Control: Resources shared through RAM should only be shared with trusted OUs
Description
AWS Resource Access Manager (RAM) helps you securely share your resources across AWS accounts, organizational units (OUs), and organizations for supported resource types. This control checks whether any RAM resource share is associated with an organizational unit that is not in the trusted list of OUs.
Usage
Run the control in your terminal:
powerpipe control run aws_perimeter.control.ram_resource_shared_with_trusted_organization_units
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_perimeter.control.ram_resource_shared_with_trusted_organization_units --share
Steampipe Tables
aws_ram_principal_association
aws_ram_resource_association
SQL
with ram_shared_resources as (
  select distinct
    rsa.associated_entity as "shared_resource",
    rpa.associated_entity as "shared_with_organization_unit",
    rsa.status,
    rsa.region,
    rsa.account_id,
    rsa._ctx,
    split_part((rpa.associated_entity), '/', 1)
  from
    aws_ram_resource_association as rsa
    inner join aws_ram_principal_association as rpa on rsa.resource_share_name = rpa.resource_share_name
  where
    rsa.status <> 'FAILED'
    and rpa.status <> 'FAILED'
    and split_part((rpa.associated_entity), '/', 1) like '%:ou'
),
shared_data as (
  select
    (regexp_split_to_array(shared_resource, ':'))[6] as resource,
    to_jsonb(string_to_array(string_agg(split_part(shared_with_organization_unit, '/', 3), ','), ',', '')) - ($1)::text[] as untrusted_organizations_unit,
    region,
    _ctx,
    account_id
  from
    ram_shared_resources
  group by
    shared_resource, region, _ctx, account_id
)
select
  resource,
  case
    when jsonb_array_length(untrusted_organizations_unit) > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when jsonb_array_length(untrusted_organizations_unit) > 0 then
      resource ||
      case
        when jsonb_array_length(untrusted_organizations_unit) > 2 then concat(' shared with untrusted OUs ', untrusted_organizations_unit #>> '{0}', ', ', untrusted_organizations_unit #>> '{1}', ' and ', (jsonb_array_length(untrusted_organizations_unit) - 2)::text, ' more.')
        when jsonb_array_length(untrusted_organizations_unit) = 2 then concat(' shared with untrusted OUs ', untrusted_organizations_unit #>> '{0}', ', ', untrusted_organizations_unit #>> '{1}', '.')
        else concat(' shared with untrusted OU ', untrusted_organizations_unit #>> '{0}', '.')
      end
    else resource || ' shared with trusted OU(s).'
  end as reason,
  region,
  account_id
from
  shared_data;
Params
Args | Name | Default | Description | Variable
---|---|---|---|---
$1 | trusted_organization_units | | A list of trusted organization units. |
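To see how the control's OU filter and trusted-list subtraction behave, the following PostgreSQL query (an added example, not part of the aws_perimeter mod) runs the same logic over constructed rows that stand in for the aws_ram_resource_association and aws_ram_principal_association tables, with the trusted list supplied inline instead of through $1. All ARNs, account ids, share names and OU ids are made up.

```sql
-- Constructed stand-ins for the two Steampipe RAM tables (example data only).
with ram_resource_association(resource_share_name, associated_entity, status) as (
  values
    ('share-a', 'arn:aws:ec2:us-east-1:111122223333:subnet/subnet-0123456789abcdef0', 'ASSOCIATED'),
    ('share-b', 'arn:aws:ec2:us-east-1:111122223333:transit-gateway/tgw-0123456789abcdef0', 'ASSOCIATED')
),
ram_principal_association(resource_share_name, associated_entity, status) as (
  values
    ('share-a', 'arn:aws:organizations::111122223333:ou/o-exampleorg/ou-root-trusted01', 'ASSOCIATED'),
    ('share-b', 'arn:aws:organizations::111122223333:ou/o-exampleorg/ou-root-trusted01', 'ASSOCIATED'),
    ('share-b', 'arn:aws:organizations::111122223333:ou/o-exampleorg/ou-root-untrust02', 'ASSOCIATED'),
    -- FAILED associations are excluded by the control, so this OU must not count
    ('share-b', 'arn:aws:organizations::111122223333:ou/o-exampleorg/ou-root-failed003', 'FAILED'),
    -- A bare account id is not an OU principal and is excluded by the '%:ou' filter
    ('share-b', '111122223333', 'ASSOCIATED')
),
-- Stands in for the trusted_organization_units param ($1) of the control.
trusted(ous) as (
  values (array['ou-root-trusted01']::text[])
),
shared as (
  -- Same join and filters as the control: drop FAILED rows and non-OU principals,
  -- then extract the OU id (third '/'-separated part of the OU ARN).
  select
    rsa.associated_entity as shared_resource,
    split_part(rpa.associated_entity, '/', 3) as ou_id
  from ram_resource_association as rsa
  join ram_principal_association as rpa using (resource_share_name)
  where rsa.status <> 'FAILED'
    and rpa.status <> 'FAILED'
    and split_part(rpa.associated_entity, '/', 1) like '%:ou'
),
evaluated as (
  -- Collect the OUs per resource and remove every trusted one with jsonb minus text[];
  -- whatever remains is the list of untrusted OUs the resource is shared with.
  select
    (regexp_split_to_array(shared_resource, ':'))[6] as resource,
    to_jsonb(array_agg(ou_id)) - (select ous from trusted) as untrusted_ous
  from shared
  group by shared_resource
)
select
  resource,
  case when jsonb_array_length(untrusted_ous) > 0 then 'alarm' else 'ok' end as status,
  untrusted_ous
from evaluated
order by resource;
```

The subnet share is associated only with the trusted OU, while the transit gateway share mixes a trusted OU, an untrusted OU, a FAILED association and an account principal; only the untrusted OU survives the filters and the subtraction, which is what flips that row to alarm.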