turbot/aws_compliance

Query: cloudfront_distribution_origin_access_identity_enabled

Usage

powerpipe query aws_compliance.query.cloudfront_distribution_origin_access_identity_enabled

SQL

select
  arn as resource,
  case
    when o ->> 'DomainName' not like '%s3.amazonaws.com' then 'skip'
    when o ->> 'DomainName' like '%s3.amazonaws.com'
      and o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' then 'alarm'
    else 'ok'
  end as status,
  case
    when o ->> 'DomainName' not like '%s3.amazonaws.com' then title || ' origin type is not s3.'
    when o ->> 'DomainName' like '%s3.amazonaws.com'
      and o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' then title || ' origin access identity not configured.'
    else title || ' origin access identity configured.'
  end as reason,
  region,
  account_id
from
  aws_cloudfront_distribution,
  jsonb_array_elements(origins) as o;
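To see how the CASE expression classifies each origin without a Steampipe database, the following added example (not part of the aws_compliance mod) ports the query's logic to Python over constructed distribution rows. It keeps SQL's three-valued logic, so it also shows the two edge cases a reviewer should know: regional S3 domains do not match '%s3.amazonaws.com' and are skipped, and an origin with no S3OriginConfig key compares NULL to '' and falls through to 'ok'.

```python
from typing import Optional

# Constructed sample rows in the shape of aws_cloudfront_distribution (arn, title, origins);
# the origin objects follow the CloudFront Origins item layout, all values are made up.
SAMPLE_DISTRIBUTIONS = [
    {"arn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE1", "title": "EXAMPLE1",
     "origins": [{"DomainName": "assets.s3.amazonaws.com",
                  "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLEOAI"}}]},
    {"arn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE2", "title": "EXAMPLE2",
     "origins": [{"DomainName": "public.s3.amazonaws.com",
                  "S3OriginConfig": {"OriginAccessIdentity": ""}}]},
    {"arn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE3", "title": "EXAMPLE3",
     "origins": [{"DomainName": "api.example.com", "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
                 {"DomainName": "logs.s3.us-east-1.amazonaws.com",  # regional endpoint: the LIKE does not match
                  "S3OriginConfig": {"OriginAccessIdentity": ""}},
                 {"DomainName": "legacy.s3.amazonaws.com"}]},      # no S3OriginConfig key at all
]

def jsonb_text(obj, *path) -> Optional[str]:
    """Mimic `o -> 'A' ->> 'B'`: a missing key at any step yields SQL NULL (None here)."""
    cur = obj
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return None if cur is None else str(cur)

def origin_status(o: dict) -> str:
    """Port of the query's CASE expression. A WHEN whose condition evaluates to NULL is
    not taken, so such a row falls through to the ELSE branch and reports 'ok'."""
    domain = jsonb_text(o, "DomainName")
    oai = jsonb_text(o, "S3OriginConfig", "OriginAccessIdentity")
    if domain is None:
        return "ok"  # both WHEN conditions are NULL
    if not domain.endswith("s3.amazonaws.com"):  # '%s3.amazonaws.com' matches only the global endpoint
        return "skip"
    if oai == "":  # NULL (no S3OriginConfig) is not equal to '', so it does not alarm
        return "alarm"
    return "ok"

REASONS = {"skip": " origin type is not s3.", "alarm": " origin access identity not configured.",
           "ok": " origin access identity configured."}

def evaluate(distributions) -> list:
    """One (resource, status, reason) row per origin, as jsonb_array_elements(origins) produces."""
    rows = []
    for d in distributions:
        for o in d["origins"]:
            status = origin_status(o)
            rows.append((d["arn"], status, d["title"] + REASONS[status]))
    return rows
```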

Controls

This query is used by the following controls: