turbot/steampipe-mod-aws-compliance

Control: EC2 VPC Block Public Access settings should block internet gateway traffic

Description

This control checks whether Amazon EC2 VPC Block Public Access (BPA) settings are configured to block internet gateway traffic for all Amazon VPCs in the AWS account. The control fails if the VPC BPA settings aren't configured to block internet gateway traffic. For the control to pass, the VPC BPA InternetGatewayBlockMode must be set to block-bidirectional or block-ingress. If the parameter vpcBpaInternetGatewayBlockMode is provided, the control passes only if the VPC BPA value for InternetGatewayBlockMode matches the parameter exactly. Note that the named query shipped with this mod (below) implements only the default check and does not take the vpcBpaInternetGatewayBlockMode parameter. VPC BPA is configured per account and region, so the query reports one result per region; block-ingress still allows connections initiated from inside the VPC through a NAT gateway or egress-only internet gateway, while block-bidirectional blocks traffic in both directions through internet gateways and egress-only internet gateways.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.vpc_block_public_access_restrict_internet_gateway_traffic

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.vpc_block_public_access_restrict_internet_gateway_traffic --share

SQL

This control uses a named query:

select
  'arn:' || partition || '::' || region || ':' || account_id as resource,
  case
    when internet_gateway_block_mode in ('block-bidirectional', 'block-ingress') then 'ok'
    else 'alarm'
  end as status,
  case
    when internet_gateway_block_mode in ('block-bidirectional', 'block-ingress') then title || ' restricts internet gateway traffic.'
    else title || ' allows internet gateway traffic.'
  end as reason,
  region,
  account_id
from
  aws_vpc_block_public_access_options;
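The same pass/fail decision the control makes, carried out against the output of the AWS CLI instead of the Steampipe table, and extended with the optional vpcBpaInternetGatewayBlockMode parameter that the Description mentions but the named query does not implement. This is an added example, not code from the mod: the describe output below is a constructed sample modelled on `aws ec2 describe-vpc-block-public-access-options`, and the `aws ec2 modify-vpc-block-public-access-options` remediation command is only printed, never run. The function names bpa_status, extract_mode and check_account are this example's own.

```shell
#!/bin/sh
# Added example (not part of steampipe-mod-aws-compliance): evaluate the control's
# logic on the JSON returned by
#   aws ec2 describe-vpc-block-public-access-options --region <region>
# and print the remediation command when the result is 'alarm'.

# bpa_status MODE [REQUIRED]
# Default check: 'ok' when MODE is block-bidirectional or block-ingress.
# With REQUIRED set (the optional vpcBpaInternetGatewayBlockMode parameter),
# 'ok' only when MODE equals REQUIRED exactly.
bpa_status() {
  mode=$1
  required=${2:-}
  if [ -n "$required" ]; then
    if [ "$mode" = "$required" ]; then echo ok; else echo alarm; fi
    return
  fi
  case "$mode" in
    block-bidirectional|block-ingress) echo ok ;;
    *) echo alarm ;;
  esac
}

# extract_mode: read describe output on stdin and print InternetGatewayBlockMode.
# Uses sed so the check works on hosts without jq.
extract_mode() {
  sed -n 's/.*"InternetGatewayBlockMode": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample of describe-vpc-block-public-access-options output for an
# account/region that has never enabled BPA (mode 'off').
SAMPLE_DESCRIBE='{
    "VpcBlockPublicAccessOptions": {
        "AwsAccountId": "123456789012",
        "AwsRegion": "us-east-1",
        "State": "default-state",
        "InternetGatewayBlockMode": "off"
    }
}'

# check_account REGION [REQUIRED]
# Prints 'ok' or 'alarm' on stdout; the remediation hint goes to stderr.
check_account() {
  region=$1
  required=${2:-}
  # Real use: mode=$(aws ec2 describe-vpc-block-public-access-options --region "$region" | extract_mode)
  mode=$(printf '%s\n' "$SAMPLE_DESCRIBE" | extract_mode)
  status=$(bpa_status "$mode" "$required")
  echo "$status"
  if [ "$status" = alarm ]; then
    # block-ingress keeps NAT gateway / egress-only IGW outbound paths working;
    # use block-bidirectional if outbound through an IGW must also be blocked.
    echo "remediate ($region, current mode '$mode'): aws ec2 modify-vpc-block-public-access-options --region $region --internet-gateway-block-mode block-ingress" >&2
  fi
}

check_account us-east-1
```

Two caveats when reading the result: the mode is per account and region, so every region in use has to be checked, and BPA exclusions can exempt individual VPCs or subnets from the block, which neither this check nor the named query inspects.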

Tags