turbot/steampipe-mod-aws-compliance

Query: s3_bucket_enforces_ssl

Usage

powerpipe query aws_compliance.query.s3_bucket_enforces_ssl

Steampipe Tables

SQL

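-- Buckets whose policy contains at least one statement that denies non-TLS
-- access. A statement qualifies when it is Effect=Deny, Principal "*" and
-- carries one of two condition shapes (keys are matched in lowercase, so this
-- relies on policy_std having normalised the raw s3:TlsVersion /
-- aws:SecureTransport keys):
--   1. "NumericLessThan": {"s3:TlsVersion": "1.2"}   -- minimum TLS version
--   2. "Bool": {"aws:SecureTransport": "false"}      -- classic HTTPS-only deny
-- A bucket with no policy (policy_std null) produces no rows here and is
-- therefore reported as alarm by the outer query.
with ssl_ok as (
  select distinct
    b.name,
    b.arn,
    'ok' as status
  from
    aws_s3_bucket as b,
    jsonb_array_elements(b.policy_std -> 'Statement') as s,
    jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
    -- Action and Resource are expanded only so that a statement lacking either
    -- key yields no row. Their scope is NOT validated: a Deny restricted to a
    -- single action or to objects only (arn/*) is still accepted here.
    -- NOTE(review): tighten to Action in ('*','s3:*') and Resource covering
    -- both the bucket and arn/* if false positives matter — confirm against
    -- the controls that consume this query before changing.
    jsonb_array_elements_text(s -> 'Action') as a,
    jsonb_array_elements_text(s -> 'Resource') as r,
    -- Prefer the TLS-version condition when present, otherwise fall back to
    -- SecureTransport (same precedence as before). A statement with neither
    -- condition yields no rows.
    jsonb_array_elements_text(
      coalesce(
        s -> 'Condition' -> 'NumericLessThan' -> 's3:tlsversion',
        s -> 'Condition' -> 'Bool' -> 'aws:securetransport'
      )
    ) as ssl
  where
    p = '*'
    and s ->> 'Effect' = 'Deny'
    -- CASE is used (not OR) because Postgres does not guarantee the evaluation
    -- order of OR/AND operands. The previous form `ssl = '1.2' or ssl::bool = false`
    -- raised "invalid input syntax for type boolean" as soon as a policy used
    -- any TLS-version value other than 1.2 (e.g. 1.3), failing the whole query.
    and case
      when s -> 'Condition' -> 'NumericLessThan' -> 's3:tlsversion' is not null then
        -- Shape 1: accept any numeric floor of 1.2 or higher; a stricter floor
        -- (1.3) still enforces TLS >= 1.2. The regex guard keeps the numeric
        -- cast from raising on a malformed value.
        -- NOTE(review): on its own this shape may not block plain-HTTP
        -- requests (the s3:TlsVersion key is absent for them); the
        -- aws:SecureTransport Deny is the form the CIS/Config checks look for.
        case
          when ssl ~ '^[0-9]+(\.[0-9]+)?$' then ssl::numeric >= 1.2
          else false
        end
      else
        -- Shape 2: the value came from aws:securetransport and must be "false".
        -- Compared as text (case-insensitively) rather than via ::bool; IAM
        -- only accepts true/false here, so the looser boolean spellings are
        -- not needed.
        lower(ssl) = 'false'
    end
)
select
  b.arn as resource,
  case
    when ok.status = 'ok' then 'ok'
    else 'alarm'
  end as status,
  case
    when ok.status = 'ok' then b.name || ' bucket policy enforces HTTPS.'
    else b.name || ' bucket policy does not enforce HTTPS.'
  end as reason,
  b.region,
  b.account_id
from
  aws_s3_bucket as b
  -- Join on the ARN, the same identifier reported as `resource`, rather than
  -- the bare bucket name.
  left join ssl_ok as ok on ok.arn = b.arn;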

Controls

The query is being used by the following controls: