Control: Glacier vault should restrict public access
Description
Manage access to resources in the AWS Cloud by ensuring AWS Glacier vault cannot be publicly accessed.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.glacier_vault_restrict_public_access
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.glacier_vault_restrict_public_access --share
SQL
This control uses a named query:
with wildcard_action_policies as ( select vault_arn, count(*) as statements_num from aws_glacier_vault, jsonb_array_elements(policy_std -> 'Statement') as s where s ->> 'Effect' = 'Allow' and ( ( s -> 'Principal' -> 'AWS') = '["*"]' or s ->> 'Principal' = '*' ) group by vault_arn)select g.vault_arn as resource, case when p.vault_arn is null then 'ok' else 'alarm' end as status, case when p.vault_arn is null then title || ' does not allow public access.' else title || ' contains ' || coalesce(p.statements_num, 0) || ' statements that allow public access.' end as reason , g.region, g.account_idfrom aws_glacier_vault as g left join wildcard_action_policies as p on p.vault_arn = g.vault_arn;