Control: Ensure CloudWatch Logs destination policy has no wildcards
Description
Amazon CloudWatch Logs destination policies should avoid wildcards in 'principals' and 'actions'.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.cloudwatch_destination_policy_wildcards
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_aws_compliance.control.cloudwatch_destination_policy_wildcards --share
SQL
This control uses a named query:
with access_policy as (
  select
    name
  from
    terraform_data_source
  where
    type = 'aws_iam_policy_document'
    and (arguments -> 'statement' ->> 'actions') like '%*%'
), cloudwatch_log_destination_policy as (
  select
    name,
    type,
    address,
    path,
    start_line,
    _ctx,
    split_part((attributes_std ->> 'access_policy')::text, '.', 3) as ap
  from
    terraform_resource
  where
    type = 'aws_cloudwatch_log_destination_policy'
)
select
  a.address as resource,
  case
    when e.name is null then 'ok'
    else 'alarm'
  end as status,
  split_part(a.address, '.', 2) || case
    when e.name is null then ' policy is ok'
    else ' policy is not ok'
  end || '.' as reason
  , path || ':' || start_line
from
  cloudwatch_log_destination_policy as a
  left join access_policy as e on a.ap = e.name;
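As an added illustration, not part of this mod or of Powerpipe, the same wildcard check applied in Python to a rendered policy document, the JSON that aws_iam_policy_document produces. It covers both the principals and the actions named in the description, and runs on two constructed sample policies whose account ids and destination name are placeholders.

```python
import json

# Constructed samples, as Terraform would render them from
# aws_iam_policy_document. Account ids and the destination name are
# placeholders, not values from any real account.
DEST = "arn:aws:logs:us-east-1:111111111111:destination:example-dest"
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "logs:*", "Resource": DEST}]})
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "logs:PutSubscriptionFilter", "Resource": DEST}]})

def _as_list(value):
    """Normalise a policy field that may be absent, a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_values(principal):
    """Flatten Principal, which may be "*" or a map such as {"AWS": [...]}."""
    if isinstance(principal, dict):
        return [v for vals in principal.values() for v in _as_list(vals)]
    return _as_list(principal)

def wildcard_findings(policy_json):
    """Return (statement index, field, value) for each wildcard principal
    or action in an Allow statement. Deny statements are skipped: a
    wildcard there narrows access rather than widening it."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        for value in _principal_values(stmt.get("Principal")):
            if value == "*":
                findings.append((i, "Principal", value))
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((i, "Action", action))
    return findings

def status(policy_json):
    """The control's verdict for one policy: 'ok' or 'alarm'."""
    return "alarm" if wildcard_findings(policy_json) else "ok"
```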