turbot/terraform_aws_compliance

Query: sns_topic_policy_restrict_public_access

Usage

powerpipe query terraform_aws_compliance.query.sns_topic_policy_restrict_public_access

Steampipe Tables

SQL

with sns_topic_public_policies as (
select
distinct (address ) as name
from
terraform_resource,
jsonb_array_elements(
case when ((attributes_std ->> 'policy') = '')
then null
else ((attributes_std ->> 'policy')::jsonb -> 'Statement') end
) as s
where
type = 'aws_sns_topic_policy'
and (s ->> 'Effect') = 'Allow'
and (
(s ->> 'Principal') = '*'
or (s -> 'Principal' ->> 'AWS') = '*'
or (s -> 'Principals' -> 'AWS') @> '["*"]'
or (s -> 'Principals' -> '*') @> '["*"]'
)
)
select
r.address as resource,
case
when (attributes_std ->> 'policy') = '' then 'ok'
when p.name is null then 'ok'
else 'alarm'
end status,
split_part(r.address, '.', 2) || case
when (attributes_std ->> 'policy') = '' then ' no policy defined'
when p.name is null then ' not publicly accessible'
else ' publicly accessible'
end || '.' reason
, path || ':' || start_line
from
terraform_resource as r
left join sns_topic_public_policies as p on p.name = r.address
where
r.type = 'aws_sns_topic_policy';

Controls

The query is being used by the following controls: