turbot/terraform_aws_compliance

Query: ecr_repository_policy_prohibit_public_access

Usage

powerpipe query terraform_aws_compliance.query.ecr_repository_policy_prohibit_public_access

Steampipe Tables

SQL

with ecr_non_public_policies as (
select
distinct (address ) as name
from
terraform_resource,
jsonb_array_elements(
case when ((attributes_std ->> 'policy') = '')
then null
else ((attributes_std ->> 'policy')::jsonb -> 'Statement') end
) as s
where
type = 'aws_ecr_repository_policy'
and (
((s ->> 'Principal') != '*')
or ((s -> 'Condition' -> 'StringEquals' ->> 'aws:PrincipalOrgID') is not null)
or ((s -> 'Condition' -> 'ForAllValues:StringEquals' ->> 'aws:PrincipalOrgID') is not null)
or ((s -> 'Condition' -> 'ForAnyValue:StringEquals' ->> 'aws:PrincipalOrgID') is not null)
)
)
select
b.address as resource,
case
when (attributes_std ->> 'policy') = '' then 'ok'
when d.name is not null then 'ok'
else 'alarm'
end status,
split_part(b.address, '.', 2) || case
when (attributes_std ->> 'policy') = '' then ' no policy defined'
when d.name is not null then ' not public'
else ' public'
end || '.' reason
, path || ':' || start_line
from
terraform_resource as b
left join ecr_non_public_policies as d on d.name = b.address
where
type = 'aws_ecr_repository_policy';

Controls

The query is being used by the following controls: