turbot/steampipe-mod-aws-compliance

Control: Glacier vault should restrict public access

Description

Manage access to resources in the AWS Cloud by ensuring AWS Glacier vault cannot be publicly accessed.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.glacier_vault_restrict_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.glacier_vault_restrict_public_access --share

SQL

This control uses a named query:

with wildcard_action_policies as (
select
vault_arn,
count(*) as statements_num
from
aws_glacier_vault,
jsonb_array_elements(policy_std -> 'Statement') as s
where
s ->> 'Effect' = 'Allow'
and (
( s -> 'Principal' -> 'AWS') = '["*"]'
or s ->> 'Principal' = '*'
)
group by
vault_arn
)
select
g.vault_arn as resource,
case
when p.vault_arn is null then 'ok'
else 'alarm'
end as status,
case
when p.vault_arn is null then title || ' does not allow public access.'
else title || ' contains ' || coalesce(p.statements_num, 0) ||
' statements that allow public access.'
end as reason
, g.region, g.account_id
from
aws_glacier_vault as g
left join wildcard_action_policies as p on p.vault_arn = g.vault_arn;

Tags