
Control: Directory Service directories should only be shared with trusted accounts

Description

This control checks whether access to Directory Service directories is restricted to trusted accounts.

Usage

Run the control in your terminal:

powerpipe control run aws_perimeter.control.directory_service_directory_shared_with_trusted_accounts

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_perimeter.control.directory_service_directory_shared_with_trusted_accounts --share

Steampipe Tables

Params

Args | Name | Default | Description | Variable
$1 | trusted_accounts | ["123456781234","123456781200"] | A list of trusted accounts. |

SQL

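-- Evaluates every Directory Service directory and flags the ones shared with
-- accounts that are not in the trusted list.
--
-- $1 is the trusted_accounts parameter (bound by Powerpipe; cast to text[]).
-- Output: resource, status ('ok' / 'info'), reason, plus region and account_id
-- as dimensions.
with all_directories as (
  select
    directory_id,
    shared_directories,
    region,
    title,
    _ctx,
    tags,
    account_id
  from
    aws_directory_service_directory
),
-- One row per directory that has at least one entry in shared_directories:
-- the SharedAccountId values collected into a jsonb array. Elements without a
-- SharedAccountId are skipped so the array never contains JSON nulls.
directory_data as (
  select
    directory_id,
    account_id,
    region,
    jsonb_agg(sd ->> 'SharedAccountId') filter (where sd ->> 'SharedAccountId' is not null) as shared_accounts
  from
    all_directories,
    jsonb_array_elements(shared_directories) as sd
  group by
    directory_id,
    account_id,
    region
),
-- Join the share list back onto every directory; unshared directories get
-- NULL for both arrays.
evaluated_directories as (
  select
    d.directory_id,
    d.region,
    d.account_id,
    d.title,
    d._ctx,
    d.tags,
    s.shared_accounts,
    -- jsonb - text[] removes every array element equal to one of the trusted
    -- account ids; the result is NULL only when shared_accounts is NULL.
    s.shared_accounts - ($1)::text[] as untrusted_accounts
  from
    all_directories as d
  left join directory_data as s
    on s.directory_id = d.directory_id
    and s.account_id = d.account_id
    and s.region = d.region
)
select
  directory_id as resource,
  case
    when shared_accounts is null
      or jsonb_array_length(shared_accounts) = 0 then 'ok'
    -- untrusted_accounts is an (possibly empty) array whenever the directory
    -- is shared, so only its length decides; an 'is not null OR length' test
    -- would report every shared directory as 'info'.
    when jsonb_array_length(untrusted_accounts) > 0 then 'info'
    else 'ok'
  end as status,
  case
    when shared_accounts is null
      or jsonb_array_length(shared_accounts) = 0 then directory_id || ' is not shared.'
    when jsonb_array_length(untrusted_accounts) > 2 then concat(
      directory_id,
      ' shared with untrusted accounts ',
      untrusted_accounts #>> '{0}',
      ', ',
      untrusted_accounts #>> '{1}',
      ' and ',
      (jsonb_array_length(untrusted_accounts) - 2)::text,
      ' more.'
    )
    when jsonb_array_length(untrusted_accounts) = 2 then concat(
      directory_id,
      ' shared with untrusted accounts ',
      untrusted_accounts #>> '{0}',
      ' and ',
      untrusted_accounts #>> '{1}',
      '.'
    )
    when jsonb_array_length(untrusted_accounts) = 1 then concat(
      directory_id,
      ' shared with untrusted account ',
      untrusted_accounts #>> '{0}',
      '.'
    )
    -- Shared, but every SharedAccountId is in the trusted list.
    else directory_id || ' shared with trusted account(s).'
  end as reason,
  region,
  account_id
from
  evaluated_directories;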

Tags