steampipe-mod-aws-perimeter
Add trusted controls for AWS policies
Share Controls
omerosaienni@engineering ~/source-code/steampipe/steampipe-mod-aws-perimeter(updating-perimeter-mod-to-use-analyse-table)$ steampipe check benchmark.shared_access
Shared Access .............................................................................................................................................. 94 / 401 [==========]
|
+ RAM Shared Access ........................................................................................................................................ 2 / 2 [= ]
| |
| + Resources shared through RAM should only be shared with trusted accounts ............................................................................... 1 / 1 [= ]
| | |
| | ALARM: subnet/subnet-0324f9123e334dc08 shared with untrusted accounts ["111122223333", "333322221111", "222244446666"]. ............................... us-east-1 232332322323
| |
| + Resources shared through RAM should only be shared with trusted OUs .................................................................................... 0 / 0 [ ]
| |
| + Resources shared through RAM should only be shared with trusted organizations .......................................................................... 1 / 1 [= ]
| |
| ALARM: subnet/subnet-0324f9123e334dc08 shared with untrusted organization ["o-a1a1a1aa11"]. ........................................................... us-east-1 232332322323
|
+ Shared Access Settings ................................................................................................................................... 0 / 24 [= ]
| |
| + Config service aggregator should only collect data from trusted accounts ............................................................................... 0 / 0 [ ]
| |
| + Directory Service directories should only be shared with trusted accounts .............................................................................. 0 / 0 [ ]
| |
| + DLM policies should only share EBS snapshot copies with trusted accounts ............................................................................... 0 / 0 [ ]
| |
| + EBS snapshots should only be shared with trusted accounts .............................................................................................. 0 / 6 [= ]
| | |
| | OK : snap-02fb96ea75cc078ff is not shared. .......................................................................................................... us-east-1 232332322323
| | OK : snap-0e3cd6d751a0d274e is not shared. .......................................................................................................... us-east-1 232332322323
| | OK : snap-09c14fff2c4c1b36b is not shared. .......................................................................................................... us-east-1 232332322323
| | OK : snap-01c573b1f4ebad60f is not shared. .......................................................................................................... us-east-1 232332322323
| | OK : snap-0d052e9a6dc0b710b is not shared. .......................................................................................................... us-east-1 232332322323
| | OK : snap-0263366219ef8e62d is not shared. .......................................................................................................... us-east-1 232332322323
| |
| + EC2 AMIs should only be shared with trusted accounts ................................................................................................... 0 / 6 [= ]
| | |
| | INFO : ami-public-instance-1 is public. ............................................................................................................... us-east-1 232332322323
| | INFO : ami-public-instance-2 shared with untrusted account ["333322221111"]. .......................................................................... us-east-1 232332322323
| | INFO : ami-public-instance-3 shared with untrusted accounts ["333322221111", "111122223333"]. ......................................................... us-east-1 232332322323
| | OK : ami-private-image-1 is not shared. ............................................................................................................. us-east-1 232332322323
| | OK : ami-private-image-2 is not shared. ............................................................................................................. us-east-1 232332322323
| | OK : ami-private-image-3 is not shared. ............................................................................................................. us-east-1 232332322323
| |
| + EC2 AMIs should only be shared with trusted OUs ........................................................................................................ 0 / 6 [= ]
| | |
| | INFO : ami-public-instance-1 is public. ............................................................................................................... us-east-1 232332322323
| | OK : ami-private-image-1 is not shared. ............................................................................................................. us-east-1 232332322323
| | OK : ami-private-image-2 is not shared. ............................................................................................................. us-east-1 232332322323
| | OK : ami-private-image-3 is not shared. ............................................................................................................. us-east-1 232332322323
| | OK : ami-public-instance-2 is not shared. ........................................................................................................... us-east-1 232332322323
| | OK : ami-public-instance-3 is not shared. ........................................................................................................... us-east-1 232332322323
| |
| + EC2 AMIs should only be shared with trusted organizations .............................................................................................. 0 / 6 [= ]
| | |
| | INFO : ami-public-instance-1 is public. ............................................................................................................... us-east-1 232332322323
| | OK : ami-private-image-1 is not shared. ............................................................................................................. us-east-1 232332322323
| | OK : ami-private-image-2 is not shared. ............................................................................................................. us-east-1 232332322323
| | OK : ami-private-image-3 is not shared. ............................................................................................................. us-east-1 232332322323
| | OK : ami-public-instance-2 is not shared. ........................................................................................................... us-east-1 232332322323
| | OK : ami-public-instance-3 is not shared. ........................................................................................................... us-east-1 232332322323
| |
| + GuardDuty findings should only be shared with trusted accounts ......................................................................................... 0 / 0 [ ]
| |
| + RDS DB snapshots should only be shared with trusted accounts ........................................................................................... 0 / 0 [ ]
|
+ Shared Access ............................................................................................................................................ 92 / 375 [==========]
|
+ Resource Policy Shared Accounts Access ................................................................................................................. 26 / 98 [=== ]
| |
| + ECR repository policies should prohibit untrusted account access ..................................................................................... 1 / 2 [== ]
| | |
| | ALARM: omero-test-private trust policy grants cross-account access to 1 untrusted account: ["123456789012"]. ........................................ us-east-1 232332322323
| | OK : omero-test-private-2 trust policy does not reference any accounts. ........................................................................... us-east-1 232332322323
| |
| + Glacier vault policies should prohibit untrusted account access ...................................................................................... 0 / 0 [ ]
| |
| + IAM role trust policies should prohibit untrusted account access ..................................................................................... 21 / 91 [=== ]
| | |
| | ALARM: iam_trusted_access_role_10 trust policy grants cross-account access to 1 untrusted account: ["688720832404"]. .......................................... 232332322323
| | ALARM: iam_trusted_access_role_3 trust policy grants cross-account access to 1 untrusted account: ["688720832404"]. ........................................... 232332322323
| | ALARM: iam_trusted_access_role_41 trust policy grants cross-account access to 1 untrusted account: ["688720832404"]. .......................................... 232332322323
| | ALARM: iam_trusted_access_role_9 trust policy grants cross-account access to 1 untrusted account: ["688720832404"]. ........................................... 232332322323
| | ALARM: rexaac-assume-role trust policy grants cross-account access to 1 untrusted account: ["333322221111"]. .................................................. 232332322323
| | ALARM: test-public-1 trust policy grants cross-account access to 1 untrusted account: ["*"]. .................................................................. 232332322323
| | ALARM: test-public-role-5 trust policy grants cross-account access to 1 untrusted account: ["*"]. ............................................................. 232332322323
| | ALARM: test-role-2 trust policy grants cross-account access to 1 untrusted account: ["688720832404"]. ......................................................... 232332322323
| | ALARM: test-role-mulitple trust policy grants cross-account access to 2 untrusted accounts: ["181849339477", "688720832404"]. ................................. 232332322323
| | ALARM: test-role-mulitple-2 trust policy grants cross-account access to 4 untrusted accounts: ["111122223333", "222244446666", "181849339477", "688720832404"]. 232332322323
| | ALARM: test-role-org-1 trust policy grants cross-account access to 1 untrusted account: ["232332322323"]. ..................................................... 232332322323
| | ALARM: test-role-org-2 trust policy grants cross-account access to 1 untrusted account: ["232332322323"]. ..................................................... 232332322323
| | ALARM: test-role-org-3 trust policy grants cross-account access to 1 untrusted account: ["232332322323"]. ..................................................... 232332322323
| | ALARM: test-role-org-4 trust policy grants cross-account access to 1 untrusted account: ["*"]. ................................................................ 232332322323
| | ALARM: test-role-org-5 trust policy grants cross-account access to 1 untrusted account: ["232332322323"]. ..................................................... 232332322323
| | ALARM: test-role-public-2 trust policy grants cross-account access to 1 untrusted account: ["*"]. ............................................................. 232332322323
| | ALARM: test-role-public-3 trust policy grants cross-account access to 1 untrusted account: ["*"]. ............................................................. 232332322323
| | ALARM: test-role-public-4 trust policy grants cross-account access to 1 untrusted account: ["*"]. ............................................................. 232332322323
| | ALARM: test-role-public-5 trust policy grants cross-account access to 1 untrusted account: ["*"]. ............................................................. 232332322323
| | ALARM: test-steampipe-role-1 trust policy grants cross-account access to 1 untrusted account: ["*"]. .......................................................... 232332322323
| | ALARM: us-east-1_PtrpBLBqu_Manage-only trust policy grants cross-account access to 1 untrusted account: ["688720832404"]. ..................................... 232332322323
| | OK : AWS-QuickSetup-StackSet-Local-AdministrationRole trust policy does not reference any accounts. ......................................................... 232332322323
| | OK : AWS-QuickSetup-StackSet-Local-ExecutionRole trust policy does not reference any cross-accounts. ........................................................ 232332322323
| | OK : AWSReservedSSO_SSO-Admin_ce6cf919091b63ee trust policy does not reference any accounts. ................................................................ 232332322323
| | OK : AWSReservedSSO_SSO-ReadOnly_7e9831f0c1810592 trust policy does not reference any accounts. ............................................................. 232332322323
| | OK : AWSServiceRoleForAccessAnalyzer trust policy does not reference any accounts. .......................................................................... 232332322323
| | OK : AWSServiceRoleForAutoScaling trust policy does not reference any accounts. ............................................................................. 232332322323
| | OK : AWSServiceRoleForBackup trust policy does not reference any accounts. .................................................................................. 232332322323
| | OK : AWSServiceRoleForCloudTrail trust policy does not reference any accounts. .............................................................................. 232332322323
| | OK : AWSServiceRoleForComputeOptimizer trust policy does not reference any accounts. ........................................................................ 232332322323
| | OK : AWSServiceRoleForConfig trust policy does not reference any accounts. .................................................................................. 232332322323
| | OK : AWSServiceRoleForApplicationAutoScaling_DynamoDBTable trust policy does not reference any accounts. .................................................... 232332322323
| | OK : AWSServiceRoleForECS trust policy does not reference any accounts. ..................................................................................... 232332322323
| | OK : AWSServiceRoleForApplicationAutoScaling_ECSService trust policy does not reference any accounts. ....................................................... 232332322323
| | OK : AWSServiceRoleForElastiCache trust policy does not reference any accounts. ............................................................................. 232332322323
| | OK : AWSServiceRoleForElasticLoadBalancing trust policy does not reference any accounts. .................................................................... 232332322323
| | OK : AWSServiceRoleForGlobalAccelerator trust policy does not reference any accounts. ....................................................................... 232332322323
| | OK : AWSServiceRoleForCloudFrontLogger trust policy does not reference any accounts. ........................................................................ 232332322323
| | OK : AWSServiceRoleForAPIGateway trust policy does not reference any accounts. .............................................................................. 232332322323
| | OK : AWSServiceRoleForOrganizations trust policy does not reference any accounts. ........................................................................... 232332322323
| | OK : AWSServiceRoleForRDS trust policy does not reference any accounts. ..................................................................................... 232332322323
| | OK : AWSServiceRoleForBackupReports trust policy does not reference any accounts. ........................................................................... 232332322323
| | OK : AWSServiceRoleForSecurityHub trust policy does not reference any accounts. ............................................................................. 232332322323
| | OK : AWSServiceRoleForAmazonSSM trust policy does not reference any accounts. ............................................................................... 232332322323
| | OK : AWSServiceRoleForSSO trust policy does not reference any accounts. ..................................................................................... 232332322323
| | OK : AWSServiceRoleForSupport trust policy does not reference any accounts. ................................................................................. 232332322323
| | OK : AWSServiceRoleForTrustedAdvisor trust policy does not reference any accounts. .......................................................................... 232332322323
| | OK : ec2_s3_read_only trust policy does not reference any accounts. ......................................................................................... 232332322323
| | OK : ec2_s3_read_only_2 trust policy does not reference any accounts. ....................................................................................... 232332322323
| | OK : ec2_s3_read_only_3 trust policy does not reference any accounts. ....................................................................................... 232332322323
| | OK : iam_trusted_access_role_2 trust policy does not reference any cross-accounts. .......................................................................... 232332322323
| | OK : iam_trusted_access_role_20 trust policy does not reference any cross-accounts. ......................................................................... 232332322323
| | OK : iam_trusted_access_role_30 trust policy does not reference any accounts. ............................................................................... 232332322323
| | OK : iam_trusted_access_role_4 trust policy does not reference any cross-accounts. .......................................................................... 232332322323
| | OK : iam_trusted_access_role_5 trust policy does not reference any accounts. ................................................................................ 232332322323
| | OK : iam_trusted_access_role_6 trust policy does not reference any accounts. ................................................................................ 232332322323
| | OK : iam_trusted_access_role_7 trust policy does not reference any accounts. ................................................................................ 232332322323
| | OK : iam_trusted_access_role_8 trust policy does not reference any accounts. ................................................................................ 232332322323
| | OK : my-sso-role trust policy does not reference any accounts. .............................................................................................. 232332322323
| | OK : PublishFlowLogsToCloudWatchRole trust policy does not reference any accounts. .......................................................................... 232332322323
| | OK : PublishToCloudWatchLogsRole trust policy does not reference any accounts. .............................................................................. 232332322323
