Powerpipe MCP Server →

Plugins Docs Home

turbot/steampipe-mod-terraform-aws-compliance

acm_certificate_create_before_destroy_enabled acm_certificate_transparency_logging_enabled apigateway_deployment_create_before_destroy_enabled apigateway_domain_name_use_latest_tls apigateway_method_restricts_open_access apigateway_method_settings_cache_enabled apigateway_method_settings_cache_encryption_enabled apigateway_method_settings_data_trace_enabled apigateway_rest_api_create_before_destroy_enabled apigateway_rest_api_stage_use_ssl_certificate apigateway_rest_api_stage_xray_tracing_enabled apigateway_stage_cache_encryption_at_rest_enabled apigateway_stage_logging_enabled apigatewayv2_route_set_authorization_type appflow_connector_profile_encrypted_with_kms_cmk appflow_flow_encrypted_with_kms_cmk appsync_api_cache_encryption_at_rest_enabled appsync_api_cache_encryption_in_transit_enabled appsync_graphql_api_cloudwatch_logs_enabled appsync_graphql_api_field_level_logs_enabled athena_database_encryption_at_rest_enabled athena_workgroup_encryption_at_rest_enabled athena_workgroup_enforce_workgroup_configuration autoscaling_group_tagging_enabled autoscaling_group_uses_launch_template autoscaling_group_with_lb_use_health_check autoscaling_launch_config_public_ip_disabled backup_plan_min_retention_35_days backup_vault_encryption_at_rest_enabled cloudformation_stack_notifications_enabled cloudfront_distribution_configured_with_origin_failover cloudfront_distribution_default_root_object_configured cloudfront_distribution_enabled cloudfront_distribution_encryption_in_transit_enabled cloudfront_distribution_logging_enabled cloudfront_distribution_origin_access_identity_enabled cloudfront_distribution_waf_enabled cloudfront_protocol_version_is_low cloudfront_response_header_use_strict_transport_policy_setting cloudsearch_domain_enforced_https_enabled cloudsearch_domain_uses_latest_tls_version cloudtrail_enabled_all_regions cloudtrail_event_data_store_encrypted_with_kms_cmk cloudtrail_trail_logs_encrypted_with_kms_cmk cloudtrail_trail_sns_topic_enabled cloudtrail_trail_validation_enabled cloudwatch_alarm_action_enabled cloudwatch_destination_policy_wildcards cloudwatch_log_group_retention cloudwatch_log_group_retention_period_365 codeartifact_domain_encrypted_with_kms_cmk codebuild_project_encryption_at_rest_enabled codebuild_project_logging_enabled codebuild_project_plaintext_env_variables_no_sensitive_aws_values codebuild_project_privileged_mode_disabled codebuild_project_s3_logs_encryption_enabled codebuild_project_source_repo_oauth_configured codecommit_approval_rule_template_number_of_approval_2 codepipeline_artifacts_encrypted_with_kms_cmk comprehend_entity_recognizer_model_encrypted_with_kms_cmk comprehend_entity_recognizer_volume_encrypted_with_kms_cmk config_aggregator_enabled_all_regions connect_instance_kinesis_video_stream_storage_config_encrypted_with_kms_cmk connect_instance_s3_storage_config_encrypted_with_kms_cmk datasync_location_object_storage_expose_secret dax_cluster_encryption_at_rest_enabled dax_cluster_endpoint_encryption_tls_enabled dlm_lifecycle_policy_events_cross_region_encrypted_with_kms_cmk dlm_lifecycle_policy_events_cross_region_encryption_enabled dlm_schedule_cross_region_encrypted_with_kms_cmk dlm_schedule_cross_region_encryption_enabled dms_replication_instance_automatic_minor_version_upgrade_enabled dms_replication_instance_encrypted_with_kms_cmk dms_replication_instance_not_publicly_accessible dms_s3_endpoint_encrypted_with_kms_cmk docdb_cluster_audit_logs_enabled docdb_cluster_backup_retention_period_7 docdb_cluster_encrypted_with_kms docdb_cluster_log_exports_enabled docdb_cluster_paramater_group_logging_enabled docdb_cluster_parameter_group_tls_enabled docdb_global_cluster_encrypted dynamodb_table_encrypted_with_kms_cmk dynamodb_table_encryption_enabled dynamodb_table_point_in_time_recovery_enabled dynamodb_vpc_endpoint_routetable_association ebs_snapshot_copy_encrypted_with_kms_cmk ebs_volume_encryption_at_rest_enabled ec2_ami_copy_encrypted_with_kms_cmk ec2_ami_copy_encryption_enabled ec2_ami_encryption_enabled