turbot/steampipe-mod-aws-compliance

Control: Elastic Beanstalk environment should have managed updates enabled

Description

This control checks whether managed platform updates are enabled in an AWS Elastic Beanstalk environment. The rule is COMPLIANT if the value for ManagedActionsEnabled is set to true. The rule is NON_COMPLIANT if the value for ManagedActionsEnabled is set to false, or if a parameter is provided and its value does not match the existing configuration.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.elastic_beanstalk_environment_managed_updates_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.elastic_beanstalk_environment_managed_updates_enabled --share

SQL

This control uses a named query:

-- Despite its name, this CTE collects the environments that have
-- ManagedActionsEnabled set to 'true' in any of their option settings.
with beanstalk_environment_logs_enabled as (
  select
    distinct e.arn
  from
    aws_elastic_beanstalk_environment as e,
    jsonb_array_elements(e.configuration_settings) as c,
    jsonb_array_elements(c -> 'OptionSettings') as s
  where
    s ->> 'OptionName' = 'ManagedActionsEnabled'
    and s ->> 'Value' = 'true'
  group by
    arn
)
-- Environments missing from the CTE (option absent or not 'true') are in alarm.
select
  e.arn as resource,
  case
    when l.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when l.arn is not null then title || ' managed actions Enabled.'
    else title || ' managed actions disabled.'
  end as reason,
  region,
  account_id
from
  aws_elastic_beanstalk_environment as e
  left join beanstalk_environment_logs_enabled as l on e.arn = l.arn;
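
The same check over the JSON shape the query reads, as an added example that is not part of the mod. It goes beyond the query by separating a missing option from an explicit false and by applying the optional parameter from the description, assumed here to be the UpdateLevel option; the environment records and the helper names are constructed for illustration.

```python
# Added example (not the mod's code): evaluate managed-update settings per environment.

def option_values(configuration_settings, option_name):
    """Collect every value set for option_name across all OptionSettings arrays."""
    values = set()
    for config in configuration_settings or []:       # the column may be null
        for setting in config.get("OptionSettings") or []:
            if setting.get("OptionName") == option_name:
                values.add(setting.get("Value"))
    return values


def evaluate(env, required_update_level=None):
    """Return (status, reason); required_update_level is the assumed optional parameter."""
    settings = env.get("configuration_settings")
    enabled = option_values(settings, "ManagedActionsEnabled")
    if "true" not in enabled:                          # same string match as the query
        state = "not set" if not enabled else "set to " + ", ".join(sorted(map(str, enabled)))
        return "alarm", f"{env['title']} ManagedActionsEnabled is {state}."
    if required_update_level is not None:
        levels = option_values(settings, "UpdateLevel")
        if required_update_level not in levels:
            found = ", ".join(sorted(map(str, levels))) or "not set"
            return "alarm", f"{env['title']} UpdateLevel is {found}, expected {required_update_level}."
    return "ok", f"{env['title']} managed actions enabled."


def setting(name, value):
    """Build one option-setting entry (hypothetical helper for the sample data)."""
    return {"OptionName": name, "Value": value}


# Constructed sample records in the shape of the table's configuration_settings column.
ENVIRONMENTS = [
    {"title": "web-prod", "configuration_settings": [{"OptionSettings": [
        setting("ManagedActionsEnabled", "true"), setting("UpdateLevel", "minor")]}]},
    {"title": "web-dev", "configuration_settings": [{"OptionSettings": [
        setting("ManagedActionsEnabled", "false")]}]},
    {"title": "batch", "configuration_settings": None},
]

if __name__ == "__main__":
    for env in ENVIRONMENTS:
        print(*evaluate(env, required_update_level="patch"))
```
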

Tags