| | OK : resource-policy-analysis-role-1 trust policy does not reference any accounts. .......................................................................... 232332322323
| | OK : AWSBackupDefaultServiceRole trust policy does not reference any accounts. .............................................................................. 232332322323
| | OK : test-function-2-role-i16umoc8 trust policy does not reference any accounts. ............................................................................ 232332322323
| | OK : test-function-3-role-ofc3xrg2 trust policy does not reference any accounts. ............................................................................ 232332322323
| | OK : test-function-4-role-bjzyzpti trust policy does not reference any accounts. ............................................................................ 232332322323
| | OK : test-function-role-ouk9m007 trust policy does not reference any accounts. .............................................................................. 232332322323
| | OK : test-admin-role trust policy does not reference any cross-accounts. .................................................................................... 232332322323
| | OK : test-amazon-1 trust policy does not reference any accounts. ............................................................................................ 232332322323
| | OK : test-aws-amazon-sub-type-1 trust policy does not reference any accounts. ............................................................................... 232332322323
| | OK : test-aws-is-broken trust policy does not reference any accounts. ....................................................................................... 232332322323
| | OK : test-google-1 trust policy does not reference any accounts. ............................................................................................ 232332322323
| | OK : test-google-2 trust policy does not reference any accounts. ............................................................................................ 232332322323
| | OK : test-google-role trust policy does not reference any accounts. ......................................................................................... 232332322323
| | OK : test-messy-1 trust policy does not reference any accounts. ............................................................................................. 232332322323
| | OK : test-role-3 trust policy does not reference any accounts. .............................................................................................. 232332322323
| | OK : test-role-self trust policy does not reference any cross-accounts. ..................................................................................... 232332322323
| | OK : test-rubbish3 trust policy does not reference any accounts. ............................................................................................ 232332322323
| | OK : test-saml-role-1 trust policy does not reference any accounts. ......................................................................................... 232332322323
| | OK : test-service-role-1 trust policy does not reference any accounts. ...................................................................................... 232332322323
| | OK : test-service-role-2 trust policy does not reference any accounts. ...................................................................................... 232332322323
| | OK : test-service-role-3 trust policy does not reference any accounts. ...................................................................................... 232332322323
| | OK : test-service-role-4 trust policy does not reference any accounts. ...................................................................................... 232332322323
| | OK : test-service-role-5 trust policy does not reference any accounts. ...................................................................................... 232332322323
| | OK : test-service-role-6 trust policy does not reference any accounts. ...................................................................................... 232332322323
| | OK : test-web-identity-1 trust policy does not reference any accounts. ...................................................................................... 232332322323
| | OK : us-east-1_PtrpBLBqu-authRole trust policy does not reference any accounts. ............................................................................. 232332322323
| | OK : us-east-1_PtrpBLBqu_Full-access trust policy does not reference any accounts. .......................................................................... 232332322323
| | OK : us-east-1_u8mhp37to-authRole trust policy does not reference any accounts. ............................................................................. 232332322323
| | OK : us-east-1_u8mhp37to_Full-access trust policy does not reference any accounts. .......................................................................... 232332322323
| | OK : us-east-1_u8mhp37to_Manage-only trust policy does not reference any accounts. .......................................................................... 232332322323
| |
| + KMS key policies should prohibit untrusted account access ............................................................................................ 1 / 1 [= ]
| | |
| | ALARM: 62a473ea-2733-44eb-a626-352318acced6 trust policy grants cross-account access to 2 untrusted accounts: ["*", "232332322323"]. ................ us-east-1 232332322323
| |
| + Lambda function policies should prohibit untrusted account access .................................................................................... 2 / 3 [== ]
| | |
| | ALARM: test-function-3 trust policy grants cross-account access to 1 untrusted account: ["333322221111"]. ........................................... us-east-1 232332322323
| | ALARM: test-function-4 trust policy grants cross-account access to 2 untrusted accounts: ["333322221111", "222244446666"]. .......................... us-east-1 232332322323
| | OK : test-function trust policy does not reference any cross-accounts. ............................................................................ us-east-1 232332322323
| |
| + S3 bucket policies should prohibit untrusted account access .......................................................................................... 0 / 0 [ ]
| |
