turbot/terraform_aws_compliance

Query: cloudfront_distribution_origin_access_identity_enabled

Usage

powerpipe query terraform_aws_compliance.query.cloudfront_distribution_origin_access_identity_enabled

Steampipe Tables

SQL

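-- Reports each aws_cloudfront_distribution whose S3 origin(s) are served
-- without an origin access identity (OAI). In attributes_std a single
-- `origin` block is a JSON object and repeated `origin` blocks are a JSON
-- array, so both shapes are handled: the CTEs expand the array form, while
-- the final CASE inspects the object form directly.
--
-- Caveats for reviewers of this check:
--   * An origin counts as S3 only when its domain_name references
--     `aws_s3_bucket`; a literal bucket hostname is treated as non-S3 ('skip').
--   * Only `s3_origin_config.origin_access_identity` is inspected. Distributions
--     that restrict bucket access by another mechanism are still reported as
--     'alarm' here; treat that as a known limitation of this query.
--   * A missing origin_access_identity key is treated like an empty string, so
--     a malformed s3_origin_config is reported ('alarm') rather than passed.
with cloudfront_distribution as (
  select
    *
  from
    terraform_resource
  where
    type = 'aws_cloudfront_distribution'
),
-- Distributions (array form) with at least one origin that references an S3 bucket.
s3_origin_distributions as (
  select distinct
    address
  from
    cloudfront_distribution,
    jsonb_array_elements(
      case jsonb_typeof(attributes_std -> 'origin')
        when 'array' then (attributes_std -> 'origin')
        else null
      end
    ) as o
  where
    (o ->> 'domain_name') like '%aws_s3_bucket%'
),
-- Distributions (array form) with at least one S3 origin lacking an OAI.
unprotected_s3_origins as (
  select
    address,
    count(*) as unprotected_origin_count
  from
    cloudfront_distribution,
    jsonb_array_elements(
      case jsonb_typeof(attributes_std -> 'origin')
        when 'array' then (attributes_std -> 'origin')
        else null
      end
    ) as o
  where
    (o ->> 'domain_name') like '%aws_s3_bucket%'
    and (
      (o -> 's3_origin_config') is null
      or coalesce(o -> 's3_origin_config' ->> 'origin_access_identity', '') = ''
    )
  group by
    address
)
select
  a.address as resource,
  case
    when (a.attributes_std -> 'origin') is null then 'alarm'
    -- single origin block (JSON object) that references an S3 bucket
    when (a.attributes_std -> 'origin' ->> 'domain_name') like '%aws_s3_bucket%'
      and coalesce(a.attributes_std -> 'origin' -> 's3_origin_config' ->> 'origin_access_identity', '') <> '' then 'ok'
    when (a.attributes_std -> 'origin' ->> 'domain_name') like '%aws_s3_bucket%' then 'alarm'
    -- repeated origin blocks (JSON array): resolved through the CTEs above
    when b.address is not null then 'alarm'
    -- no S3 origin at all: either an array with none, or an object whose domain is not S3
    when t.address is null
      and (
        jsonb_typeof(a.attributes_std -> 'origin') = 'array'
        or (a.attributes_std -> 'origin' ->> 'domain_name') not like '%aws_s3_bucket%'
      ) then 'skip'
    else 'ok'
  end as status,
  -- Reason text mirrors the status branches one-to-one; keep both CASEs in sync.
  split_part(a.address, '.', 2) || case
    when (a.attributes_std -> 'origin') is null then ' origins not defined'
    when (a.attributes_std -> 'origin' ->> 'domain_name') like '%aws_s3_bucket%'
      and coalesce(a.attributes_std -> 'origin' -> 's3_origin_config' ->> 'origin_access_identity', '') <> '' then ' origin access identity configured'
    when (a.attributes_std -> 'origin' ->> 'domain_name') like '%aws_s3_bucket%' then ' origin access identity not configured'
    when b.address is not null then ' origin access identity not configured'
    when t.address is null
      and (
        jsonb_typeof(a.attributes_std -> 'origin') = 'array'
        or (a.attributes_std -> 'origin' ->> 'domain_name') not like '%aws_s3_bucket%'
      ) then ' origin type is not S3'
    else ' origin access identity configured'
  end || '.' as reason,
  a.path || ':' || a.start_line
from
  cloudfront_distribution as a
  left join s3_origin_distributions as t on a.address = t.address
  left join unprotected_s3_origins as b on a.address = b.address;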

Controls

This query is used by the following controls: