🚀 Launch Week 10, September 22nd - 26th, 2025 🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
35Dashboards
1534Benchmarks
673Queries
9Variables
GitHub

Control: 172 EC2 VPC Block Public Access settings should block internet gateway traffic

Description

This control checks whether Amazon EC2 VPC Block Public Access (BPA) settings are configured to block internet gateway traffic for all Amazon VPCs in the AWS account. The control fails if VPC BPA settings aren't configured to block internet gateway traffic. For the control to pass, the VPC BPA InternetGatewayBlockMode must be set to block-bidirectional or block-ingress. If the parameter vpcBpaInternetGatewayBlockMode is provided, the control passes only if the VPC BPA value for InternetGatewayBlockMode matches the parameter.

Configuring the VPC BPA settings for your account in an AWS Region lets you block resources in VPCs and subnets that you own in that Region from reaching or being reached from the internet through internet gateways and egress-only internet gateways. If you need specific VPCs and subnets to be able to reach or be reachable from the internet, you can exclude them by configuring VPC BPA exclusions. For instructions on creating and deleting exclusions, see Create and delete exclusions in the Amazon VPC User Guide.

Remediation

To enable bi-directional BPA at the account level, see Enable BPA bidirectional mode for your account in the Amazon VPC User Guide. To enable ingress-only BPA, see Change VPC BPA mode to ingress-only. To enable VPC BPA at the Organization level, see Enable VPC BPA at the Organization level.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_172

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_172 --share

SQL

This control uses a named query:

select
  'arn:' || partition || '::' || region || ':' || account_id as resource,
  case
    when internet_gateway_block_mode in ('block-bidirectional', 'block-ingress') then 'ok'
    else 'alarm'
  end as status,
  case
    when internet_gateway_block_mode in ('block-bidirectional', 'block-ingress') then title || ' restricts internet gateway traffic.'
    else title || ' allows internet gateway traffic.'
  end as reason
  , region, account_id
from
  aws_vpc_block_public_access_options;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = resources_not_publicly_accessible
foundational_security_item_id = ec2_172
plugin = aws
service = AWS/EC2