ec2_ami_imagebuilder_component_encrypted_with_kms_cmk ec2_ami_imagebuilder_distribution_configuration_encrypted_with_kms_cmk ec2_ami_imagebuilder_image_recipe_encrypted_with_kms_cmk ec2_ami_launch_permission_restricted ec2_classic_lb_connection_draining_enabled ec2_ebs_default_encryption_enabled ec2_instance_detailed_monitoring_enabled ec2_instance_ebs_encryption_check ec2_instance_ebs_optimized ec2_instance_not_publicly_accessible ec2_instance_not_use_default_vpc ec2_instance_not_use_multiple_enis ec2_instance_termination_protection_enabled ec2_instance_user_data_no_secrets ec2_instance_uses_imdsv2 ec2_launch_configuration_ebs_encryption_check ec2_launch_configuration_metadata_hop_limit_check ec2_launch_template_metadata_hop_limit_check ecr_repository_encrypted_with_kms ecr_repository_policy_prohibit_public_access ecr_repository_tags_immutable ecr_repository_use_image_scanning ecs_cluster_container_insights_enabled ecs_cluster_logging_enabled ecs_cluster_logging_encrypted_with_kms_cmk ecs_service_fargate_uses_latest_version ecs_task_definition_container_non_privileged ecs_task_definition_container_readonly_root_filesystem ecs_task_definition_encryption_in_transit_enabled ecs_task_definition_no_host_pid_mode ecs_task_definition_role_check efs_access_point_has_root_directory efs_access_point_has_user_identity efs_file_system_automatic_backups_enabled efs_file_system_encrypt_data_at_rest efs_file_system_encrypted_with_kms_cmk eks_cluster_control_plane_logging_enabled eks_cluster_endpoint_restrict_public_access eks_cluster_log_types_enabled eks_cluster_node_group_ssh_access_from_internet eks_cluster_run_on_supported_kubernetes_version eks_cluster_secrets_encrypted elasticache_cluster_has_subnet_group elasticache_redis_cluster_auto_minor_version_upgrade elasticache_redis_cluster_automatic_backup_retention_15_days elasticache_replication_group_encrypted_with_kms_cmk elasticache_replication_group_encryption_at_rest_enabled elasticache_replication_group_encryption_in_transit_enabled elasticache_replication_group_encryption_in_transit_enabled_auth_token elasticbeanstalk_environment_use_enhanced_health_checks elasticbeanstalk_environment_use_managed_updates elb_application_classic_network_lb_logging_enabled elb_application_lb_deletion_protection_enabled elb_application_lb_drop_http_headers elb_application_lb_drop_invalid_header_fields elb_application_lb_waf_enabled elb_application_network_gateway_lb_cross_zone_load_balancing_enabled elb_application_network_gateway_lb_use_desync_mitigation_mode elb_classic_lb_cross_zone_load_balancing_enabled elb_classic_lb_use_desync_mitigation_mode elb_classic_lb_use_ssl_certificate elb_classic_lb_use_tls_https_listeners elb_lb_target_group_use_health_check elb_lb_use_secure_protocol_listener emr_cluster_kerberos_enabled emr_cluster_security_configuration_ebs_encryption_enabled emr_cluster_security_configuration_encryption_in_transit_enabled emr_cluster_security_configuration_encryption_uses_sse_kms emr_cluster_security_configuration_local_disk_encryption_enabled es_domain_audit_logging_enabled es_domain_data_nodes_min_3 es_domain_dedicated_master_nodes_min_3 es_domain_encrypted_using_tls_1_2 es_domain_encrypted_with_kms_cmk es_domain_encryption_at_rest_enabled es_domain_enforce_https es_domain_error_logging_enabled es_domain_in_vpc es_domain_logs_to_cloudwatch es_domain_node_to_node_encryption_enabled es_domain_use_default_security_group eventbridge_scheduler_schedule_encrypted_with_kms_cmk fsx_lustre_file_system_encrypted_with_kms_cmk fsx_ontap_file_system_encrypted_with_kms_cmk fsx_openzfs_file_system_encrypted_with_kms_cmk fsx_windows_file_system_encrypted_with_kms_cmk glacier_vault_restrict_public_access globalaccelerator_flow_logs_enabled glue_crawler_security_configuration_enabled glue_data_catalog_encryption_enabled glue_dev_endpoint_security_configuration_enabled glue_job_security_configuration_enabled glue_security_configuration_encryption_enabled guardduty_enabled iam_account_password_policy_min_length_14 iam_account_password_policy_one_lowercase_letter iam_account_password_policy_one_number iam_account_password_policy_one_symbol iam_account_password_policy_one_uppercase_letter iam_account_password_policy_reuse_24 iam_account_password_policy_strong iam_account_password_policy_strong_min_length_8 iam_password_policy_expire_90 kendra_index_server_side_encryption_uses_kms_cmk keyspaces_table_encrypted_with_kms_cmk kinesis_firehose_delivery_stream_encrypted_with_kms_cmk kinesis_firehose_delivery_stream_server_side_encryption_enabled kinesis_stream_encrypted_with_kms_cmk kinesis_stream_encryption_at_rest_enabled kinesis_video_stream_encrypted_with_kms_cmk kms_cmk_rotation_enabled lambda_function_code_signing_configured lambda_function_concurrent_execution_limit_configured lambda_function_dead_letter_queue_configured lambda_function_environment_encryption_enabled lambda_function_in_vpc lambda_function_url_auth_type_configured lambda_function_use_latest_runtime lambda_function_variables_no_sensitive_data lambda_function_xray_tracing_enabled lambda_permission_restricted_service_permission log_group_encryption_at_rest_enabled memorydb_cluster_encrypted_with_kms_cmk memorydb_cluster_transit_encryption_enabled memorydb_snapshot_encrypted_with_kms_cmk mq_broker_audit_logging_enabled mq_broker_automatic_minor_upgrade_enabled mq_broker_currect_broker_version mq_broker_encrypted_with_kms_cmk mq_broker_general_logging_enabled mq_broker_publicly_accessible msk_cluster_encrypted_with_kms_cmk msk_cluster_encryption_in_transit_enabled msk_cluster_logging_enabled msk_cluster_nodes_publicly_accessible mwaa_environment_scheduler_logs_enabled mwaa_environment_webserver_logs_enabled mwaa_environment_worker_logs_enabled neptune_cluster_backup_retention_period_7 neptune_cluster_copy_tags_to_snapshot_enabled neptune_cluster_encrypted_with_kms_cmk neptune_cluster_encryption_at_rest_enabled neptune_cluster_iam_authentication_enabled neptune_cluster_instance_publicly_accessible neptune_cluster_logging_enabled neptune_snapshot_encrypted_with_kms_cmk neptune_snapshot_storage_encryption_enabled opensearch_domain_encrpted_with_kms_cmk opensearch_domain_enforce_https opensearch_domain_use_default_security_group qldb_ledger_deletion_protection_enabled qldb_ledger_permission_mode_set_to_standard rds_cluster_activity_stream_encrypted_with_kms_cmk rds_db_cluster_aurora_backtracking_enabled rds_db_cluster_copy_tags_to_snapshot_enabled rds_db_cluster_deletion_protection_enabled rds_db_cluster_encrypted_with_kms_cmk rds_db_cluster_encryption_enabled rds_db_cluster_events_subscription rds_db_cluster_iam_authentication_enabled rds_db_cluster_instance_automatic_minor_version_upgrade_enabled rds_db_cluster_instance_performance_insights_enabled rds_db_cluster_instance_performance_insights_encrypted_with_kms_cmk rds_db_cluster_multiple_az_enabled rds_db_instance_and_cluster_enhanced_monitoring_enabled rds_db_instance_and_cluster_no_default_port rds_db_instance_automatic_minor_version_upgrade_enabled rds_db_instance_backup_enabled rds_db_instance_copy_tags_to_snapshot_enabled rds_db_instance_deletion_protection_enabled rds_db_instance_encryption_at_rest_enabled rds_db_instance_events_subscription rds_db_instance_iam_authentication_enabled rds_db_instance_logging_enabled rds_db_instance_multiple_az_enabled rds_db_instance_performance_insights_enabled rds_db_instance_performance_insights_encrypted_with_kms_cmk rds_db_instance_prohibit_public_access rds_db_instance_uses_recent_ca_certificate rds_db_parameter_group_events_subscription rds_db_security_group_events_subscription rds_db_snapshot_copy_encrypted_with_kms_cmk rds_db_snapshot_not_publicly_accesible rds_global_cluster_encryption_enabled rds_mysql_db_cluster_audit_logging_enabled redshift_cluster_automatic_snapshots_min_7_days redshift_cluster_automatic_upgrade_major_versions_enabled redshift_cluster_deployed_in_ec2_classic_mode redshift_cluster_encryption_enabled redshift_cluster_encryption_logging_enabled redshift_cluster_enhanced_vpc_routing_enabled redshift_cluster_kms_enabled redshift_cluster_logging_enabled redshift_cluster_maintenance_settings_check redshift_cluster_no_default_database_name redshift_cluster_prohibit_public_access redshift_serverless_namespace_encrypted_with_kms_cmk redshift_snapshot_copy_grant_encrypted_with_kms_cmk s3_bucket_abort_incomplete_multipart_upload_enabled s3_bucket_block_public_policy_enabled s3_bucket_cross_region_replication_enabled s3_bucket_default_encryption_enabled s3_bucket_default_encryption_enabled_kms s3_bucket_ignore_public_acls_enabled s3_bucket_logging_enabled s3_bucket_mfa_delete_enabled s3_bucket_object_copy_encrypted_with_kms_cmk s3_bucket_object_encrypted_with_kms_cmk s3_bucket_object_lock_enabled s3_bucket_public_access_blocked s3_bucket_versioning_enabled s3_public_access_block_account sagemaker_domain_encrypted_with_kms_cmk sagemaker_endpoint_configuration_encryption_at_rest_enabled sagemaker_notebook_instance_direct_internet_access_disabled sagemaker_notebook_instance_encryption_at_rest_enabled sagemaker_notebook_instance_in_vpc sagemaker_notebook_instance_root_access_disabled secretsmanager_secret_automatic_rotation_enabled secretsmanager_secret_automatic_rotation_lambda_enabled secretsmanager_secret_encrypted_with_kms_cmk ses_configuration_set_tls_enforced sfn_state_machine_execution_history_logging_enabled sfn_state_machine_xray_tracing_enabled sns_topic_encrypted_at_rest sns_topic_policy_restrict_public_access sqs_queue_encrypted_at_rest sqs_queue_policy_no_action_star sqs_queue_policy_no_principal_star sqs_vpc_endpoint_without_dns_resolution ssm_document_prohibit_public_access ssm_parameter_encrypted_with_kms_cmk timestream_database_encrypted_with_kms_cmk vpc_default_security_group_restricts_all_traffic vpc_ec2_transit_gateway_auto_accept_attachment_requests_disabled vpc_eip_associated vpc_endpoint_service_acceptance_enabled vpc_flow_logs_enabled vpc_igw_attached_to_authorized_vpc vpc_network_acl_allow_ftp_port_20_ingress vpc_network_acl_allow_ftp_port_21_ingress vpc_network_acl_allow_rdp_port_3389_ingress vpc_network_acl_allow_ssh_port_22_ingress vpc_network_acl_rule_restrict_ingress_ports_all vpc_network_acl_unused vpc_network_firewall_deletion_protection_enabled vpc_network_firewall_encrypted_with_kms_cmk vpc_network_firewall_policy_encrypted_with_kms_cmk vpc_network_firewall_rule_group_encrypted_with_kms_cmk vpc_security_group_associated_to_eni vpc_security_group_description_for_rules vpc_security_group_restrict_ingress_rdp_all vpc_security_group_restrict_ingress_ssh_all vpc_security_group_rule_description_for_rules vpc_subnet_auto_assign_public_ip_disabled vpc_transfer_server_allows_only_secure_protocols vpc_transfer_server_not_publicly_accesible waf_regional_web_acl_logging_enabled waf_regional_web_acl_rule_attached waf_regional_web_acl_rule_with_action waf_web_acl_logging_enabled waf_web_acl_rule_attached waf_web_acl_rule_with_action wafv2_web_acl_rule_attached workspace_root_volume_encryption_at_rest_enabled workspace_user_volume_encryption_at_rest_enabled

Query: ecs_task_definition_container_readonly_root_filesystem

Usage

powerpipe query terraform_aws_compliance.query.ecs_task_definition_container_readonly_root_filesystem

Steampipe Tables

terraform_resource

Terraform plugin

SQL

with task_with_readonly_root_filesystem as (
  select
    distinct (address ) as name
  from
    terraform_resource,
    jsonb_array_elements(
      case when ((attributes_std ->> 'container_definitions') = '')
        then null
        else (attributes_std ->> 'container_definitions')::jsonb end
    ) as s where (s ->> 'ReadonlyRootFilesystem')::boolean and type = 'aws_ecs_task_definition'
  )
  select
    r.address as resource,
    case
      when p.name is not null then 'ok'
      else 'alarm'
    end status,
    split_part(r.address, '.', 2) || case
      when p.name is not null then ' containers limited to read-only access to root filesystems'
      else ' containers not limited to read-only access to root filesystems'
    end || '.' reason
    
    , path || ':' || start_line
  from
    terraform_resource as r
    left join task_with_readonly_root_filesystem as p on p.name = r.address
  where
    type = 'aws_ecs_task_definition';

Controls

The query is being used by the following controls:

ECS containers should be limited to read-only access to root filesystems