| + SNS topic policies should prohibit untrusted account access .......................................................................................... 1 / 1 [= ]
| | |
| | ALARM: Default_CloudWatch_Alarms_Topic trust policy grants cross-account access to 1 untrusted account: ["*"]. ...................................... us-east-1 232332322323
| |
| + SQS queue policies should prohibit untrusted account access .......................................................................................... 0 / 0 [ ]
|
+ Resource Policy Shared Organizations Access ............................................................................................................ 6 / 92 [=== ]
| |
| + ECR repository policies should prohibit untrusted organization access ................................................................................ 0 / 2 [= ]
| | |
| | OK : omero-test-private trust policy does not reference any organizations. ........................................................................ us-east-1 232332322323
| | OK : omero-test-private-2 trust policy does not reference any organizations. ...................................................................... us-east-1 232332322323
| |
| + Glacier vault policies should prohibit untrusted organization access ................................................................................. 0 / 0 [ ]
| |
| + IAM role trust policies should prohibit untrusted organization access ................................................................................ 5 / 86 [=== ]
| | |
| | ALARM: test-role-org-1 trust policy grants access to 1 untrusted organization: ["o-valid"]. ................................................................... 232332322323
| | ALARM: test-role-org-2 trust policy grants access to 2 untrusted organizations: ["o-valid1", "o-valid2"]. ..................................................... 232332322323
| | ALARM: test-role-org-3 trust policy grants access to 3 untrusted organizations: ["o-valid1", "o-valid2", "o-valid3"]. ......................................... 232332322323
| | ALARM: test-role-org-4 trust policy grants access to 3 untrusted organizations: ["o-valid1", "o-valid2", "o-valid3"]. ......................................... 232332322323
| | ALARM: test-role-org-5 trust policy grants access to 3 untrusted organizations: ["o-valid1", "o-valid2", "o-valid3"]. ......................................... 232332322323
| | OK : AWS-QuickSetup-StackSet-Local-AdministrationRole trust policy does not reference any organizations. .................................................... 232332322323
| | OK : AWS-QuickSetup-StackSet-Local-ExecutionRole trust policy does not reference any organizations. ......................................................... 232332322323
| | OK : AWSReservedSSO_SSO-Admin_ce6cf919091b63ee trust policy does not reference any organizations. ........................................................... 232332322323
| | OK : AWSReservedSSO_SSO-ReadOnly_7e9831f0c1810592 trust policy does not reference any organizations. ........................................................ 232332322323
| | OK : AWSServiceRoleForAccessAnalyzer trust policy does not reference any organizations. ..................................................................... 232332322323
| | OK : AWSServiceRoleForAutoScaling trust policy does not reference any organizations. ........................................................................ 232332322323
| | OK : AWSServiceRoleForBackup trust policy does not reference any organizations. ............................................................................. 232332322323
| | OK : AWSServiceRoleForCloudTrail trust policy does not reference any organizations. ......................................................................... 232332322323
| | OK : AWSServiceRoleForComputeOptimizer trust policy does not reference any organizations. ................................................................... 232332322323
| | OK : AWSServiceRoleForApplicationAutoScaling_DynamoDBTable trust policy does not reference any organizations. ............................................... 232332322323
| | OK : AWSServiceRoleForECS trust policy does not reference any organizations. ................................................................................ 232332322323
| | OK : AWSServiceRoleForApplicationAutoScaling_ECSService trust policy does not reference any organizations. .................................................. 232332322323
| | OK : AWSServiceRoleForElastiCache trust policy does not reference any organizations. ........................................................................ 232332322323
| | OK : AWSServiceRoleForElasticLoadBalancing trust policy does not reference any organizations. ............................................................... 232332322323
| | OK : AWSServiceRoleForGlobalAccelerator trust policy does not reference any organizations. .................................................................. 232332322323
| | OK : AWSServiceRoleForCloudFrontLogger trust policy does not reference any organizations. ................................................................... 232332322323
| | OK : AWSServiceRoleForOrganizations trust policy does not reference any organizations. ...................................................................... 232332322323
| | OK : AWSServiceRoleForRDS trust policy does not reference any organizations. ................................................................................ 232332322323
| | OK : AWSServiceRoleForBackupReports trust policy does not reference any organizations. ...................................................................... 232332322323
| | OK : AWSServiceRoleForAmazonSSM trust policy does not reference any organizations. .......................................................................... 232332322323
| | OK : AWSServiceRoleForSSO trust policy does not reference any organizations. ................................................................................ 232332322323
| | OK : AWSServiceRoleForSupport trust policy does not reference any organizations. ............................................................................ 232332322323
| | OK : AWSServiceRoleForTrustedAdvisor trust policy does not reference any organizations. ..................................................................... 232332322323
