Control: S3 Multi-Region Access Points should have block public access settings enabled
Description
This control checks whether an Amazon S3 Multi-Region Access Point has block public access settings enabled. The control fails when the Multi-Region Access Point doesn't have block public access settings enabled.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.s3_multi_region_access_point_public_access_blocked
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.s3_multi_region_access_point_public_access_blocked --share
SQL
This control uses a named query:
select
  'arn:' || partition || ':s3::' || account_id || ':accesspoint/' || alias as resource,
  case
    when (public_access_block -> 'BlockPublicAcls')::bool
      and (public_access_block -> 'BlockPublicPolicy')::bool
      and (public_access_block -> 'IgnorePublicAcls')::bool
      and (public_access_block -> 'RestrictPublicBuckets')::bool
      then 'ok'
    else 'alarm'
  end as status,
  case
    when (public_access_block -> 'BlockPublicAcls')::bool
      and (public_access_block -> 'BlockPublicPolicy')::bool
      and (public_access_block -> 'IgnorePublicAcls')::bool
      and (public_access_block -> 'RestrictPublicBuckets')::bool
      then title || ' block public access settings enabled.'
    else title || ' public access settings not enabled for: ' ||
      concat_ws(', ',
        case when not (public_access_block -> 'BlockPublicAcls')::bool then 'BlockPublicAcls' end,
        case when not (public_access_block -> 'BlockPublicPolicy')::bool then 'BlockPublicPolicy' end,
        case when not (public_access_block -> 'IgnorePublicAcls')::bool then 'IgnorePublicAcls' end,
        case when not (public_access_block -> 'RestrictPublicBuckets')::bool then 'RestrictPublicBuckets' end
      ) || '.'
  end as reason
  , account_id
from
  aws_s3_multi_region_access_point;
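How the query above treats fully, partially and never configured access points, shown against constructed rows. This is an added example, not part of the mod: the CTE name, the sample titles and the not_true column are assumptions, and it runs on plain PostgreSQL 11 or later without Steampipe.

```sql
-- Constructed rows standing in for aws_s3_multi_region_access_point;
-- the titles and JSON values are made up for illustration.
with sample_access_point (title, public_access_block) as (
  values
    ('mrap-all-on',
     '{"BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true}'::jsonb),
    ('mrap-partial',
     '{"BlockPublicAcls": true, "BlockPublicPolicy": false, "IgnorePublicAcls": true, "RestrictPublicBuckets": false}'::jsonb),
    ('mrap-missing-key',
     '{"BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true}'::jsonb),
    ('mrap-no-block', null::jsonb)
)
select
  title,
  -- Same test as the control: 'ok' only when all four flags are true.
  -- A missing key or a NULL column makes the AND chain NULL, which falls to 'alarm'.
  case
    when (public_access_block -> 'BlockPublicAcls')::bool
      and (public_access_block -> 'BlockPublicPolicy')::bool
      and (public_access_block -> 'IgnorePublicAcls')::bool
      and (public_access_block -> 'RestrictPublicBuckets')::bool
      then 'ok'
    else 'alarm'
  end as status,
  -- Same list as the control's reason text: names only flags that are explicitly false.
  concat_ws(', ',
    case when not (public_access_block -> 'BlockPublicAcls')::bool then 'BlockPublicAcls' end,
    case when not (public_access_block -> 'BlockPublicPolicy')::bool then 'BlockPublicPolicy' end,
    case when not (public_access_block -> 'IgnorePublicAcls')::bool then 'IgnorePublicAcls' end,
    case when not (public_access_block -> 'RestrictPublicBuckets')::bool then 'RestrictPublicBuckets' end
  ) as explicitly_false,
  -- Added variation (not in the control): "is not true" also names absent flags.
  concat_ws(', ',
    case when (public_access_block -> 'BlockPublicAcls')::bool is not true then 'BlockPublicAcls' end,
    case when (public_access_block -> 'BlockPublicPolicy')::bool is not true then 'BlockPublicPolicy' end,
    case when (public_access_block -> 'IgnorePublicAcls')::bool is not true then 'IgnorePublicAcls' end,
    case when (public_access_block -> 'RestrictPublicBuckets')::bool is not true then 'RestrictPublicBuckets' end
  ) as not_true
from
  sample_access_point
order by
  title;
```

Rows with a missing flag or no public_access_block at all still evaluate to alarm, but explicitly_false is empty for them, so an alarm whose reason names no setting means the setting is absent rather than set to false.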