turbot/aws_tags

Control: RDS DB cluster snapshots should not have prohibited tags

Description

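Check whether any RDS DB cluster snapshot carries a tag whose key is in the prohibited list. Keys are compared exactly (case-sensitive) against the `prohibited_tags` parameter; tag values are not inspected.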

Usage

Run the control in your terminal:

powerpipe control run aws_tags.control.rds_db_cluster_snapshot_prohibited

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_tags.control.rds_db_cluster_snapshot_prohibited --share

Steampipe Tables

Params

| Args | Name | Default | Description | Variable |
|------|------|---------|-------------|----------|
| $1 | prohibited_tags | ["Password","Key"] | | |

SQL

-- Control query: report, for each RDS DB cluster snapshot, whether any of its
-- tag keys appears in the prohibited list bound to $1 (cast to text[]).
-- Output columns: resource, status ('alarm' / 'ok'), reason, region, account_id.
with flagged as (
  -- One row per snapshot that carries at least one prohibited tag key, with
  -- the matching keys collected into an array.
  -- Only tag KEYS are examined (jsonb_object_keys); tag values are never read.
  -- The match is plain text equality, so it is case-sensitive: a tag key
  -- 'password' does not match a prohibited entry 'Password'.
  -- Snapshots with NULL tags, or with no matching key, yield no row here.
  select
    snap.arn,
    array_agg(tag_key) as prohibited_tags,
    snap.region,
    snap.account_id,
    snap.tags,
    snap._ctx
  from
    aws_rds_db_cluster_snapshot as snap
    cross join lateral jsonb_object_keys(snap.tags) as tag_key
    inner join unnest($1::text[]) as prohibited_key
      on tag_key = prohibited_key
  group by
    snap.arn,
    snap.region,
    snap.account_id,
    snap.tags,
    snap._ctx
)
select
  snap.arn as resource,
  -- When a snapshot has no row in "flagged", hit.prohibited_tags is NULL; the
  -- comparison then evaluates to NULL and the CASE falls through to 'ok'.
  case
    when hit.prohibited_tags <> array[]::text[] then 'alarm'
    else 'ok'
  end as status,
  case
    when hit.prohibited_tags <> array[]::text[]
      then snap.title || ' has prohibited tags: ' || array_to_string(hit.prohibited_tags, ', ') || '.'
    else snap.title || ' has no prohibited tags.'
  end as reason,
  snap.region,
  snap.account_id
from
  aws_rds_db_cluster_snapshot as snap
  -- Every "flagged" row is derived from this same table, so the full outer
  -- join is expected to act like a left join from the snapshot side.
  -- NOTE(review): confirm arn is never NULL before simplifying the join type.
  full outer join flagged as hit
    on hit.arn = snap.arn;