| | OK : ec2_s3_read_only trust policy does not reference any organizations. .................................................................................... 232332322323
| | OK : ec2_s3_read_only_2 trust policy does not reference any organizations. .................................................................................. 232332322323
| | OK : ec2_s3_read_only_3 trust policy does not reference any organizations. .................................................................................. 232332322323
| | OK : iam_trusted_access_role_1 trust policy does not reference any organizations. ........................................................................... 232332322323
| | OK : iam_trusted_access_role_2 trust policy does not reference any organizations. ........................................................................... 232332322323
| | OK : iam_trusted_access_role_20 trust policy does not reference any organizations. .......................................................................... 232332322323
| | OK : iam_trusted_access_role_3 trust policy does not reference any organizations. ........................................................................... 232332322323
| | OK : iam_trusted_access_role_30 trust policy does not reference any organizations. .......................................................................... 232332322323
| | OK : iam_trusted_access_role_4 trust policy does not reference any organizations. ........................................................................... 232332322323
| | OK : iam_trusted_access_role_41 trust policy does not reference any organizations. .......................................................................... 232332322323
| | OK : iam_trusted_access_role_5 trust policy does not reference any organizations. ........................................................................... 232332322323
| | OK : iam_trusted_access_role_6 trust policy does not reference any organizations. ........................................................................... 232332322323
| | OK : iam_trusted_access_role_7 trust policy does not reference any organizations. ........................................................................... 232332322323
| | OK : iam_trusted_access_role_8 trust policy does not reference any organizations. ........................................................................... 232332322323
| | OK : iam_trusted_access_role_9 trust policy does not reference any organizations. ........................................................................... 232332322323
| | OK : my-sso-role trust policy does not reference any organizations. ......................................................................................... 232332322323
| | OK : PublishFlowLogsToCloudWatchRole trust policy does not reference any organizations. ..................................................................... 232332322323
| | OK : PublishToCloudWatchLogsRole trust policy does not reference any organizations. ......................................................................... 232332322323
| | OK : resource-policy-analysis-role-1 trust policy does not reference any organizations. ..................................................................... 232332322323
| | OK : rexaac-assume-role trust policy does not reference any organizations. .................................................................................. 232332322323
| | OK : AWSBackupDefaultServiceRole trust policy does not reference any organizations. ......................................................................... 232332322323
| | OK : test-function-2-role-i16umoc8 trust policy does not reference any organizations. ....................................................................... 232332322323
| | OK : test-function-3-role-ofc3xrg2 trust policy does not reference any organizations. ....................................................................... 232332322323
| | OK : test-function-4-role-bjzyzpti trust policy does not reference any organizations. ....................................................................... 232332322323
| | OK : test-function-role-ouk9m007 trust policy does not reference any organizations. ......................................................................... 232332322323
| | OK : test-admin-role trust policy does not reference any organizations. ..................................................................................... 232332322323
| | OK : test-amazon-1 trust policy does not reference any organizations. ....................................................................................... 232332322323
| | OK : test-aws-amazon-sub-type-1 trust policy does not reference any organizations. .......................................................................... 232332322323
| | OK : test-aws-is-broken trust policy does not reference any organizations. .................................................................................. 232332322323
| | OK : test-google-2 trust policy does not reference any organizations. ....................................................................................... 232332322323
| | OK : test-google-role trust policy does not reference any organizations. .................................................................................... 232332322323
| | OK : test-messy-1 trust policy does not reference any organizations. ........................................................................................ 232332322323
| | OK : test-public-1 trust policy does not reference any organizations. ....................................................................................... 232332322323
| | OK : test-public-role-5 trust policy does not reference any organizations. .................................................................................. 232332322323
| | OK : test-role-2 trust policy does not reference any organizations. ......................................................................................... 232332322323
| | OK : test-role-3 trust policy does not reference any organizations. ......................................................................................... 232332322323
| | OK : test-role-mulitple trust policy does not reference any organizations. .................................................................................. 232332322323
