turbot/steampipe-mod-aws-compliance

Control: 1 Service Catalog portfolios should be shared within an AWS organization only

Description

This control checks whether AWS Service Catalog shares portfolios within an organization when the integration with AWS Organizations is enabled. The control fails if portfolios aren't shared within an organization.

Portfolio sharing only within Organizations helps ensure that a portfolio isn't shared with incorrect AWS accounts. To share a Service Catalog portfolio with an account in an organization, Security Hub recommends using ORGANIZATION_MEMBER_ACCOUNT instead of ACCOUNT. This simplifies administration by governing the access granted to the account across the organization. If you have a business need to share Service Catalog portfolios with an external account, you can automatically suppress the findings from this control or disable it.

Remediation

To enable portfolio sharing with AWS Organizations, see Sharing with AWS Organizations in the AWS Service Catalog Administrator Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_servicecatalog_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_servicecatalog_1 --share

SQL

This control uses a named query:

with account_type_servicecatalog_portfolio_share as (
select
portfolio_id,
account_id,
principal_id,
portfolio_display_name,
region
from
aws_servicecatalog_portfolio_share
where
type = 'ACCOUNT'
)
select
coalesce (t.portfolio_id, a.arn) as resource,
case
when t.portfolio_id is null then 'ok'
else 'alarm'
end as status,
case
when t.portfolio_id is null then a.title || ' has no shared portfolios.'
else t.portfolio_display_name || ' shared portfolio with AWS account ' || t.principal_id || '.'
end as reason
, a.region, a.account_id
from
aws_account as a
left join account_type_servicecatalog_portfolio_share t on t.account_id = a.account_id;

Tags