_action_policies as p on p.arn = f.arn;