Control: EC2 VPC Block Public Access settings should block internet gateway traffic
Description
This control checks whether Amazon EC2 VPC Block Public Access (BPA) settings are configured to block internet gateway traffic for all Amazon VPCs in the AWS account. The control fails if VPC BPA settings aren't configured to block internet gateway traffic, which is the case when InternetGatewayBlockMode is off (the default). For the control to pass, the VPC BPA InternetGatewayBlockMode must be set to block-bidirectional or block-ingress. If the parameter vpcBpaInternetGatewayBlockMode is provided, the control passes only if the VPC BPA value for InternetGatewayBlockMode matches the parameter. Note that block-ingress blocks only inbound traffic through internet gateways and still allows outbound traffic (for example via NAT gateways or egress-only internet gateways), while block-bidirectional blocks both directions; a passing result on block-ingress therefore does not mean the VPCs have no internet egress. The control also does not evaluate BPA exclusions, which can exempt individual VPCs or subnets from the account-wide setting.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.vpc_block_public_access_restrict_internet_gateway_traffic
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.vpc_block_public_access_restrict_internet_gateway_traffic --share
SQL
This control uses a named query. As shown, the query passes any region whose mode is block-bidirectional or block-ingress; it does not take the vpcBpaInternetGatewayBlockMode parameter described above:
select
  'arn:' || partition || '::' || region || ':' || account_id as resource,
  case
    when internet_gateway_block_mode in ('block-bidirectional', 'block-ingress') then 'ok'
    else 'alarm'
  end as status,
  case
    when internet_gateway_block_mode in ('block-bidirectional', 'block-ingress') then title || ' restricts internet gateway traffic.'
    else title || ' allows internet gateway traffic.'
  end as reason,
  region,
  account_id
from
  aws_vpc_block_public_access_options;
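The same pass/fail logic, reimplemented in POSIX shell as an added example (this is not code from the aws_compliance mod). It reads the JSON shape returned by `aws ec2 describe-vpc-block-public-access-options` and, unlike the named query above, also supports the stricter required-mode check that the vpcBpaInternetGatewayBlockMode parameter describes. The function names, the sample JSON documents and the account ID in them are constructed for this example; the two AWS CLI commands in the trailing comments are the real EC2 calls to inspect and change the setting.

```shell
# bpa_status MODE [REQUIRED_MODE]
#   Prints "ok" or "alarm". With only MODE it mirrors the named query:
#   block-bidirectional or block-ingress pass, anything else (off, unknown,
#   empty) alarms. With REQUIRED_MODE it passes only on an exact match, which
#   is the behaviour the description gives for vpcBpaInternetGatewayBlockMode.
bpa_status() {
  mode="$1"
  required="${2:-}"
  if [ -n "$required" ]; then
    if [ "$mode" = "$required" ]; then echo ok; else echo alarm; fi
    return 0
  fi
  case "$mode" in
    block-bidirectional|block-ingress) echo ok ;;
    *) echo alarm ;;
  esac
}

# extract_mode JSON
#   Pulls InternetGatewayBlockMode out of the describe-vpc-block-public-access-options
#   response. Plain sed so there is no jq dependency; prints nothing (and thus
#   evaluates to alarm) if the key is missing.
extract_mode() {
  printf '%s' "$1" |
    sed -n 's/.*"InternetGatewayBlockMode"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# check_sample JSON [REQUIRED_MODE]
#   End to end: parse the response, then evaluate it.
check_sample() {
  check_json="$1"
  check_required="${2:-}"
  bpa_status "$(extract_mode "$check_json")" "$check_required"
}

# Constructed sample responses (not captured from a real account); field names
# match the API, the values are illustrative.
SAMPLE_OFF='{"VpcBlockPublicAccessOptions":{"AwsAccountId":"111111111111","AwsRegion":"us-east-1","State":"default-state","InternetGatewayBlockMode":"off"}}'
SAMPLE_INGRESS='{"VpcBlockPublicAccessOptions":{"AwsAccountId":"111111111111","AwsRegion":"us-east-1","State":"update-complete","InternetGatewayBlockMode":"block-ingress"}}'

# Live use (BPA settings are per region, so run this for every region in scope):
#   aws ec2 describe-vpc-block-public-access-options --region us-east-1
# Remediation that brings a region into a passing state under either variant:
#   aws ec2 modify-vpc-block-public-access-options \
#     --region us-east-1 --internet-gateway-block-mode block-bidirectional
```

Running `check_sample "$SAMPLE_OFF"` reports alarm, `check_sample "$SAMPLE_INGRESS"` reports ok, and `check_sample "$SAMPLE_INGRESS" block-bidirectional` reports alarm, which is the difference between the query's lenient check and the parameterised one.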