Control: RDS DB snapshots should only be shared with trusted accounts
Description
This control checks whether access to RDS DB snapshots is restricted to trusted accounts.
Usage
Run the control in your terminal:
powerpipe control run aws_perimeter.control.rds_db_snapshot_shared_with_trusted_accounts
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_perimeter.control.rds_db_snapshot_shared_with_trusted_accounts --share
Steampipe Tables
SQL
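-- Control: RDS DB snapshots should only be shared with trusted accounts.
--
-- Reports every RDS cluster (Aurora) and instance snapshot whose restore
-- permission is granted to an account outside the trusted list, or to
-- everyone ('all').
--
-- Params:
--   $1  trusted_accounts (text[]) -- account IDs that may restore snapshots.
--       AWS uses the literal value 'all' in AttributeValues to mean "publicly
--       restorable", so 'all' must never appear in this list.
--
-- Output (one row per snapshot attribute entry):
--   resource            snapshot ARN
--   status              'info' when any untrusted account (or everyone) can
--                       restore the snapshot, 'ok' otherwise
--   reason              human-readable explanation of the status
--   region, account_id  dimension columns
with snapshot_shares as (
  -- Cluster and instance snapshots expose the same attribute shape, so both
  -- sources are flattened into one row set before classification. ARNs of
  -- the two snapshot kinds never collide, hence union all (no dedup needed).
  select
    arn,
    title,
    attr -> 'AttributeValues' as shared_accounts,
    region,
    _ctx,
    tags,
    account_id
  from
    aws_rds_db_cluster_snapshot
    cross join lateral jsonb_array_elements(db_cluster_snapshot_attributes) as attr
  union all
  select
    arn,
    title,
    attr -> 'AttributeValues' as shared_accounts,
    region,
    _ctx,
    tags,
    account_id
  from
    aws_rds_db_snapshot
    cross join lateral jsonb_array_elements(db_snapshot_attributes) as attr
),
untrusted_shares as (
  select
    arn,
    title,
    shared_accounts,
    -- jsonb - text[] removes every top-level string element present in the
    -- trusted list; whatever remains is the set of untrusted share targets.
    -- A null AttributeValues stays null (the snapshot has no share list).
    shared_accounts - ($1)::text[] as untrusted_accounts,
    region,
    _ctx,
    tags,
    account_id
  from
    snapshot_shares
),
classified as (
  select
    arn,
    title,
    shared_accounts,
    untrusted_accounts,
    coalesce(jsonb_array_length(shared_accounts), 0) as shared_count,
    coalesce(jsonb_array_length(untrusted_accounts), 0) as untrusted_count,
    -- Containment check so 'all' is detected in any position of the list,
    -- not only at index 0.
    coalesce(untrusted_accounts @> '"all"'::jsonb, false) as is_public,
    region,
    _ctx,
    tags,
    account_id
  from
    untrusted_shares
)
select
  arn as resource,
  -- Public and untrusted shares are both reported as 'info'; tighten the
  -- public case to 'alarm' if public restorability is a policy violation in
  -- your environment.
  case
    when is_public or untrusted_count > 0 then 'info'
    else 'ok'
  end as status,
  case
    when is_public
      then concat(title, ' publicly restorable.')
    when untrusted_count > 2
      then concat(title, ' shared with untrusted accounts ', untrusted_accounts #>> '{0}', ', ', untrusted_accounts #>> '{1}', ' and ', (untrusted_count - 2)::text, ' more.')
    when untrusted_count = 2
      then concat(title, ' shared with untrusted accounts ', untrusted_accounts #>> '{0}', ' and ', untrusted_accounts #>> '{1}', '.')
    when untrusted_count = 1
      then concat(title, ' shared with untrusted account ', untrusted_accounts #>> '{0}', '.')
    -- An empty AttributeValues list means nobody else can restore the
    -- snapshot; treat it the same as a missing list rather than as a
    -- trusted share.
    when shared_count = 0
      then concat(title, ' is not shared.')
    else concat(title, ' shared with trusted account(s).')
  end as reason,
  region,
  account_id
from
  classified;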
Params
| Args | Name | Default | Description | Variable | 
|---|---|---|---|---|
| $1 | trusted_accounts |  | A list of trusted accounts. |  |