acm_certificate_create_before_destroy_enabledacm_certificate_transparency_logging_enabledapigateway_deployment_create_before_destroy_enabledapigateway_domain_name_use_latest_tlsapigateway_method_restricts_open_accessapigateway_method_settings_cache_enabledapigateway_method_settings_cache_encryption_enabledapigateway_method_settings_data_trace_enabledapigateway_rest_api_create_before_destroy_enabledapigateway_rest_api_stage_use_ssl_certificateapigateway_rest_api_stage_xray_tracing_enabledapigateway_stage_cache_encryption_at_rest_enabledapigateway_stage_logging_enabledapigatewayv2_route_set_authorization_typeappflow_connector_profile_encrypted_with_kms_cmkappflow_flow_encrypted_with_kms_cmkappsync_api_cache_encryption_at_rest_enabledappsync_api_cache_encryption_in_transit_enabledappsync_graphql_api_cloudwatch_logs_enabledappsync_graphql_api_field_level_logs_enabledathena_database_encryption_at_rest_enabledathena_workgroup_encryption_at_rest_enabledathena_workgroup_enforce_workgroup_configurationautoscaling_group_tagging_enabledautoscaling_group_uses_launch_templateautoscaling_group_with_lb_use_health_checkautoscaling_launch_config_public_ip_disabledbackup_plan_min_retention_35_daysbackup_vault_encryption_at_rest_enabledcloudformation_stack_notifications_enabledcloudfront_distribution_configured_with_origin_failovercloudfront_distribution_default_root_object_configuredcloudfront_distribution_enabledcloudfront_distribution_encryption_in_transit_enabledcloudfront_distribution_logging_enabledcloudfront_distribution_origin_access_identity_enabledcloudfront_distribution_waf_enabledcloudfront_protocol_version_is_lowcloudfront_response_header_use_strict_transport_policy_settingcloudsearch_domain_enforced_https_enabledcloudsearch_domain_uses_latest_tls_versioncloudtrail_enabled_all_regionscloudtrail_event_data_store_encrypted_with_kms_cmkcloudtrail_trail_logs_encrypted_with_kms_cmkcloudtrail_trail_sns_topic_enabledcloudtrail_trail_validation_enabledcloudwatch_alarm_action_enabledcloudwatch_destination_policy_wildcardscloudwatch_log_group_retentioncloudwatch_log_group_retention_period_365codeartifact_domain_encrypted_with_kms_cmkcodebuild_project_encryption_at_rest_enabledcodebuild_project_logging_enabledcodebuild_project_plaintext_env_variables_no_sensitive_aws_valuescodebuild_project_privileged_mode_disabledcodebuild_project_s3_logs_encryption_enabledcodebuild_project_source_repo_oauth_configuredcodecommit_approval_rule_template_number_of_approval_2codepipeline_artifacts_encrypted_with_kms_cmkcomprehend_entity_recognizer_model_encrypted_with_kms_cmkcomprehend_entity_recognizer_volume_encrypted_with_kms_cmkconfig_aggregator_enabled_all_regionsconnect_instance_kinesis_video_stream_storage_config_encrypted_with_kms_cmkconnect_instance_s3_storage_config_encrypted_with_kms_cmkdatasync_location_object_storage_expose_secretdax_cluster_encryption_at_rest_enableddax_cluster_endpoint_encryption_tls_enableddlm_lifecycle_policy_events_cross_region_encrypted_with_kms_cmkdlm_lifecycle_policy_events_cross_region_encryption_enableddlm_schedule_cross_region_encrypted_with_kms_cmkdlm_schedule_cross_region_encryption_enableddms_replication_instance_automatic_minor_version_upgrade_enableddms_replication_instance_encrypted_with_kms_cmkdms_replication_instance_not_publicly_accessibledms_s3_endpoint_encrypted_with_kms_cmkdocdb_cluster_audit_logs_enableddocdb_cluster_backup_retention_period_7docdb_cluster_encrypted_with_kmsdocdb_cluster_log_exports_enableddocdb_cluster_paramater_group_logging_enableddocdb_cluster_parameter_group_tls_enableddocdb_global_cluster_encrypteddynamodb_table_encrypted_with_kms_cmkdynamodb_table_encryption_enableddynamodb_table_point_in_time_recovery_enableddynamodb_vpc_endpoint_routetable_associationebs_snapshot_copy_encrypted_with_kms_cmkebs_volume_encryption_at_rest_enabledec2_ami_copy_encrypted_with_kms_cmkec2_ami_copy_encryption_enabledec2_ami_encryption_enabledec2_ami_imagebuilder_component_encrypted_with_kms_cmkec2_ami_imagebuilder_distribution_configuration_encrypted_with_kms_cmkec