Control: Ensure CloudWatch Logs destination policy has no wildcards
Description
Amazon CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.cloudwatch_destination_policy_wildcardsSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run terraform_aws_compliance.control.cloudwatch_destination_policy_wildcards --shareSQL
This control uses a named query:
with access_policy as ( select name from terraform_data_source where type = 'aws_iam_policy_document' and (arguments -> 'statement' ->> 'actions') like '%*%'), cloudwatch_log_destination_policy as ( select name, type, address, path, start_line, _ctx, split_part((attributes_std ->> 'access_policy')::text, '.', 3) as ap from terraform_resource where type = 'aws_cloudwatch_log_destination_policy')select a.address as resource, case when e.name is null then 'ok' else 'alarm' end as status, split_part(a.address, '.', 2) || case when e.name is null then ' policy is ok' else ' policy is not ok' end || '.' as reason , path || ':' || start_linefrom cloudwatch_log_destination_policy as a left join access_policy as e on a.ap = e.name;