Control: 3 Amazon DocumentDB manual cluster snapshots should not be public
Description
This control checks whether an Amazon DocumentDB manual cluster snapshot is public. The control fails if the manual cluster snapshot is public.
An Amazon DocumentDB manual cluster snapshot should not be public unless intended. If you share an unencrypted manual snapshot as public, the snapshot is available to all AWS accounts. Public snapshots may result in unintended data exposure.
Remediation
To remove public access for Amazon DocumentDB manual cluster snapshots, see Sharing a snapshot in the Amazon DocumentDB Developer Guide. Programmatically, you can use the Amazon DocumentDB operation modify-db-snapshot-attribute. Set attribute-name as restore and values-to-remove as all.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_docdb_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_docdb_3 --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when (cluster_snapshot ->> 'AttributeName' = 'restore')
      and cluster_snapshot -> 'AttributeValues' = '["all"]' then 'alarm'
    else 'ok'
  end status,
  case
    when (cluster_snapshot ->> 'AttributeName' = 'restore')
      and cluster_snapshot -> 'AttributeValues' = '["all"]' then title || ' does not restrict public access.'
    else title || ' restrict public access.'
  end reason,
  region,
  account_id
from
  aws_docdb_cluster_snapshot,
  jsonb_array_elements(db_cluster_snapshot_attributes) as cluster_snapshot;
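The check and the remediation described on this page, as an added Python example (not Powerpipe's or AWS's own code). It assumes boto3's `docdb` client, where the operation is named `modify_db_cluster_snapshot_attribute`. It tests for `all` by membership rather than the query's exact `["all"]` match, on the assumption that the value could appear alongside account IDs. The snapshot identifiers and sample data are constructed.

```python
# Added example: audit DocumentDB manual cluster snapshots for public restore access.
def is_public(attributes):
    """True when a 'restore' attribute lists 'all' (membership, not exact match)."""
    return any(
        a.get("AttributeName") == "restore" and "all" in a.get("AttributeValues", [])
        for a in attributes
    )

def evaluate(snapshot_id, attributes):
    """One (resource, status, reason) row per snapshot, even with no attributes."""
    if is_public(attributes):
        return (snapshot_id, "alarm", f"{snapshot_id} does not restrict public access.")
    return (snapshot_id, "ok", f"{snapshot_id} restricts public access.")

def remediation_request(snapshot_id):
    """Arguments that remove the 'all' value from the 'restore' attribute."""
    return {
        "DBClusterSnapshotIdentifier": snapshot_id,
        "AttributeName": "restore",
        "ValuesToRemove": ["all"],
    }

def audit(client, fix=False):
    """Check every manual snapshot through a boto3 'docdb' client; fix if asked."""
    rows = []
    paginator = client.get_paginator("describe_db_cluster_snapshots")
    for page in paginator.paginate(SnapshotType="manual"):
        for snap in page["DBClusterSnapshots"]:
            sid = snap["DBClusterSnapshotIdentifier"]
            resp = client.describe_db_cluster_snapshot_attributes(DBClusterSnapshotIdentifier=sid)
            attrs = resp["DBClusterSnapshotAttributesResult"]["DBClusterSnapshotAttributes"]
            row = evaluate(sid, attrs)
            rows.append(row)
            if fix and row[1] == "alarm":
                client.modify_db_cluster_snapshot_attribute(**remediation_request(sid))
    return rows

# Constructed sample attribute lists, keyed by hypothetical snapshot identifiers.
SAMPLE = {
    "snap-public": [{"AttributeName": "restore", "AttributeValues": ["all"]}],
    "snap-mixed": [{"AttributeName": "restore", "AttributeValues": ["111122223333", "all"]}],
    "snap-shared": [{"AttributeName": "restore", "AttributeValues": ["111122223333"]}],
    "snap-private": [{"AttributeName": "restore", "AttributeValues": []}],
}

if __name__ == "__main__":
    for sid, attrs in SAMPLE.items():
        print(evaluate(sid, attrs))
```

For a live run, pass `boto3.client("docdb")` to `audit`; leave `fix=False` to report without changing anything.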