turbot/steampipe-mod-aws-compliance

Query: inspector_ecr_scanning_enabled

Usage

powerpipe query aws_compliance.query.inspector_ecr_scanning_enabled

SQL

select
  -- One row per region and account in the connection
  'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
  case
    when r.steampipe_available = false then 'skip'
    when ecr_auto_enable then 'ok'
    -- Inspector configuration exists, but ECR auto-enable is off or unset
    when c.account_id is not null and (not ecr_auto_enable or ecr_auto_enable is null) then 'alarm'
    -- No Inspector configuration row for this region and account
    else 'alarm'
  end status,
  case
    when r.steampipe_available = false then r.region || ' is not available in the current connection configuration.'
    when ecr_auto_enable then 'AWS Inspector ECR scanning enabled for region ' || c.region || '(' || c.account_id || ').'
    when c.account_id is not null and (not ecr_auto_enable or ecr_auto_enable is null) then 'AWS Inspector ECR scanning disabled for region ' || r.region || '(' || r.account_id || ').'
    else 'AWS Inspector deactivated for region ' || r.region || '(' || r.account_id || ').'
  end as reason,
  r.region,
  r.account_id
from
  aws_region as r
  -- Left join keeps regions that have no Inspector configuration row
  left join aws_inspector2_organization_configuration as c on r.account_id = c.account_id and r.region = c.region;

Controls

The query is being used by the following controls: