
Control: EBS snapshots should only be shared with trusted accounts

Description

This control checks whether access to EBS snapshots is restricted to trusted accounts.

Usage

Run the control in your terminal:

powerpipe control run aws_perimeter.control.ebs_snapshot_shared_with_trusted_accounts

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_perimeter.control.ebs_snapshot_shared_with_trusted_accounts --share

Steampipe Tables

Params

Args | Name | Default | Description | Variable
$1 | trusted_accounts
["123456781234","123456781200"]
A list of trusted accounts.

SQL

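-- For every snapshot that has at least one createVolumePermission entry,
-- collect the UserId of each entry into a JSON array. An entry that grants
-- the "all" group (public restore) carries no UserId, so `p -> 'UserId'` is
-- NULL for it and it is aggregated as a JSON null; this keeps the list
-- non-empty for public snapshots.
with list_of_snapshot_shared_accounts as (
  select
    jsonb_agg((p -> 'UserId')) as list,
    arn
  from
    aws_ebs_snapshot,
    jsonb_array_elements(create_volume_permissions) as p
  group by
    arn
),
-- Strip the trusted account ids ($1, a text[] of account ids) from the
-- shared list. Whatever remains (untrusted account ids, or the null from a
-- public grant) is reported as untrusted.
shared_ebs_snapshot as (
  select
    arn,
    list,
    list :: jsonb - ($1) :: text[] as untrusted_accounts
  from
    list_of_snapshot_shared_accounts
)
select
  s.arn as resource,
  -- Both a public grant and sharing with an untrusted account leave
  -- untrusted_accounts non-empty, so both surface as 'info'; the reason
  -- text below is what distinguishes the two. Snapshots with no sharing at
  -- all have no CTE row, so untrusted_accounts is NULL and they fall to 'ok'.
  case
    when jsonb_array_length(untrusted_accounts) > 0 then 'info'
    else 'ok'
  end status,
  case
    -- Checked first so a public snapshot is reported as public even when it
    -- is also shared with individual untrusted accounts.
    when s.create_volume_permissions @> '[{"Group": "all"}]' then s.title || ' publicly restorable.'
    -- `#>> '{n}'` reads the n-th array element as text (the page rendered
    -- this operator with a stray space; `#>>` is the intended form).
    when jsonb_array_length(untrusted_accounts) > 0
      and untrusted_accounts #>> '{0}' != 'all' then s.title || ' shared with ' || case
        -- Name at most two accounts explicitly and summarise the rest.
        when jsonb_array_length(untrusted_accounts) > 2 then concat(
          'untrusted accounts ',
          untrusted_accounts #>> '{0}',
          ', ',
          untrusted_accounts #>> '{1}',
          ' and ' || (jsonb_array_length(untrusted_accounts) - 2) :: text || ' more.'
        )
        when jsonb_array_length(untrusted_accounts) = 2 then concat(
          'untrusted accounts ',
          untrusted_accounts #>> '{0}',
          ' and ',
          untrusted_accounts #>> '{1}',
          '.'
        )
        else concat(
          'untrusted account ',
          untrusted_accounts #>> '{0}',
          '.'
        )
      end
    else case
      -- No CTE row (left join miss) means no createVolumePermission entries.
      when list is null then s.title || ' is not shared.'
      else s.title || ' shared with trusted account(s).'
    end
  end reason,
  s.region,
  s.account_id
from
  aws_ebs_snapshot as s
  left join shared_ebs_snapshot as ss on s.arn = ss.arn;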

Tags