standard
turbot/aws_compliance

Trigger: Detect & correct S3 buckets without SSL enforcement

Detect S3 buckets that do not enforce SSL, then either skip each one or enforce SSL on it.

Query

-- Buckets whose policy carries at least one statement that denies requests
-- made without TLS: Effect = Deny, Principal AWS = '*', and a Bool condition
-- on aws:securetransport equal to false.
-- NOTE(review): this relies on policy_std normalising condition keys to
-- lowercase and expressing a bare "Principal": "*" as {"AWS": ["*"]} — confirm
-- against the plugin's policy_std documentation.
with buckets_denying_plaintext as (
  select
    bucket.name,
    bucket.arn
  from
    aws_s3_bucket as bucket
    cross join jsonb_array_elements(bucket.policy_std -> 'Statement') as stmt
    cross join jsonb_array_elements_text(stmt -> 'Principal' -> 'AWS') as principal_arn
    -- Action and Resource are expanded but never filtered: a statement with a
    -- missing or empty Action/Resource yields no rows and is ignored, while any
    -- non-empty one qualifies.
    -- NOTE(review): because neither is constrained, a Deny scoped to only some
    -- S3 actions or objects still counts as "enforces SSL" — confirm this
    -- matches the intended control.
    cross join jsonb_array_elements_text(stmt -> 'Action') as action_name
    cross join jsonb_array_elements_text(stmt -> 'Resource') as resource_arn
    cross join jsonb_array_elements_text(
      stmt -> 'Condition' -> 'Bool' -> 'aws:securetransport'
    ) as secure_transport
  where
    stmt ->> 'Effect' = 'Deny'
    and principal_arn = '*'
    and secure_transport :: bool = false
)
-- Every bucket with no such deny statement is reported; the title embeds
-- account and region so rows are distinguishable across connections.
select
  concat(b.name, ' [', b.account_id, '/', b.region, ']') as title,
  b.name as bucket_name,
  b.sp_connection_name as conn,
  b.region
from
  aws_s3_bucket as b
where
  not exists (
    select 1
    from buckets_denying_plaintext as ok
    where ok.name = b.name
  );

Schedule

15m

Tags

category = Compliance
mod = aws
service = AWS/S3