2_ami_imagebuilder_image_recipe_encrypted_with_kms_cmkec2_ami_launch_permission_restrictedec2_classic_lb_connection_draining_enabledec2_ebs_default_encryption_enabledec2_instance_detailed_monitoring_enabledec2_instance_ebs_encryption_checkec2_instance_ebs_optimizedec2_instance_not_publicly_accessibleec2_instance_not_use_default_vpcec2_instance_not_use_multiple_enisec2_instance_termination_protection_enabledec2_instance_user_data_no_secretsec2_instance_uses_imdsv2ec2_launch_configuration_ebs_encryption_checkec2_launch_configuration_metadata_hop_limit_checkec2_launch_template_metadata_hop_limit_checkecr_repository_encrypted_with_kmsecr_repository_policy_prohibit_public_accessecr_repository_tags_immutableecr_repository_use_image_scanningecs_cluster_container_insights_enabledecs_cluster_logging_enabledecs_cluster_logging_encrypted_with_kms_cmkecs_service_fargate_uses_latest_versionecs_task_definition_container_non_privilegedecs_task_definition_container_readonly_root_filesystemecs_task_definition_encryption_in_transit_enabledecs_task_definition_no_host_pid_modeecs_task_definition_role_checkefs_access_point_has_root_directoryefs_access_point_has_user_identityefs_file_system_automatic_backups_enabledefs_file_system_encrypt_data_at_restefs_file_system_encrypted_with_kms_cmkeks_cluster_control_plane_logging_enabledeks_cluster_endpoint_restrict_public_accesseks_cluster_log_types_enabledeks_cluster_node_group_ssh_access_from_interneteks_cluster_run_on_supported_kubernetes_versioneks_cluster_secrets_encryptedelasticache_cluster_has_subnet_groupelasticache_redis_cluster_auto_minor_version_upgradeelasticache_redis_cluster_automatic_backup_retention_15_dayselasticache_replication_group_encrypted_with_kms_cmkelasticache_replication_group_encryption_at_rest_enabledelasticache_replication_group_encryption_in_transit_enabledelasticache_replication_group_encryption_in_transit_enabled_auth_tokenelasticbeanstalk_environment_use_enhanced_health_checkselasticbeanstalk_environment_use_managed_updateselb_application_classic_network_lb_logging_enabledelb_application_lb_deletion_protection_enabledelb_application_lb_drop_http_headerselb_application_lb_drop_invalid_header_fieldselb_application_lb_waf_enabledelb_application_network_gateway_lb_cross_zone_load_balancing_enabledelb_application_network_gateway_lb_use_desync_mitigation_modeelb_classic_lb_cross_zone_load_balancing_enabledelb_classic_lb_use_desync_mitigation_modeelb_classic_lb_use_ssl_certificateelb_classic_lb_use_tls_https_listenerselb_lb_target_group_use_health_checkelb_lb_use_secure_protocol_listeneremr_cluster_kerberos_enabledemr_cluster_security_configuration_ebs_encryption_enabledemr_cluster_security_configuration_encryption_in_transit_enabledemr_cluster_security_configuration_encryption_uses_sse_kmsemr_cluster_security_configuration_local_disk_encryption_enabledes_domain_audit_logging_enabledes_domain_data_nodes_min_3es_domain_dedicated_master_nodes_min_3es_domain_encrypted_using_tls_1_2es_domain_encrypted_with_kms_cmkes_domain_encryption_at_rest_enabledes_domain_enforce_httpses_domain_error_logging_enabledes_domain_in_vpces_domain_logs_to_cloudwatches_domain_node_to_node_encryption_enabledes_domain_use_default_security_groupeventbridge_scheduler_schedule_encrypted_with_kms_cmkfsx_lustre_file_system_encrypted_with_kms_cmkfsx_ontap_file_system_encrypted_with_kms_cmkfsx_openzfs_file_system_encrypted_with_kms_cmkfsx_windows_file_system_encrypted_with_kms_cmkglacier_vault_restrict_public_accessglobalaccelerator_flow_logs_enabledglue_crawler_security_configuration_enabledglue_data_catalog_encryption_enabledglue_dev_endpoint_security_configuration_enabledglue_job_security_configuration_enabledglue_security_configuration_encryption_enabledguardduty_enablediam_account_password_policy_min_length_14iam_account_password_policy_one_lowercase_letteriam_account_password_policy_one_numberiam_account_password_policy_one_symboliam_account_password_policy_one_uppercase_letteriam_account_password_policy_reuse_24iam_account_password_policy_strongiam_account_password