Control: 172 EC2 VPC Block Public Access settings should block internet gateway traffic
Description
This control checks whether Amazon EC2 VPC Block Public Access (BPA) settings are configured to block internet gateway traffic for all Amazon VPCs in the AWS account. The control fails if VPC BPA settings aren't configured to block internet gateway traffic. For the control to pass, the VPC BPA InternetGatewayBlockMode must be set to block-bidirectional or block-ingress. If the parameter vpcBpaInternetGatewayBlockMode is provided, the control passes only if the VPC BPA value for InternetGatewayBlockMode matches the parameter.
Configuring the VPC BPA settings for your account in an AWS Region lets you block resources in VPCs and subnets that you own in that Region from reaching or being reached from the internet through internet gateways and egress-only internet gateways. If you need specific VPCs and subnets to be able to reach or be reachable from the internet, you can exclude them by configuring VPC BPA exclusions. For instructions on creating and deleting exclusions, see Create and delete exclusions in the Amazon VPC User Guide.
Remediation
To enable bi-directional BPA at the account level, see Enable BPA bidirectional mode for your account in the Amazon VPC User Guide. To enable ingress-only BPA, see Change VPC BPA mode to ingress-only. To enable VPC BPA at the Organization level, see Enable VPC BPA at the Organization level.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_ec2_172
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_172 --share
SQL
This control uses a named query:
select
  'arn:' || partition || '::' || region || ':' || account_id as resource,
  case
    when internet_gateway_block_mode in ('block-bidirectional', 'block-ingress') then 'ok'
    else 'alarm'
  end as status,
  case
    when internet_gateway_block_mode in ('block-bidirectional', 'block-ingress') then title || ' restricts internet gateway traffic.'
    else title || ' allows internet gateway traffic.'
  end as reason,
  region,
  account_id
from
  aws_vpc_block_public_access_options;
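The named query above hard-codes the two passing modes and has no notion of the vpcBpaInternetGatewayBlockMode parameter described under Description. The following Python is an added example, not code from the aws_compliance mod or the Steampipe AWS plugin: it re-implements the control's pass/fail decision over rows shaped like the aws_vpc_block_public_access_options table (columns partition, region, account_id, title, internet_gateway_block_mode, as used by the query), adds the optional parameter, and runs offline on constructed sample rows. The sample account ID, Region titles and the rule that the parameter must itself name a blocking mode are assumptions of this example.

```python
# Added example, not part of the aws_compliance mod or the Steampipe plugin.
# Re-implements the EC2.172 decision in Python over rows shaped like the
# aws_vpc_block_public_access_options table used by the page's named query,
# and adds the optional vpcBpaInternetGatewayBlockMode parameter.

PASSING_MODES = ("block-bidirectional", "block-ingress")


def evaluate_row(row, expected_mode=None):
    """Return resource, status and reason for one account/Region row.

    expected_mode mirrors the control's vpcBpaInternetGatewayBlockMode
    parameter: when it is given, the row passes only if its mode equals it;
    otherwise either blocking mode passes, as in the named query.
    """
    if expected_mode is not None and expected_mode not in PASSING_MODES:
        # Assumption of this example: the parameter must name a blocking mode,
        # so a typo such as "block-ingres" fails loudly instead of alarming on
        # every Region.
        raise ValueError(f"unsupported parameter value: {expected_mode!r}")

    # A missing/null mode means BPA is not configured, which must alarm.
    mode = row.get("internet_gateway_block_mode") or "off"
    if expected_mode is None:
        passed = mode in PASSING_MODES
    else:
        passed = mode == expected_mode

    # Same ARN shape the named query builds: arn:<partition>::<region>:<account>
    resource = f"arn:{row['partition']}::{row['region']}:{row['account_id']}"
    verdict = "restricts" if passed else "allows"
    return {
        "resource": resource,
        "status": "ok" if passed else "alarm",
        "reason": f"{row['title']} {verdict} internet gateway traffic.",
        "region": row["region"],
        "account_id": row["account_id"],
    }


def evaluate_rows(rows, expected_mode=None):
    return [evaluate_row(r, expected_mode) for r in rows]


def summarize(rows, expected_mode=None):
    """Count ok/alarm results, e.g. for a CI gate over the whole account."""
    counts = {"ok": 0, "alarm": 0}
    for result in evaluate_rows(rows, expected_mode):
        counts[result["status"]] += 1
    return counts


# Constructed sample rows (not real account data): one Region per BPA mode.
SAMPLE_ROWS = [
    {"partition": "aws", "region": "us-east-1", "account_id": "111111111111",
     "title": "us-east-1", "internet_gateway_block_mode": "block-bidirectional"},
    {"partition": "aws", "region": "eu-west-1", "account_id": "111111111111",
     "title": "eu-west-1", "internet_gateway_block_mode": "block-ingress"},
    {"partition": "aws", "region": "ap-southeast-2", "account_id": "111111111111",
     "title": "ap-southeast-2", "internet_gateway_block_mode": "off"},
]


if __name__ == "__main__":
    for result in evaluate_rows(SAMPLE_ROWS):
        print(result["status"].upper().ljust(5), result["resource"], "-", result["reason"])
    print("with parameter block-bidirectional:",
          summarize(SAMPLE_ROWS, "block-bidirectional"))
```

Without the parameter, the first two sample Regions pass and the third alarms; with the parameter set to block-bidirectional, the block-ingress Region also alarms, which is the behaviour to expect when an organization standardizes on bidirectional blocking and wants ingress-only Regions surfaced.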