turbot/steampipe-mod-aws-compliance

Control: Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status

Description

Each AWS Site-to-Site VPN connection provides two tunnels; keeping both in the UP state gives the redundancy needed to meet resilience requirements, because a connection with only one healthy tunnel loses connectivity if that tunnel goes down.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.vpc_vpn_tunnel_up

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.vpc_vpn_tunnel_up --share

SQL

This control uses a named query:

with filter_data as (
  select
    arn,
    count(t ->> 'Status')
  from
    aws_vpc_vpn_connection,
    jsonb_array_elements(vgw_telemetry) as t
  where
    t ->> 'Status' = 'UP'
  group by
    arn
)
select
  a.arn as resource,
  case
    when b.count is null or b.count < 2 then 'alarm'
    else 'ok'
  end as status,
  case
    when b.count is null then a.title || ' has both tunnels offline.'
    when b.count = 1 then a.title || ' has one tunnel offline.'
    else a.title || ' has both tunnels online.'
  end as reason,
  a.region,
  a.account_id
from
  aws_vpc_vpn_connection as a
  left join filter_data as b on a.arn = b.arn;
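The same rule applied outside Steampipe, as an added example that is not part of the mod: it evaluates the JSON shape returned by `aws ec2 describe-vpn-connections` (whose `VgwTelemetry` list holds one entry per tunnel) and reproduces the query's status and reason logic, including the case the left join handles with a NULL count. The sample connections are constructed, and the resource title is taken from `VpnConnectionId` rather than the Steampipe `title` column.

```python
"""Re-implementation of the vpc_vpn_tunnel_up rule over describe-vpn-connections output.

Added example, not code from steampipe-mod-aws-compliance. Alarm unless at
least two tunnels report Status 'UP'; no AWS call is made.
"""
from typing import Iterable

# Constructed sample in the describe-vpn-connections shape (not real resources).
SAMPLE_CONNECTIONS = [
    {"VpnConnectionId": "vpn-0aaaaaaaaaaaaaaa1",
     "VgwTelemetry": [{"OutsideIpAddress": "198.51.100.10", "Status": "UP"},
                      {"OutsideIpAddress": "198.51.100.11", "Status": "UP"}]},
    {"VpnConnectionId": "vpn-0bbbbbbbbbbbbbbb2",
     "VgwTelemetry": [{"OutsideIpAddress": "198.51.100.20", "Status": "UP"},
                      {"OutsideIpAddress": "198.51.100.21", "Status": "DOWN"}]},
    {"VpnConnectionId": "vpn-0ccccccccccccccc3",
     "VgwTelemetry": [{"OutsideIpAddress": "198.51.100.30", "Status": "DOWN"},
                      {"OutsideIpAddress": "198.51.100.31", "Status": "DOWN"}]},
]


def evaluate_connection(conn: dict) -> dict:
    """Return the control result (resource, status, reason) for one connection.

    Mirrors the SQL: the CTE counts telemetry entries whose Status is 'UP'.
    A connection with no UP entries never appears in the CTE, so its count is
    NULL after the left join; that case is the `up == 0` branch here.
    """
    telemetry = conn.get("VgwTelemetry") or []
    up = sum(1 for t in telemetry if t.get("Status") == "UP")
    title = conn["VpnConnectionId"]
    if up == 0:
        reason = f"{title} has both tunnels offline."
    elif up == 1:
        reason = f"{title} has one tunnel offline."
    else:
        reason = f"{title} has both tunnels online."
    return {"resource": title, "status": "alarm" if up < 2 else "ok", "reason": reason}


def evaluate_all(conns: Iterable[dict]) -> list:
    """Evaluate every connection, e.g. the VpnConnections list from the API response."""
    return [evaluate_connection(c) for c in conns]


if __name__ == "__main__":
    for row in evaluate_all(SAMPLE_CONNECTIONS):
        print(f"{row['status']:5}  {row['reason']}")
```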

Tags