Closed omerosaienni closed 1 year ago
Public Access
omerosaienni@engineering ~/source-code/steampipe/steampipe-mod-aws-perimeter(updating-perimeter-mod-to-use-analyse-table)$ steampipe check benchmark.public_access
Public Access .............................................................................................................................................. 60 / 133 [==========]
|
+ Public Access Settings ................................................................................................................................... 3 / 34 [=== ]
| |
| + API Gateway APIs should prohibit public access ......................................................................................................... 0 / 0 [ ]
| |
| + Database Migration Service (DMS) replication instances should not be public ............................................................................ 0 / 0 [ ]
| |
| + EBS snapshots should not be publicly restorable ........................................................................................................ 0 / 6 [= ]
| | |
| | OK : snap-09c14fff2c4c1b36b not publicly restorable. ................................................................................................ us-east-1 123456789012
| | OK : snap-0e3cd6d751a0d274e not publicly restorable. ................................................................................................ us-east-1 123456789012
| | OK : snap-01c573b1f4ebad60f not publicly restorable. ................................................................................................ us-east-1 123456789012
| | OK : snap-0d052e9a6dc0b710b not publicly restorable. ................................................................................................ us-east-1 123456789012
| | OK : snap-02fb96ea75cc078ff not publicly restorable. ................................................................................................ us-east-1 123456789012
| | OK : snap-0263366219ef8e62d not publicly restorable. ................................................................................................ us-east-1 123456789012
| |
| + EC2 AMIs should not be shared publicly ................................................................................................................. 1 / 6 [== ]
| | |
| | ALARM: ami-public-instance-1 publicly accessible. ..................................................................................................... us-east-1 123456789012
| | OK : ami-private-image-1 not publicly accessible. ................................................................................................... us-east-1 123456789012
| | OK : ami-private-image-2 not publicly accessible. ................................................................................................... us-east-1 123456789012
| | OK : ami-private-image-3 not publicly accessible. ................................................................................................... us-east-1 123456789012
| | OK : ami-public-instance-2 not publicly accessible. ................................................................................................. us-east-1 123456789012
| | OK : ami-public-instance-3 not publicly accessible. ................................................................................................. us-east-1 123456789012
| |
| + EKS cluster endpoints should prohibit public access .................................................................................................... 0 / 0 [ ]
| |
| + RDS DB cluster snapshots should not be publicly restorable ............................................................................................. 0 / 0 [ ]
| |
| + RDS DB instances should prohibit public accesss ........................................................................................................ 0 / 0 [ ]
| |
| + RDS DB snapshots should not be publicly restorable ..................................................................................................... 0 / 0 [ ]
| |
| + Redshift clusters should prohibit public access ........................................................................................................ 0 / 0 [ ]
| |
| + S3 bucket ACLs should prohibit public read access ...................................................................................................... 0 / 7 [= ]
| | |
| | OK : config-bucket-111122223333 not publicly readable. .............................................................................................. us-east-1 111122223333
| | OK : test-omero-bucket-1 not publicly readable. ..................................................................................................... us-east-1 111122223333
| | OK : account-tags-test-bucket not publicly readable. ................................................................................................ us-east-1 111122223333
| | OK : my-test-bucket-errored not publicly readable. .................................................................................................. us-east-1 111122223333
| | OK : omero-cloudfront-test-bucket not publicly readable. ............................................................................................ us-east-1 111122223333
| | OK : aws-cloudtrail-logs-111122223333-84bb46df not publicly readable. ............................................................................... us-east-1 111122223333
| | OK : omero-resource-policy-bucket not publicly readable. ............................................................................................ us-east-1 111122223333
| |
| + S3 bucket ACLs should prohibit public write access ..................................................................................................... 0 / 7 [= ]
| | |
| | OK : config-bucket-111122223333 not publicly writable. .............................................................................................. us-east-1 111122223333
| | OK : test-omero-bucket-1 not publicly writable. ..................................................................................................... us-east-1 111122223333
| | OK : account-tags-test-bucket not publicly writable. ................................................................................................ us-east-1 111122223333
| | OK : my-test-bucket-errored not publicly writable. .................................................................................................. us-east-1 111122223333
| | OK : omero-cloudfront-test-bucket not publicly writable. ............................................................................................ us-east-1 111122223333
| | OK : aws-cloudtrail-logs-111122223333-84bb46df not publicly writable. ............................................................................... us-east-1 111122223333
| | OK : omero-resource-policy-bucket not publicly writable. ............................................................................................ us-east-1 111122223333
| |
| + S3 account settings should block public access ......................................................................................................... 1 / 1 [= ]
