AWS Perimeter Mod
Run security controls across all your AWS accounts to look for resources that are publicly accessible resources, shared with untrusted accounts, have insecure network configurations, and more.
References
AWS provides on-demand cloud computing platforms and APIs to authenticated customers on a metered pay-as-you-go basis.
Steampipe is an open source CLI to instantly query cloud APIs using SQL.
Steampipe Mods are collections of named queries, and codified controls that can be used to test current configuration of your cloud resources against a desired configuration.
Documentation
Getting started
Installation
Download and install Steampipe (https://steampipe.io/downloads). Or use Brew:
brew tap turbot/tapbrew install steampipeInstall the AWS plugin with Steampipe:
steampipe plugin install awsClone:
git clone https://github.com/turbot/steampipe-mod-aws-perimeter.gitcd steampipe-mod-aws-perimeterUsage
Start your dashboard server to get started:
steampipe dashboardBy default, the dashboard interface will then be launched in a new browser window at http://localhost:9194. From here, you can run benchmarks by selecting one or searching for a specific one.
Instead of running benchmarks in a dashboard, you can also run them within your
terminal with the steampipe check command:
Run all benchmarks:
steampipe check allRun a single benchmark:
steampipe check benchmark.public_accessRun a specific control:
steampipe check control.ec2_instance_ami_prohibit_public_accessDifferent output formats are also available, for more information please see Output Formats.
Credentials
This mod uses the credentials configured in the Steampipe AWS plugin.
Configuration
Several benchmarks have input variables that can be configured to better match your environment and requirements. Each variable has a default defined in its source file, e.g., perimeter/shared_access.sp, but these can be overwritten in several ways:
Copy and rename the
steampipe.spvars.examplefile tosteampipe.spvars, and then modify the variable values inside that filePass in a value on the command line:
steampipe check benchmark.shared_access --var='trusted_accounts=["123456789012", "123123123123"]'Set an environment variable:
SP_VAR_trusted_accounts='["123456789012", "123123123123"]' steampipe check control.ram_resource_shared_with_trusted_accounts- Note: When using environment variables, if the variable is defined in
steampipe.spvarsor passed in through the command line, either of those will take precedence over the environment variable value. For more information on variable definition precedence, please see the link below.
- Note: When using environment variables, if the variable is defined in
These are only some of the ways you can set variables. For a full list, please see Passing Input Variables.
Common and Tag Dimensions
The benchmark queries use common properties (like account_id, connection_name and region) and tags that are defined in the form of a default list of strings in the mod.sp file. These properties can be overwritten in several ways:
Copy and rename the
steampipe.spvars.examplefile tosteampipe.spvars, and then modify the variable values inside that filePass in a value on the command line:
steampipe check benchmark.public_access_settings --var 'common_dimensions=["account_id", "connection_name", "region"]'steampipe check benchmark.public_access_settings --var 'tag_dimensions=["Environment", "Owner"]'Set an environment variable:
SP_VAR_common_dimensions='["account_id", "connection_name", "region"]' steampipe check control.eks_cluster_endpoint_prohibit_public_accessSP_VAR_tag_dimensions='["Environment", "Owner"]' steampipe check control.large_ebs_volumes
Contributing
If you have an idea for additional controls or just want to help maintain and extend this mod (or others) we would love you to join the community and start contributing.
- Join #steampipe on Slack → and hang out with other Mod developers.
Please see the contribution guidelines and our code of conduct. All contributions are subject to the Apache 2.0 open source license.
Want to help but not sure where to start? Pick up one of the help wanted issues: