turbot/terraform_aws_compliance

Query: ecr_repository_policy_prohibit_public_access

Usage

powerpipe query terraform_aws_compliance.query.ecr_repository_policy_prohibit_public_access

Steampipe Tables

SQL

with ecr_non_public_policies as (
select
distinct (address) as name
from
terraform_resource,
jsonb_array_elements(
case
when ((attributes_std ->> 'policy') = '') then null
else ((attributes_std ->> 'policy') :: jsonb -> 'Statement')
end
) as s
where
type = 'aws_ecr_repository_policy'
and (
((s ->> 'Principal') != '*')
or (
(
s -> 'Condition' -> 'StringEquals' ->> 'aws:PrincipalOrgID'
) is not null
)
or (
(
s -> 'Condition' -> 'ForAllValues:StringEquals' ->> 'aws:PrincipalOrgID'
) is not null
)
or (
(
s -> 'Condition' -> 'ForAnyValue:StringEquals' ->> 'aws:PrincipalOrgID'
) is not null
)
)
)
select
b.address as resource,
case
when (attributes_std ->> 'policy') = '' then 'ok'
when d.name is not null then 'ok'
else 'alarm'
end status,
split_part(b.address, '.', 2) || case
when (attributes_std ->> 'policy') = '' then ' no policy defined'
when d.name is not null then ' not public'
else ' public'
end || '.' reason,
path || ':' || start_line
from
terraform_resource as b
left join ecr_non_public_policies as d on d.name = b.address
where
type = 'aws_ecr_repository_policy';

Controls

The query is being used by the following controls: