turbot/steampipe-mod-aws-compliance

Control: 3 EventBridge custom event buses should have a resource-based policy attached

Description

This control checks if an Amazon EventBridge custom event bus has a resource-based policy attached. This control fails if the custom event bus doesn't have a resource-based policy.

By default, an EventBridge custom event bus doesn't have a resource-based policy attached. This allows principals in the account to access the event bus. By attaching a resource-based policy to the event bus, you can limit access to the event bus to specified accounts, as well as intentionally grant access to entities in another account.

Remediation

To attach a resource-based policy to an EventBridge custom event bus, see Managing event bus permissions in the Amazon EventBridge User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_eventbridge_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_eventbridge_3 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when name = 'default' then 'skip'
    when policy_std is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when name = 'default' then title || ' is default event bus.'
    when policy_std is not null then title || ' has resource based policy attached.'
    else title || ' does not have resource based policy attached.'
  end as reason,
  region,
  account_id
from
  aws_eventbridge_bus;
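The following Python is an added example, not part of the mod or of the AWS documentation it points to. It reproduces the query's CASE logic over constructed rows shaped like the aws_eventbridge_bus table (the account ids, bus names and ARNs are made up), and it goes one step beyond the control: because the query only tests that policy_std is not null, the example also inspects the attached policy and flags an Allow statement whose principal is a wildcard with no Condition, since such a policy is attached but does not "limit access to specified accounts" as the description intends. The two sample policies are illustrative documents written for this example; the canonical policy_std column is assumed to carry the policy as JSON with list-valued Action and Resource fields.

```python
import json

# Constructed sample policies (not taken from any real account).
# A policy that limits PutEvents on the bus to one named partner account.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPartnerAccountPutEvents",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
            "Action": ["events:putevents"],
            "Resource": ["arn:aws:events:us-east-1:111111111111:event-bus/partner"],
        }
    ],
}

# A policy that is attached (so the control reports 'ok') but grants the
# action to any principal, which is the case the extra check below flags.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAnyonePutEvents",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["events:putevents"],
            "Resource": ["arn:aws:events:us-east-1:111111111111:event-bus/public"],
        }
    ],
}

# Constructed rows with the columns the query reads from aws_eventbridge_bus.
SAMPLE_BUSES = [
    {"name": "default", "title": "default", "policy_std": None,
     "arn": "arn:aws:events:us-east-1:111111111111:event-bus/default",
     "region": "us-east-1", "account_id": "111111111111"},
    {"name": "orders", "title": "orders", "policy_std": None,
     "arn": "arn:aws:events:us-east-1:111111111111:event-bus/orders",
     "region": "us-east-1", "account_id": "111111111111"},
    {"name": "partner", "title": "partner", "policy_std": SCOPED_POLICY,
     "arn": "arn:aws:events:us-east-1:111111111111:event-bus/partner",
     "region": "us-east-1", "account_id": "111111111111"},
    {"name": "public", "title": "public", "policy_std": OPEN_POLICY,
     "arn": "arn:aws:events:us-east-1:111111111111:event-bus/public",
     "region": "us-east-1", "account_id": "111111111111"},
]


def evaluate_bus(bus: dict) -> tuple:
    """Mirror the control's CASE expressions: the default bus is skipped,
    a bus with any resource-based policy is ok, a custom bus without one alarms."""
    title = bus["title"]
    if bus["name"] == "default":
        return "skip", f"{title} is default event bus."
    if bus.get("policy_std") is not None:
        return "ok", f"{title} has resource based policy attached."
    return "alarm", f"{title} does not have resource based policy attached."


def _principals(statement: dict) -> list:
    """Flatten the Principal element ("*", or a map of lists/strings) to a list."""
    principal = statement.get("Principal")
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    flat = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def policy_limits_principals(policy: dict) -> bool:
    """True when every Allow statement names specific principals or is gated by
    a Condition; a bare wildcard principal does not limit who can use the bus."""
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        if "*" in _principals(statement) and not statement.get("Condition"):
            return False
    return True


def run_control(buses: list) -> list:
    """Produce one result row per bus, with the control's columns plus an extra
    'note' when an attached policy has an unconditioned wildcard principal."""
    rows = []
    for bus in buses:
        status, reason = evaluate_bus(bus)
        row = {"resource": bus["arn"], "status": status, "reason": reason,
               "region": bus["region"], "account_id": bus["account_id"]}
        if status == "ok" and not policy_limits_principals(bus["policy_std"]):
            row["note"] = "policy allows a wildcard principal without a Condition"
        rows.append(row)
    return rows


if __name__ == "__main__":
    for result in run_control(SAMPLE_BUSES):
        print(json.dumps(result))
```

The extra note is deliberately reported alongside an 'ok' status rather than overriding it, so the output still matches what the control itself reports while making the weaker policies easy to pick out.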

Tags