| | |
| | ALARM: Account level public access not enabled for: block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets. ........................ 111122223333
| |
| + S3 buckets should block public access at bucket level .................................................................................................. 1 / 7 [== ]
| | |
| | ALARM: omero-resource-policy-bucket not enabled for: block_public_policy, restrict_public_buckets. .................................................... us-east-1 111122223333
| | OK : account-tags-test-bucket all public access blocks enabled. ..................................................................................... us-east-1 111122223333
| | OK : config-bucket-111122223333 all public access blocks enabled. ................................................................................... us-east-1 111122223333
| | OK : test-omero-bucket-1 all public access blocks enabled. .......................................................................................... us-east-1 111122223333
| | OK : my-test-bucket-errored all public access blocks enabled. ....................................................................................... us-east-1 111122223333
| | OK : omero-cloudfront-test-bucket all public access blocks enabled. ................................................................................. us-east-1 111122223333
| | OK : aws-cloudtrail-logs-111122223333-84bb46df all public access blocks enabled. .................................................................... us-east-1 111122223333
| |
| + SageMaker notebook instances should be prohibited from direct internet access .......................................................................... 0 / 0 [ ]
|
+ Resource Policy Public Access ............................................................................................................................ 57 / 99 [======== ]
|
+ ECR repository policies should prohibit public access .................................................................................................. 1 / 2 [== ]
| |
| ALARM: omero-test-private-2 policy contains 1 statement that allow public access: [CodeBuildAccess]. .................................................. us-east-1 111122223333
| OK : omero-test-private policy does not allow public access. ........................................................................................ us-east-1 111122223333
|
+ Glacier vault policies should prohibit public access ................................................................................................... 0 / 0 [ ]
|
+ IAM role trust policies should prohibit public access .................................................................................................. 54 / 91 [======= ]
| |
| ALARM: AWS-QuickSetup-StackSet-Local-AdministrationRole policy contains 1 statement that allow public access: [Statement[1]]. ................................... 111122223333
| ALARM: AWSServiceRoleForAccessAnalyzer policy contains 1 statement that allow public access: [Statement[1]]. .................................................... 111122223333
| ALARM: AWSServiceRoleForAutoScaling policy contains 1 statement that allow public access: [Statement[1]]. ....................................................... 111122223333
| ALARM: AWSServiceRoleForBackup policy contains 1 statement that allow public access: [Statement[1]]. ............................................................ 111122223333
| ALARM: AWSServiceRoleForCloudTrail policy contains 1 statement that allow public access: [Statement[1]]. ........................................................ 111122223333
| ALARM: AWSServiceRoleForComputeOptimizer policy contains 1 statement that allow public access: [Statement[1]]. .................................................. 111122223333
| ALARM: AWSServiceRoleForConfig policy contains 1 statement that allow public access: [Statement[1]]. ............................................................ 111122223333
| ALARM: AWSServiceRoleForApplicationAutoScaling_DynamoDBTable policy contains 1 statement that allow public access: [Statement[1]]. .............................. 111122223333
| ALARM: AWSServiceRoleForECS policy contains 1 statement that allow public access: [Statement[1]]. ............................................................... 111122223333
| ALARM: AWSServiceRoleForApplicationAutoScaling_ECSService policy contains 1 statement that allow public access: [Statement[1]]. ................................. 111122223333
| ALARM: AWSServiceRoleForElastiCache policy contains 1 statement that allow public access: [Statement[1]]. ....................................................... 111122223333
| ALARM: AWSServiceRoleForElasticLoadBalancing policy contains 1 statement that allow public access: [Statement[1]]. .............................................. 111122223333
| ALARM: AWSServiceRoleForGlobalAccelerator policy contains 1 statement that allow public access: [Statement[1]]. ................................................. 111122223333
| ALARM: AWSServiceRoleForCloudFrontLogger policy contains 1 statement that allow public access: [Statement[1]]. .................................................. 111122223333
| ALARM: AWSServiceRoleForAPIGateway policy contains 1 statement that allow public access: [Statement[1]]. ........................................................ 111122223333
| ALARM: AWSServiceRoleForOrganizations policy contains 1 statement that allow public access: [Statement[1]]. ..................................................... 111122223333
| ALARM: AWSServiceRoleForRDS policy contains 1 statement that allow public access: [Statement[1]]. ............................................................... 111122223333
| ALARM: AWSServiceRoleForBackupReports policy contains 1 statement that allow public access: [Statement[1]]. ..................................................... 111122223333
| ALARM: AWSServiceRoleForSecurityHub policy contains 1 statement that allow public access: [Statement[1]]. ....................................................... 111122223333
| ALARM: AWSServiceRoleForAmazonSSM policy contains 1 statement that allow public access: [Statement[1]]. ......................................................... 111122223333
| ALARM: AWSServiceRoleForSSO policy contains 1 statement that allow public access: [Statement[1]]. ............................................................... 111122223333
| ALARM: AWSServiceRoleForSupport policy contains 1 statement that allow public access: [Statement[1]]. ........................................................... 111122223333
| ALARM: AWSServiceRoleForTrustedAdvisor policy contains 1 statement that allow public access: [Statement[1]]. .................................................... 111122223333
| ALARM: ec2_s3_read_only policy contains 1 statement that allow public access: [Statement[1]]. ................................................................... 111122223333
| ALARM: ec2_s3_read_only_2 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................. 111122223333
