Control: SNS topic policies should prohibit public access
Description
Manage access to resources in the AWS Cloud by ensuring AWS SNS topics cannot be publicly accessed.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.sns_topic_policy_restrict_public_access
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_aws_compliance.control.sns_topic_policy_restrict_public_access --share
SQL
This control uses a named query:
with sns_topic_public_policies as (
  select
    distinct (address) as name
  from
    terraform_resource,
    jsonb_array_elements(
      case when ((attributes_std ->> 'policy') = '')
        then null
        else ((attributes_std ->> 'policy')::jsonb -> 'Statement') end
    ) as s
  where
    type = 'aws_sns_topic_policy'
    and (s ->> 'Effect') = 'Allow'
    and (
      (s ->> 'Principal') = '*'
      or (s -> 'Principal' ->> 'AWS') = '*'
      -- the IAM policy key is 'Principal' (not 'Principals'); these two
      -- array-form checks cover "Principal": {"AWS": ["*"]}
      or (s -> 'Principal' -> 'AWS') @> '["*"]'
      or (s -> 'Principal' -> '*') @> '["*"]'
    )
)
select
  r.address as resource,
  case
    when (attributes_std ->> 'policy') = '' then 'ok'
    when p.name is null then 'ok'
    else 'alarm'
  end status,
  split_part(r.address, '.', 2) || case
    when (attributes_std ->> 'policy') = '' then ' no policy defined'
    when p.name is null then ' not publicly accessible'
    else ' publicly accessible'
  end || '.' reason
  , path || ':' || start_line
from
  terraform_resource as r
  left join sns_topic_public_policies as p on p.name = r.address
where
  r.type = 'aws_sns_topic_policy';
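The same check as a stand-alone script, added here as an example and not part of the terraform_aws_compliance mod: it applies the query's principal test (Principal "*", Principal.AWS "*", or Principal.AWS containing "*") to constructed plan-style aws_sns_topic_policy resources, and also accepts the single-object Statement form that the SQL above would not handle.

```python
import json

# Constructed sample: three aws_sns_topic_policy resources as they might appear
# in a Terraform plan, with the policy document serialised as a JSON string.
SAMPLE_RESOURCES = [
    {"address": "aws_sns_topic_policy.open", "type": "aws_sns_topic_policy",
     "attributes": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": ["*"]},
          "Action": "SNS:Publish", "Resource": "*"}]})}},
    {"address": "aws_sns_topic_policy.scoped", "type": "aws_sns_topic_policy",
     "attributes": {"policy": json.dumps({"Version": "2012-10-17", "Statement":
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
          "Action": "SNS:Publish", "Resource": "*"}})}},
    {"address": "aws_sns_topic_policy.empty", "type": "aws_sns_topic_policy",
     "attributes": {"policy": ""}},
]


def principal_is_public(stmt):
    """Mirror the control's test: Principal '*' or Principal.AWS containing '*'."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def evaluate(resource):
    """Return (status, reason) for one aws_sns_topic_policy resource."""
    name = resource["address"].split(".", 1)[1]       # like split_part(address, '.', 2)
    policy = resource["attributes"].get("policy") or ""
    if policy == "":
        return "ok", f"{name} no policy defined."
    statements = json.loads(policy).get("Statement", [])
    if isinstance(statements, dict):   # IAM allows a single statement object
        statements = [statements]
    if any(s.get("Effect") == "Allow" and principal_is_public(s) for s in statements):
        return "alarm", f"{name} publicly accessible."
    return "ok", f"{name} not publicly accessible."


def run_control(resources):
    """Evaluate every aws_sns_topic_policy resource; keyed by Terraform address."""
    return {r["address"]: evaluate(r) for r in resources if r["type"] == "aws_sns_topic_policy"}


if __name__ == "__main__":
    for address, (status, reason) in run_control(SAMPLE_RESOURCES).items():
        print(f"{status:5} {address}: {reason}")
```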