turbot / steampipe-mod-aws-compliance

Run individual controls or full compliance benchmarks for CIS, PCI, NIST, HIPAA and more across all of your AWS accounts using Powerpipe and Steampipe.
https://hub.steampipe.io/mods/turbot/aws_compliance
Apache License 2.0

CIS v1.4.0 - Control: 3.9 > only us-east-1 included in scan #440

Closed markusjunior closed 2 years ago

markusjunior commented 2 years ago

**Describe the bug** Even if there are VPCs in many other AWS regions, the scan for Control 3.9 will only detect VPCs in us-east-1.

**Steampipe version (steampipe -v)** steampipe version 0.15.0

**Plugin version (steampipe plugin list)**

| Name | Version | Connections |
|------|---------|-------------|
| hub.steampipe.io/plugins/turbot/aws@0.57.0 | 0.57.0 | |
| hub.steampipe.io/plugins/turbot/aws@latest | 0.68.0 | aws |

steampipe-mod-aws-compliance v0.37 [2022-06-29]

**To reproduce** Running `steampipe check aws_compliance.control.cis_v140_3_9`

The result contains just the us-east-1 region, even though other VPCs exist in other regions of the same account. Please see the example output (Account ID and ARN removed) in the additional context section below.

**Expected behavior** For this particular account we have VPCs in 5 different regions (like eu-central-1 etc.); therefore we expect that all regions are included in this scan / control.

**Additional context** Example output (only us-east-1 is included, even though we have VPCs in other regions as well):

```json
{
  "group_id": "root_result_group",
  "title": "",
  "description": "",
  "tags": {},
  "summary": {
    "status": { "alarm": 0, "ok": 1, "info": 0, "skip": 0, "error": 0 }
  },
  "groups": [],
  "controls": [
    {
      "summary": { "alarm": 0, "ok": 1, "info": 0, "skip": 0, "error": 0 },
      "results": [
        {
          "reason": "vpc-<> flow logging enabled.",
          "resource": "arn:aws:ec2:us-east-1:<>:vpc/vpc-<>",
          "status": "ok",
          "dimensions": [
            { "key": "region", "value": "us-east-1" },
            { "key": "account_id", "value": "<>" }
          ]
        }
      ],
      "control_id": "control.cis_v140_3_9",
      "description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.",
      "severity": "",
      "tags": {
        "category": "Compliance",
        "cis": "true",
        "cis_item_id": "3.9",
        "cis_level": "2",
        "cis_section_id": "3",
        "cis_type": "automated",
        "cis_version": "v1.4.0",
        "plugin": "aws",
        "service": "AWS/VPC"
      },
      "title": "3.9 Ensure VPC flow logging is enabled in all VPCs",
      "run_status": 4,
      "run_error": ""
    }
  ]
}
```

rajlearner17 commented 2 years ago

@markusjunior Appreciate using Steampipe 👍

Exciting details are provided, thank you. While checking this at our end, can you please check your plugin configuration file `aws.spc` details? I just wanted to confirm the region settings in it.

If this is configured to only one region, i.e. `regions = ["us-east-1"]`, the result will only be rendered for us-east-1.

The approach can be either to specify the list of regions or to make it `*` to evaluate all regions in the account, e.g. `regions = ["*"]`.

Doc reference - https://hub.steampipe.io/plugins/turbot/aws#configuration
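
For reference, the two settings being discussed side by side in an `aws.spc` connection block. This is an added example, not configuration from the issue reporter or from the mod; the profile name is an assumption, and only one `connection "aws"` block should exist in the file at a time.

```hcl
# ~/.steampipe/config/aws.spc
# Added example (not from the issue or the mod); the "prod" profile name is assumed.

# Weak setting: the plugin only queries us-east-1, so cis_v140_3_9 (and every
# other region-scoped control) reports VPCs in one region and silently ignores
# the rest. The benchmark summary still says "ok" because nothing else was seen.
# connection "aws" {
#   plugin  = "aws"
#   profile = "prod"
#   regions = ["us-east-1"]
# }

# Corrected: the wildcard makes the plugin query every region enabled for the
# account, so VPCs in eu-central-1 and elsewhere appear in the control results.
connection "aws" {
  plugin  = "aws"
  profile = "prod"
  regions = ["*"]
}

# Alternative when only a known set of regions should be in scope: list them
# explicitly. Any region left off this list is invisible to every control.
# connection "aws" {
#   plugin  = "aws"
#   profile = "prod"
#   regions = ["us-east-1", "eu-central-1", "eu-west-1"]
# }
```

After changing the file, re-run `steampipe check aws_compliance.control.cis_v140_3_9` and confirm that the `region` dimension in the output covers every region where you expect VPCs; a narrow `regions` list is an easy way to get a clean-looking but incomplete compliance report.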

markusjunior commented 2 years ago

Thanks a lot Raj, that does the trick!!! Just configured the aws.spc with the required regions and it works so far. Thanks again. Issue can be closed...

rajlearner17 commented 2 years ago

Thank you! Let us know in case you come across any other issues. You can also participate in slack https://steampipe.io/community/join

markusjunior commented 2 years ago

Hi Raj,

one issue is left though, hopefully it is ok to bother you in this ticket.

We use shared VPCs. We do get alarms for 3.9 in AWS accounts and their VPCs if they rely on a shared VPC CIDR from another account.

Example: PROD Account VPC: Flow Logs enabled, Check reports OK

Workload-Whatever Account VPC (uses the shared VPC CIDR of PROD): Flow logs are not even possible; the tab in AWS config is missing entirely, as flow logs have to be configured in the "upper sharing" account PROD. However, control 3.9 reports an Alarm.

rajlearner17 commented 2 years ago

@markusjunior, This is an interesting one; thanks for bringing it on. I am not sure I have an immediate answer to it without replicating it on our end. I am re-opening it to check it further and expect anybody with a quick idea to share the information. Will keep posted.

markusjunior commented 2 years ago

Raj, I just opened another one (AWS CIS 1.4 Control 3.9 >> issue with shared VPCs #441); I guess it is better this way.

rajlearner17 commented 2 years ago

Makes sense