Control: ECR repository policy should prohibit public access
Description
Ensure ECR repository associated policy prohibits public access.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.ecr_repository_policy_prohibit_public_access
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_aws_compliance.control.ecr_repository_policy_prohibit_public_access --share
SQL
This control uses a named query:
with ecr_non_public_policies as (
  select
    distinct (address) as name
  from
    terraform_resource,
    jsonb_array_elements(
      case
        when ((attributes_std ->> 'policy') = '') then null
        else ((attributes_std ->> 'policy')::jsonb -> 'Statement')
      end
    ) as s
  where
    type = 'aws_ecr_repository_policy'
    and (
      ((s ->> 'Principal') != '*')
      or ((s -> 'Condition' -> 'StringEquals' ->> 'aws:PrincipalOrgID') is not null)
      or ((s -> 'Condition' -> 'ForAllValues:StringEquals' ->> 'aws:PrincipalOrgID') is not null)
      or ((s -> 'Condition' -> 'ForAnyValue:StringEquals' ->> 'aws:PrincipalOrgID') is not null)
    )
)
select
  b.address as resource,
  case
    when (attributes_std ->> 'policy') = '' then 'ok'
    when d.name is not null then 'ok'
    else 'alarm'
  end status,
  split_part(b.address, '.', 2) || case
    when (attributes_std ->> 'policy') = '' then ' no policy defined'
    when d.name is not null then ' not public'
    else ' public'
  end || '.' reason,
  path || ':' || start_line
from
  terraform_resource as b
  left join ecr_non_public_policies as d on d.name = b.address
where
  type = 'aws_ecr_repository_policy';
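The query above classifies each aws_ecr_repository_policy resource by walking the statements of its policy document: a resource is 'ok' when it has no policy text, or when at least one statement either names a Principal other than '*' or carries an aws:PrincipalOrgID condition under StringEquals, ForAllValues:StringEquals or ForAnyValue:StringEquals; otherwise it is 'alarm'. The following Python is an added, stand-alone walkthrough of that classification and is not part of the terraform_aws_compliance mod. The resource addresses and policy documents it evaluates are constructed samples (the org ID and account ID are placeholders), and it departs from the SQL in two labelled places: it accepts a policy whose Statement is a single object rather than a list, and it also treats a Principal of {"AWS": "*"} as anonymous, where the SQL only compares the text form of Principal with '*'.

```python
import json

# Condition operators the control inspects for an aws:PrincipalOrgID key.
ORG_CONDITION_OPERATORS = (
    "StringEquals",
    "ForAllValues:StringEquals",
    "ForAnyValue:StringEquals",
)


def principal_is_wildcard(principal):
    """True when a statement's Principal grants to anyone.

    The control's SQL only compares the text form of Principal with '*'.
    As an added refinement (not the mod's logic) this also treats
    {"AWS": "*"}, which IAM evaluates the same way, as anonymous.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            return True
    return False


def statement_is_non_public(statement):
    """Follows the CTE predicate: a statement is not public when its Principal
    is not the wildcard, or when it is scoped to an organisation through an
    aws:PrincipalOrgID key under one of the inspected condition operators."""
    if not principal_is_wildcard(statement.get("Principal")):
        return True
    condition = statement.get("Condition") or {}
    return any(
        "aws:PrincipalOrgID" in (condition.get(op) or {})
        for op in ORG_CONDITION_OPERATORS
    )


def evaluate(address, policy_text):
    """Return the row the control emits for one aws_ecr_repository_policy
    resource: resource, status and reason, using the same wording as the SQL."""
    # split_part(address, '.', 2): the resource name after the resource type.
    parts = address.split(".")
    name = parts[1] if len(parts) > 1 else ""
    if policy_text == "":
        return {"resource": address, "status": "ok",
                "reason": f"{name} no policy defined."}
    statements = json.loads(policy_text).get("Statement", [])
    # An IAM document may carry one statement object instead of a list; the
    # SQL's jsonb_array_elements would reject that, so normalise it here.
    if isinstance(statements, dict):
        statements = [statements]
    if any(statement_is_non_public(s) for s in statements):
        return {"resource": address, "status": "ok",
                "reason": f"{name} not public."}
    return {"resource": address, "status": "alarm", "reason": f"{name} public."}


# Constructed sample inputs standing in for attributes_std ->> 'policy'.
SAMPLE_RESOURCES = {
    "aws_ecr_repository_policy.anonymous_pull": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
                       "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}],
    }),
    "aws_ecr_repository_policy.aws_wildcard": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AllowAnyoneToo", "Effect": "Allow",
                       "Principal": {"AWS": "*"}, "Action": "ecr:BatchGetImage"}],
    }),
    "aws_ecr_repository_policy.org_pull": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AllowOrg", "Effect": "Allow", "Principal": "*",
                       "Action": "ecr:BatchGetImage",
                       "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}}}],
    }),
    "aws_ecr_repository_policy.account_pull": json.dumps({
        "Version": "2012-10-17",
        "Statement": {"Sid": "AllowAccount", "Effect": "Allow",
                      "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                      "Action": "ecr:BatchGetImage"},
    }),
    "aws_ecr_repository_policy.empty": "",
}


def evaluate_all(resources=SAMPLE_RESOURCES):
    """Evaluate every sample resource, like the control's final select."""
    return [evaluate(addr, policy) for addr, policy in resources.items()]


if __name__ == "__main__":
    for row in evaluate_all():
        print(f"{row['status']:5}  {row['resource']}  {row['reason']}")
```

Running the block prints one row per sample: the two anonymous policies come back as alarm, the organisation-scoped and account-scoped ones as ok, and the resource with empty policy text as ok with the reason "no policy defined".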