| ALARM: ec2_s3_read_only_3 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................. 111122223333
| ALARM: iam_trusted_access_role_1 policy contains 1 statement that allow public access: [Statement[3]]. .......................................................... 111122223333
| ALARM: iam_trusted_access_role_5 policy contains 1 statement that allow public access: [Statement[1]]. .......................................................... 111122223333
| ALARM: PublishFlowLogsToCloudWatchRole policy contains 1 statement that allow public access: [Statement[1]]. .................................................... 111122223333
| ALARM: PublishToCloudWatchLogsRole policy contains 1 statement that allow public access: [Statement[1]]. ........................................................ 111122223333
| ALARM: resource-policy-analysis-role-1 policy contains 1 statement that allow public access: [Statement[1]]. .................................................... 111122223333
| ALARM: AWSBackupDefaultServiceRole policy contains 1 statement that allow public access: [Statement[1]]. ........................................................ 111122223333
| ALARM: test-function-2-role-i16umoc8 policy contains 1 statement that allow public access: [Statement[1]]. ...................................................... 111122223333
| ALARM: test-function-3-role-ofc3xrg2 policy contains 1 statement that allow public access: [Statement[1]]. ...................................................... 111122223333
| ALARM: test-function-4-role-bjzyzpti policy contains 1 statement that allow public access: [Statement[1]]. ...................................................... 111122223333
| ALARM: test-function-role-ouk9m007 policy contains 1 statement that allow public access: [Statement[1]]. ........................................................ 111122223333
| ALARM: test-aws-is-broken policy contains 1 statement that allow public access: [Statement[1]]. ................................................................. 111122223333
| ALARM: test-messy-1 policy contains 1 statement that allow public access: [Statement[1]]. ....................................................................... 111122223333
| ALARM: test-public-1 policy contains 1 statement that allow public access: [Statement[1]]. ...................................................................... 111122223333
| ALARM: test-public-role-5 policy contains 3 statement that allow public access: [Statement[1], Statement[2], and 1 more]. ....................................... 111122223333
| ALARM: test-role-2 policy contains 1 statement that allow public access: [Statement[1]]. ........................................................................ 111122223333
| ALARM: test-role-3 policy contains 1 statement that allow public access: [Statement[1]]. ........................................................................ 111122223333
| ALARM: test-role-org-4 policy contains 1 statement that allow public access: [Statement[1]]. .................................................................... 111122223333
| ALARM: test-role-public-2 policy contains 2 statement that allow public access: [Statement[1], Statement[2]]. ................................................... 111122223333
| ALARM: test-role-public-3 policy contains 3 statement that allow public access: [Statement[1], Statement[2], and 1 more]. ....................................... 111122223333
| ALARM: test-role-public-4 policy contains 3 statement that allow public access: [Statement[1], Statement[2], and 1 more]. ....................................... 111122223333
| ALARM: test-role-public-5 policy contains 4 statement that allow public access: [Statement[1], Statement[2], and 2 more]. ....................................... 111122223333
| ALARM: test-service-role-1 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................ 111122223333
| ALARM: test-service-role-2 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................ 111122223333
| ALARM: test-service-role-3 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................ 111122223333
| ALARM: test-service-role-4 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................ 111122223333
| ALARM: test-service-role-5 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................ 111122223333
| ALARM: test-service-role-6 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................ 111122223333
| ALARM: test-steampipe-role-1 policy contains 1 statement that allow public access: [Statement[1]]. .............................................................. 111122223333
| OK : AWS-QuickSetup-StackSet-Local-ExecutionRole policy does not allow public access. ......................................................................... 111122223333
| OK : AWSReservedSSO_SSO-Admin_ce6cf919091b63ee policy does not allow public access. ........................................................................... 111122223333
| OK : AWSReservedSSO_SSO-ReadOnly_7e9831f0c1810592 policy does not allow public access. ........................................................................ 111122223333
| OK : iam_trusted_access_role_10 policy does not allow public access. .......................................................................................... 111122223333
| OK : iam_trusted_access_role_2 policy does not allow public access. ........................................................................................... 111122223333
| OK : iam_trusted_access_role_20 policy does not allow public access. .......................................................................................... 111122223333
| OK : iam_trusted_access_role_3 policy does not allow public access. ........................................................................................... 111122223333
| OK : iam_trusted_access_role_30 policy does not allow public access. .......................................................................................... 111122223333
| OK : iam_trusted_access_role_4 policy does not allow public access. ........................................................................................... 111122223333
| OK : iam_trusted_access_role_41 policy does not allow public access. .......................................................................................... 111122223333
| OK : iam_trusted_access_role_6 policy does not allow public access. ........................................................................................... 111122223333
| OK : iam_trusted_access_role_7 policy does not allow public access. ........................................................................................... 111122223333
| OK : iam_trusted_access_role_8 policy does not allow public access. ........................................................................................... 111122223333
| OK : iam_trusted_access_role_9 policy does not allow public access. ........................................................................................... 111122223333
