Control: VPC peering connection route tables should have least privilege
Description
Ensure that all route tables which send traffic through a VPC peering connection have least privilege: no default route (0.0.0.0/0 or ::/0) and no route for the peer VPC's entire CIDR block should point at the peering connection; routes should target only the specific subnets that need to be reachable.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.vpc_peering_connection_route_table_least_privilege
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.vpc_peering_connection_route_table_least_privilege --share
SQL
This control uses a named query:
-- Peering connections referenced by at least one overly broad route:
-- a default route, or a route for the whole accepter or requester VPC CIDR.
with vpc_peering_routing_tables as (
  select
    r ->> 'VpcPeeringConnectionId' as peering_connection_id
  from
    aws_vpc_route_table,
    jsonb_array_elements(routes) as r
    inner join aws_vpc_peering_connection as c on r ->> 'VpcPeeringConnectionId' = c.id
  where
    ( r ->> 'DestinationCidrBlock' = '0.0.0.0/0'
      or r ->> 'DestinationCidrBlock' = '::/0'
      or (r ->> 'DestinationCidrBlock')::cidr = c.accepter_cidr_block
      or (r ->> 'DestinationCidrBlock')::cidr = c.requester_cidr_block
    )
  group by
    r ->> 'VpcPeeringConnectionId'
)
select
  'arn:' || c.partition || ':ec2:' || c.region || ':' || c.account_id || ':vpc-peering-connection/' || c.id as resource,
  case
    when t.peering_connection_id is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when t.peering_connection_id is not null then c.title || ' does not have least privilege access.'
    else c.title || ' has least privilege access.'
  end as reason,
  region,
  account_id
from
  aws_vpc_peering_connection as c
  left join vpc_peering_routing_tables as t on t.peering_connection_id = c.id;
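The same predicate as the query above, re-implemented in Python so it can be run offline against describe-route-tables / describe-vpc-peering-connections style JSON. This is an added example, not code from the mod; the sample data is constructed, and unlike the SQL it also reads DestinationIpv6CidrBlock, which is the field the EC2 API uses for IPv6 route destinations.

```python
import ipaddress

# Constructed sample data, trimmed to the fields the control evaluates.
PEERING_CONNECTIONS = [
    {"VpcPeeringConnectionId": "pcx-0aaa",
     "AccepterVpcInfo": {"CidrBlock": "10.1.0.0/16"}, "RequesterVpcInfo": {"CidrBlock": "10.0.0.0/16"}},
    {"VpcPeeringConnectionId": "pcx-0bbb",
     "AccepterVpcInfo": {"CidrBlock": "10.3.0.0/16"}, "RequesterVpcInfo": {"CidrBlock": "10.2.0.0/16"}},
    {"VpcPeeringConnectionId": "pcx-0ccc",
     "AccepterVpcInfo": {"CidrBlock": "10.5.0.0/16"}, "RequesterVpcInfo": {"CidrBlock": "10.4.0.0/16"}},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-1", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "VpcPeeringConnectionId": "pcx-0aaa"},   # default route via peer
    ]},
    {"RouteTableId": "rtb-2", "Routes": [
        {"DestinationCidrBlock": "10.3.1.0/24", "VpcPeeringConnectionId": "pcx-0bbb"},  # one peer subnet only
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-1"},                      # not via a peering
        {"DestinationCidrBlock": "10.5.0.0/16", "VpcPeeringConnectionId": "pcx-0ccc"},  # whole peer VPC CIDR
    ]},
]


def route_is_overly_broad(route, peer_cidrs):
    """Mirror the control's WHERE clause: a default route, or a route equal to a peer VPC's CIDR."""
    dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
    if dest is None:  # prefix-list routes carry no CIDR; the control does not evaluate them
        return False
    if dest in ("0.0.0.0/0", "::/0"):
        return True
    return ipaddress.ip_network(dest, strict=False) in peer_cidrs


def evaluate(peering_connections, route_tables):
    """Return {peering-connection-id: 'alarm' | 'ok'}, matching the control's status column."""
    results = {}
    for pcx in peering_connections:
        pcx_id = pcx["VpcPeeringConnectionId"]
        peer_cidrs = {ipaddress.ip_network(pcx["AccepterVpcInfo"]["CidrBlock"]),
                      ipaddress.ip_network(pcx["RequesterVpcInfo"]["CidrBlock"])}
        broad = [r for rt in route_tables for r in rt["Routes"]
                 if r.get("VpcPeeringConnectionId") == pcx_id and route_is_overly_broad(r, peer_cidrs)]
        results[pcx_id] = "alarm" if broad else "ok"
    return results


if __name__ == "__main__":
    for pcx_id, status in evaluate(PEERING_CONNECTIONS, ROUTE_TABLES).items():
        print(f"{pcx_id}: {status}")
```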