turbot/steampipe-mod-aws-compliance

Control: MSK clusters should have public access disabled

Description

This control checks whether public access is disabled for an Amazon MSK cluster. The control fails if public access is enabled for the MSK cluster.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.msk_cluster_not_publicly_accessible

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.msk_cluster_not_publicly_accessible --share

SQL

This control uses a named query:

select
arn as resource,
case
when provisioned -> 'BrokerNodeGroupInfo' -> 'ConnectivityInfo' -> 'PublicAccess' ->> 'Type' = 'DISABLED' then 'ok'
else 'alarm'
end as status,
case
when provisioned -> 'BrokerNodeGroupInfo' -> 'ConnectivityInfo' -> 'PublicAccess' ->> 'Type' = 'DISABLED' then title || ' restricts public access.'
else title || ' allows public access.'
end as reason
, region, account_id
from
aws_msk_cluster;

Tags