| OK : rexaac-assume-role policy does not allow public access. .................................................................................................. 111122223333
| OK : test-admin-role policy does not allow public access. ..................................................................................................... 111122223333
| OK : test-amazon-1 policy does not allow public access. ....................................................................................................... 111122223333
| OK : test-aws-amazon-sub-type-1 policy does not allow public access. .......................................................................................... 111122223333
| OK : test-google-1 policy does not allow public access. ....................................................................................................... 111122223333
| OK : test-google-2 policy does not allow public access. ....................................................................................................... 111122223333
| OK : test-google-role policy does not allow public access. .................................................................................................... 111122223333
| OK : test-role-mulitple policy does not allow public access. .................................................................................................. 111122223333
| OK : test-role-mulitple-2 policy does not allow public access. ................................................................................................ 111122223333
| OK : test-role-org-1 policy does not allow public access. ..................................................................................................... 111122223333
| OK : test-role-org-2 policy does not allow public access. ..................................................................................................... 111122223333
| OK : test-role-org-3 policy does not allow public access. ..................................................................................................... 111122223333
| OK : test-role-org-5 policy does not allow public access. ..................................................................................................... 111122223333
| OK : test-role-self policy does not allow public access. ...................................................................................................... 111122223333
| OK : test-rubbish3 policy does not allow public access. ....................................................................................................... 111122223333
| OK : test-saml-role-1 policy does not allow public access. .................................................................................................... 111122223333
| OK : test-web-identity-1 policy does not allow public access. ................................................................................................. 111122223333
| OK : us-east-1_PtrpBLBqu-authRole policy does not allow public access. ........................................................................................ 111122223333
| OK : us-east-1_PtrpBLBqu_Full-access policy does not allow public access. ..................................................................................... 111122223333
| OK : us-east-1_PtrpBLBqu_Manage-only policy does not allow public access. ..................................................................................... 111122223333
| OK : us-east-1_u8mhp37to-authRole policy does not allow public access. ........................................................................................ 111122223333
| OK : us-east-1_u8mhp37to_Full-access policy does not allow public access. ..................................................................................... 111122223333
| OK : us-east-1_u8mhp37to_Manage-only policy does not allow public access. ..................................................................................... 111122223333
|
+ KMS key policies should prohibit public access ......................................................................................................... 1 / 1 [= ]
| |
| ALARM: 62a473ea-2733-44eb-a626-352318acced6 policy contains 5 statement that allow public access: [Allow CloudTrail to describe key, Allow CloudTrail … us-east-1 111122223333
|
+ Lambda function policies should prohibit public access ................................................................................................. 0 / 3 [= ]
| |
| OK : test-function policy does not allow public access. ............................................................................................. us-east-1 111122223333
| OK : test-function-3 policy does not allow public access. ........................................................................................... us-east-1 111122223333
| OK : test-function-4 policy does not allow public access. ........................................................................................... us-east-1 111122223333
|
+ S3 bucket policies should prohibit public access ....................................................................................................... 0 / 1 [= ]
| |
| OK : omero-cloudfront-test-bucket policy does not allow public access. .............................................................................. us-east-1 111122223333
|
+ SNS topic policies should prohibit public access ....................................................................................................... 1 / 1 [= ]
| |
| ALARM: Default_CloudWatch_Alarms_Topic policy contains 1 statement that allow public access: [__default_statement_ID]. ................................ us-east-1 111122223333
|
+ SQS queue policies should prohibit public access ....................................................................................................... 0 / 0 [ ]
Summary
OK ............................................................................................................................................................... 73 [====== ]
SKIP .............................................................................................................................................................. 0 [ ]
INFO .............................................................................................................................................................. 0 [ ]
ALARM ............................................................................................................................................................ 60 [===== ]
ERROR ............................................................................................................................................................. 0 [ ]
TOTAL ...................................................................................................................................................... 60 / 133 [==========]
omerosaienni@engineering ~/source-code/steampipe/steampipe-mod-aws-perimeter(updating-perimeter-mod-to-use-analyse-table)$
This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.
This PR was closed because it has been stalled for 90 days with no activity.