turbot/aws_perimeter
GitHub
Loading controls...

Control: GuardDuty findings should only be shared with trusted accounts

Description

This control checks if GuardDuty findings are only shared with trusted administrator accounts.

Usage

Run the control in your terminal:

steampipe check aws_perimeter.control.guarduty_findings_shared_with_trusted_accounts

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share aws_perimeter.control.guarduty_findings_shared_with_trusted_accounts

Plugins & Tables

Params

ArgsNameDefaultDescriptionVariable
$1trusted_accounts
["123456781234","123456781200"]
A list of trusted accounts.

SQL

select
title as resource,
case
when master_account ->> 'AccountId' is null
or (master_account ->> 'AccountId') :: text = any (($1) :: text [ ]) then 'ok'
else 'info'
end as status,
case
when master_account ->> 'AccountId' is null
or (master_account ->> 'AccountId') :: text = any (($1) :: text [ ]) then title || ' findings shared with trusted administrator account.'
else title || ' findings shared with untrusted administrator account ' || (master_account ->> 'AccountId') :: text || '.'
end as reason,
region,
account_id
from
aws_guardduty_detector;

Tags