Control: S3 Multi-Region Access Points should have block public access settings enabled
Description
This control checks whether an Amazon S3 Multi-Region Access Point has block public access settings enabled. The control fails when the Multi-Region Access Point doesn't have block public access settings enabled.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.s3_multi_region_access_point_public_access_blocked
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.s3_multi_region_access_point_public_access_blocked --share
SQL
This control uses a named query:
select
  'arn:' || partition || ':s3::' || account_id || ':accesspoint/' || alias as resource,
  case
    when (public_access_block -> 'BlockPublicAcls')::bool
      and (public_access_block -> 'BlockPublicPolicy')::bool
      and (public_access_block -> 'IgnorePublicAcls')::bool
      and (public_access_block -> 'RestrictPublicBuckets')::bool
    then 'ok'
    else 'alarm'
  end as status,
  case
    when (public_access_block -> 'BlockPublicAcls')::bool
      and (public_access_block -> 'BlockPublicPolicy')::bool
      and (public_access_block -> 'IgnorePublicAcls')::bool
      and (public_access_block -> 'RestrictPublicBuckets')::bool
    then title || ' block public access settings enabled.'
    else title || ' public access settings not enabled for: ' || concat_ws(', ',
      case when not (public_access_block -> 'BlockPublicAcls')::bool then 'BlockPublicAcls' end,
      case when not (public_access_block -> 'BlockPublicPolicy')::bool then 'BlockPublicPolicy' end,
      case when not (public_access_block -> 'IgnorePublicAcls')::bool then 'IgnorePublicAcls' end,
      case when not (public_access_block -> 'RestrictPublicBuckets')::bool then 'RestrictPublicBuckets' end
    ) || '.'
  end as reason,
  account_id
from
  aws_s3_multi_region_access_point;
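The query above reduces to one rule: all four PublicAccessBlock flags must be true, otherwise the access point alarms and the reason names each flag that is not set. The following Python is an added example, not part of the aws_compliance mod or the Powerpipe tooling; it reproduces that status/reason logic over records shaped like the public_access_block column (the PublicAccessBlock object the S3 Control API returns for a Multi-Region Access Point), so the control's behaviour can be reasoned about offline. The sample rows, account id, aliases and titles are constructed. One deliberate difference from the SQL: when the whole PublicAccessBlock object is missing, the SQL still alarms (null AND true is not true) but its reason lists nothing, whereas this version names every absent flag.

```python
"""Evaluate S3 Multi-Region Access Point block-public-access settings.

Added example (not the aws_compliance mod's own code). Mirrors the
control's pass/fail rule over dicts shaped like the `public_access_block`
column; the sample records below are constructed for illustration.
"""
from typing import Any, Optional

# The four flags the control requires; the same keys the SQL inspects.
REQUIRED_SETTINGS = (
    "BlockPublicAcls",
    "BlockPublicPolicy",
    "IgnorePublicAcls",
    "RestrictPublicBuckets",
)


def missing_settings(public_access_block: Optional[dict]) -> list:
    """Return the flags that are not explicitly true.

    A missing key, or a null object, counts as not enabled. That matches the
    control's status column (null AND true is not true, so it alarms); unlike
    the SQL reason text, absent flags are named here as well.
    """
    pab = public_access_block or {}
    return [name for name in REQUIRED_SETTINGS if pab.get(name) is not True]


def evaluate(access_point: dict) -> dict:
    """Produce the same resource/status/reason triple as the control."""
    resource = (
        f"arn:{access_point['partition']}:s3::{access_point['account_id']}"
        f":accesspoint/{access_point['alias']}"
    )
    missing = missing_settings(access_point.get("public_access_block"))
    title = access_point["title"]
    if not missing:
        status = "ok"
        reason = f"{title} block public access settings enabled."
    else:
        status = "alarm"
        reason = f"{title} public access settings not enabled for: {', '.join(missing)}."
    return {"resource": resource, "status": status, "reason": reason}


# Constructed sample rows: one compliant, one partially configured, one with
# no PublicAccessBlock object at all. Account id and aliases are not real.
SAMPLE_ACCESS_POINTS = [
    {
        "partition": "aws",
        "account_id": "111122223333",
        "alias": "mfzwi23gnjvgw.mrap",
        "title": "mrap-locked-down",
        "public_access_block": {name: True for name in REQUIRED_SETTINGS},
    },
    {
        "partition": "aws",
        "account_id": "111122223333",
        "alias": "abcdefghijklm.mrap",
        "title": "mrap-partial",
        "public_access_block": {
            "BlockPublicAcls": True,
            "BlockPublicPolicy": False,
            "IgnorePublicAcls": True,
            "RestrictPublicBuckets": False,
        },
    },
    {
        "partition": "aws",
        "account_id": "111122223333",
        "alias": "zyxwvutsrqpon.mrap",
        "title": "mrap-unset",
        "public_access_block": None,
    },
]


def run_control(access_points: Optional[list] = None) -> list:
    """Evaluate every access point and return the result rows."""
    rows: list = []
    for ap in access_points if access_points is not None else SAMPLE_ACCESS_POINTS:
        rows.append(evaluate(ap))
    return rows


if __name__ == "__main__":
    for row in run_control():
        print(f"{row['status']:5} {row['resource']}  {row['reason']}")
```

To run the same logic against live data, feed `evaluate` the PublicAccessBlock object from each GetMultiRegionAccessPoint response (the field names are identical); the constructed rows are only there so the block runs stand-alone.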