_policy_strong_min_length_8iam_password_policy_expire_90kendra_index_server_side_encryption_uses_kms_cmkkeyspaces_table_encrypted_with_kms_cmkkinesis_firehose_delivery_stream_encrypted_with_kms_cmkkinesis_firehose_delivery_stream_server_side_encryption_enabledkinesis_stream_encrypted_with_kms_cmkkinesis_stream_encryption_at_rest_enabledkinesis_video_stream_encrypted_with_kms_cmkkms_cmk_rotation_enabledlambda_function_code_signing_configuredlambda_function_concurrent_execution_limit_configuredlambda_function_dead_letter_queue_configuredlambda_function_environment_encryption_enabledlambda_function_in_vpclambda_function_url_auth_type_configuredlambda_function_use_latest_runtimelambda_function_variables_no_sensitive_datalambda_function_xray_tracing_enabledlambda_permission_restricted_service_permissionlog_group_encryption_at_rest_enabledmemorydb_cluster_encrypted_with_kms_cmkmemorydb_cluster_transit_encryption_enabledmemorydb_snapshot_encrypted_with_kms_cmkmq_broker_audit_logging_enabledmq_broker_automatic_minor_upgrade_enabledmq_broker_currect_broker_versionmq_broker_encrypted_with_kms_cmkmq_broker_general_logging_enabledmq_broker_publicly_accessiblemsk_cluster_encrypted_with_kms_cmkmsk_cluster_encryption_in_transit_enabledmsk_cluster_logging_enabledmsk_cluster_nodes_publicly_accessiblemwaa_environment_scheduler_logs_enabledmwaa_environment_webserver_logs_enabledmwaa_environment_worker_logs_enabledneptune_cluster_backup_retention_period_7neptune_cluster_copy_tags_to_snapshot_enabledneptune_cluster_encrypted_with_kms_cmkneptune_cluster_encryption_at_rest_enabledneptune_cluster_iam_authentication_enabledneptune_cluster_instance_publicly_accessibleneptune_cluster_logging_enabledneptune_snapshot_encrypted_with_kms_cmkneptune_snapshot_storage_encryption_enabledopensearch_domain_encrpted_with_kms_cmkopensearch_domain_enforce_httpsopensearch_domain_use_default_security_groupqldb_ledger_deletion_protection_enabledqldb_ledger_permission_mode_set_to_standardrds_cluster_activity_stream_encrypted_with_kms_cmkrds_db_cluster_aurora_backtracking_enabledrds_db_cluster_copy_tags_to_snapshot_enabledrds_db_cluster_deletion_protection_enabledrds_db_cluster_encrypted_with_kms_cmkrds_db_cluster_encryption_enabledrds_db_cluster_events_subscriptionrds_db_cluster_iam_authentication_enabledrds_db_cluster_instance_automatic_minor_version_upgrade_enabledrds_db_cluster_instance_performance_insights_enabledrds_db_cluster_instance_performance_insights_encrypted_with_kms_cmkrds_db_cluster_multiple_az_enabledrds_db_instance_and_cluster_enhanced_monitoring_enabledrds_db_instance_and_cluster_no_default_portrds_db_instance_automatic_minor_version_upgrade_enabledrds_db_instance_backup_enabledrds_db_instance_copy_tags_to_snapshot_enabledrds_db_instance_deletion_protection_enabledrds_db_instance_encryption_at_rest_enabledrds_db_instance_events_subscriptionrds_db_instance_iam_authentication_enabledrds_db_instance_logging_enabledrds_db_instance_multiple_az_enabledrds_db_instance_performance_insights_enabledrds_db_instance_performance_insights_encrypted_with_kms_cmkrds_db_instance_prohibit_public_accessrds_db_instance_uses_recent_ca_certificaterds_db_parameter_group_events_subscriptionrds_db_security_group_events_subscriptionrds_db_snapshot_copy_encrypted_with_kms_cmkrds_db_snapshot_not_publicly_accesiblerds_global_cluster_encryption_enabledrds_mysql_db_cluster_audit_logging_enabledredshift_cluster_automatic_snapshots_min_7_daysredshift_cluster_automatic_upgrade_major_versions_enabledredshift_cluster_deployed_in_ec2_classic_moderedshift_cluster_encryption_enabledredshift_cluster_encryption_logging_enabledredshift_cluster_enhanced_vpc_routing_enabledredshift_cluster_kms_enabledredshift_cluster_logging_enabledredshift_cluster_maintenance_settings_checkredshift_cluster_no_default_database_nameredshift_cluster_prohibit_public_accessredshift_serverless_namespace_encrypted_with_kms_cmkredshift_snapshot_copy_grant_encrypted_with_kms_cmks3_bucket_abort_incomplete_multipart_upload_enableds3_bucket_block_public_policy_enableds3_bucket_cross_region_replication_enableds3_bucket_default_encryption_enableds3_bucket_default_encryption_enabled_kmss3_bucket_ignore_public_acls_enableds3_bucket_logging_enableds3_bucket_mfa_delete_enableds3_bucket_object_copy_encrypted_with_kms_cmks3_bucket_object_encrypted_with_kms_cmks3_bucket_object_lock_enableds3_bucket_public_access_blockeds3_bucket_versioning_enableds3_public_access_block_accountsagemaker_domain_encrypted_with_kms_cmksagemaker_endpoint_configuration_encryption_at_rest_enabledsagemaker_notebook_instance_direct_internet_access_disabledsagemaker_notebook_instance_encryption_at_rest_enabledsagemaker_notebook_instance_in_vpcsagemaker_notebook_instance_root_access_disabledsecretsmanager_secret_automatic_rotation_enabledsecretsmanager_secret_automatic_rotation_lambda_enabledsecretsmanager_secret_encrypted_with_kms_cmkses_configuration_set_tls_enforcedsfn_state_machine_execution_history_logging_enabledsfn_state_machine_xray_tracing_enabledsns_topic_encrypted_at_restsns_topic_policy_restrict_public_accesssqs_queue_encrypted_at_restsqs_queue_policy_no_action_starsqs_queue_policy_no_principal_starsqs_vpc_endpoint_without_dns_resolutionssm_document_prohibit_public_accessssm_parameter_encrypted_with_kms_cmktimestream_database_encrypted_with_kms_cmkvpc_default_security_group_restricts_all_trafficvpc_ec2_transit_gateway_auto_accept_attachment_requests_disabledvpc_eip_associatedvpc_endpoint_service_acceptance_enabledvpc_flow_logs_enabledvpc_igw_attached_to_authorized_vpcvpc_network_acl_allow_ftp_port_20_ingressvpc_network_acl_allow_ftp_port_21_ingressvpc_network_acl_allow_rdp_port_3389_ingressvpc_network_acl_allow_ssh_port_22_ingressvpc_network_acl_rule_restrict_ingress_ports_allvpc_network_acl_unusedvpc_network_firewall_deletion_protection_enabledvpc_network_firewall_encrypted_with_kms_cmkvpc_network_firewall_policy_encrypted_with_kms_cmkvpc_network_firewall_rule_group_encrypted_with_kms_cmkvpc_security_group_associated_to_enivpc_security_group_description_for_rulesvpc_security_group_restrict_ingress_rdp_allvpc_security_group_restrict_ingress_ssh_allvpc_security_group_rule_description_for_rulesvpc_subnet_auto_assign_public_ip_disabledvpc_transfer_server_allows_only_secure_protocolsvpc_transfer_server_not_publicly_accesiblewaf_regional_web_acl_logging_enabledwaf_regional_web_acl_rule_attachedwaf_regional_web_acl_rule_with_actionwaf_web_acl_logging_enabledwaf_web_acl_rule_attachedwaf_web_acl_rule_with_actionwafv2_web_acl_rule_attachedworkspace_root_volume_encryption_at_rest_enabledworkspace_user_volume_encryption_at_rest_enabled
Query: lambda_permission_restricted_service_permission
Usage
powerpipe query terraform_aws_compliance.query.lambda_permission_restricted_service_permissionSteampipe Tables
SQL
select address as resource, split_part((attributes_std ->> 'principal'), '.', 2), case when not (split_part((attributes_std ->> 'principal'), '.', 2) = 'amazonaws' and split_part((attributes_std ->> 'principal'), '.', 3)= 'com') then 'info' when split_part((attributes_std ->> 'principal'), '.', 2) = 'amazonaws' and split_part((attributes_std ->> 'principal'), '.', 3)= 'com' and ((attributes_std -> 'source_arn') is not null or (attributes_std -> 'source_account') is not null ) then 'ok' else 'alarm' end as status, split_part(address, '.', 2) || case when not (split_part((attributes_std ->> 'principal'), '.', 2) = 'amazonaws' and split_part((attributes_std ->> 'principal'), '.', 3) = 'com') then ' principal not set as service' when split_part((attributes_std ->> 'principal'), '.', 2) = 'amazonaws' and split_part((attributes_std ->> 'principal'), '.', 3)= 'com' and ((attributes_std -> 'source_arn') is not null or (attributes_std -> 'source_account') is not null ) then ' permissions to AWS services restricted by SourceArn or SourceAccount' else ' permissions to AWS services not restricted by SourceArn or SourceAccount' end || '.' as reason , path || ':' || start_linefrom terraform_resourcewhere type = 'aws_lambda_permission';Controls
The query is being used by the following controls: