turbot/steampipe-mod-aws-compliance

Control: S3 Multi-Region Access Points should have block public access settings enabled

Description

This control checks whether an Amazon S3 Multi-Region Access Point has block public access settings enabled. The control fails when the Multi-Region Access Point does not have all four block public access settings (BlockPublicAcls, BlockPublicPolicy, IgnorePublicAcls and RestrictPublicBuckets) enabled.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.s3_multi_region_access_point_public_access_blocked

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.s3_multi_region_access_point_public_access_blocked --share

SQL

This control uses a named query:

select
  -- the Multi-Region Access Point ARN is built from the partition, account and alias
  'arn:' || partition || ':s3::' || account_id || ':accesspoint/' || alias as resource,
  -- all four settings must be true for the access point to pass
  case
    when (public_access_block -> 'BlockPublicAcls')::bool
      and (public_access_block -> 'BlockPublicPolicy')::bool
      and (public_access_block -> 'IgnorePublicAcls')::bool
      and (public_access_block -> 'RestrictPublicBuckets')::bool
    then 'ok'
    else 'alarm'
  end as status,
  -- the reason lists every setting that is not enabled
  case
    when (public_access_block -> 'BlockPublicAcls')::bool
      and (public_access_block -> 'BlockPublicPolicy')::bool
      and (public_access_block -> 'IgnorePublicAcls')::bool
      and (public_access_block -> 'RestrictPublicBuckets')::bool
    then title || ' block public access settings enabled.'
    else title || ' public access settings not enabled for: ' ||
      concat_ws(', ',
        case when not (public_access_block -> 'BlockPublicAcls')::bool then 'BlockPublicAcls' end,
        case when not (public_access_block -> 'BlockPublicPolicy')::bool then 'BlockPublicPolicy' end,
        case when not (public_access_block -> 'IgnorePublicAcls')::bool then 'IgnorePublicAcls' end,
        case when not (public_access_block -> 'RestrictPublicBuckets')::bool then 'RestrictPublicBuckets' end
      ) || '.'
  end as reason,
  account_id
from
  aws_s3_multi_region_access_point;
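The same check applied outside the database, as an added Python example that is not part of this mod: it evaluates the four settings on the PublicAccessBlock document of a Multi-Region Access Point (the key names are the ones the query above uses; the document shape is assumed to match what the S3 Control API returns, and the sample access points are constructed). Unlike the SQL, it also reports all four settings as missing when the document is absent, rather than producing an empty reason.

```python
"""Mirror of the control's status/reason logic for an S3 Multi-Region Access Point."""
from typing import List, Mapping, Optional, Tuple

# The four settings the control requires to be true.
REQUIRED_SETTINGS = (
    "BlockPublicAcls",
    "BlockPublicPolicy",
    "IgnorePublicAcls",
    "RestrictPublicBuckets",
)


def missing_settings(public_access_block: Optional[Mapping[str, object]]) -> List[str]:
    """Return the settings that are not explicitly true.

    A missing document, a missing key or any non-true value counts as
    "not enabled"; the SQL lets a NULL value drop out of concat_ws instead.
    """
    block = public_access_block or {}
    return [name for name in REQUIRED_SETTINGS if block.get(name) is not True]


def evaluate(title: str, public_access_block: Optional[Mapping[str, object]]) -> Tuple[str, str]:
    """Return (status, reason) in the same shape the control's query produces."""
    missing = missing_settings(public_access_block)
    if not missing:
        return "ok", f"{title} block public access settings enabled."
    return "alarm", f"{title} public access settings not enabled for: {', '.join(missing)}."


# Constructed sample access points (hypothetical names, not real account data).
SAMPLE_ACCESS_POINTS = [
    {"title": "mrap-prod", "public_access_block": {
        "BlockPublicAcls": True, "BlockPublicPolicy": True,
        "IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
    {"title": "mrap-legacy", "public_access_block": {
        "BlockPublicAcls": True, "BlockPublicPolicy": False,
        "IgnorePublicAcls": True, "RestrictPublicBuckets": False}},
    {"title": "mrap-unset", "public_access_block": None},
]

if __name__ == "__main__":
    for ap in SAMPLE_ACCESS_POINTS:
        status, reason = evaluate(ap["title"], ap["public_access_block"])
        print(f"{status:5} {reason}")
```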

Tags