| | OK : test-role-mulitple-2 trust policy does not reference any organizations. ................................................................................ 232332322323
| | OK : test-role-public-2 trust policy does not reference any organizations. .................................................................................. 232332322323
| | OK : test-role-public-3 trust policy does not reference any organizations. .................................................................................. 232332322323
| | OK : test-role-public-4 trust policy does not reference any organizations. .................................................................................. 232332322323
| | OK : test-role-public-5 trust policy does not reference any organizations. .................................................................................. 232332322323
| | OK : test-role-self trust policy does not reference any organizations. ...................................................................................... 232332322323
| | OK : test-rubbish3 trust policy does not reference any organizations. ....................................................................................... 232332322323
| | OK : test-saml-role-1 trust policy does not reference any organizations. .................................................................................... 232332322323
| | OK : test-service-role-1 trust policy does not reference any organizations. ................................................................................. 232332322323
| | OK : test-service-role-2 trust policy does not reference any organizations. ................................................................................. 232332322323
| | OK : test-service-role-3 trust policy does not reference any organizations. ................................................................................. 232332322323
| | OK : test-service-role-4 trust policy does not reference any organizations. ................................................................................. 232332322323
| | OK : test-service-role-5 trust policy does not reference any organizations. ................................................................................. 232332322323
| | OK : test-service-role-6 trust policy does not reference any organizations. ................................................................................. 232332322323
| | OK : test-steampipe-role-1 trust policy does not reference any organizations. ............................................................................... 232332322323
| | OK : test-web-identity-1 trust policy does not reference any organizations. ................................................................................. 232332322323
| | OK : us-east-1_PtrpBLBqu_Full-access trust policy does not reference any organizations. ..................................................................... 232332322323
| | OK : us-east-1_PtrpBLBqu_Manage-only trust policy does not reference any organizations. ..................................................................... 232332322323
| | OK : us-east-1_u8mhp37to-authRole trust policy does not reference any organizations. ........................................................................ 232332322323
| | OK : us-east-1_u8mhp37to_Full-access trust policy does not reference any organizations. ..................................................................... 232332322323
| | OK : us-east-1_u8mhp37to_Manage-only trust policy does not reference any organizations. ..................................................................... 232332322323
| |
| + KMS key policies should prohibit untrusted organization access ....................................................................................... 0 / 0 [ ]
| |
| + Lambda function policies should prohibit untrusted organization access ............................................................................... 0 / 2 [= ]
| | |
| | OK : test-function trust policy does not reference any organizations. ............................................................................. us-east-1 232332322323
| | OK : test-function-4 trust policy does not reference any organizations. ........................................................................... us-east-1 232332322323
| |
| + S3 bucket policies should prohibit untrusted organization access ..................................................................................... 0 / 2 [= ]
| | |
| | OK : account-tags-test-bucket trust policy does not reference any organizations. .................................................................. us-east-1 232332322323
| | OK : omero-resource-policy-bucket trust policy does not reference any organizations. .............................................................. us-east-1 232332322323
| |
| + SNS topic policies should prohibit untrusted organization access ..................................................................................... 0 / 1 [= ]
| | |
| | OK : Default_CloudWatch_Alarms_Topic trust policy does not reference any organizations. ........................................................... us-east-1 232332322323
| |
| + SQS queue policies should prohibit untrusted organization access ..................................................................................... 0 / 0 [ ]
|
+ Resource Policy Shared Services Access ................................................................................................................. 42 / 92 [=== ]
| |
| + ECR repository policies should prohibit untrusted organization access ................................................................................ 2 / 2 [= ]
| | |
| | ALARM: omero-test-private trust policy grants access to 1 untrusted service: ["codebuild.amazonaws.com"]. ........................................... us-east-1 232332322323
| | ALARM: omero-test-private-2 trust policy grants access to 1 untrusted service: ["codebuild.amazonaws.com"]. ......................................... us-east-1 232332322323
| |
| + Glacier vault policies should prohibit untrusted organization access ................................................................................. 0 / 0 [ ]
| |
| + IAM role trust policies should prohibit untrusted organization access ................................................................................ 40 / 89 [=== ]
| | |
| | ALARM: AWS-QuickSetup-StackSet-Local-AdministrationRole trust policy grants access to 1 untrusted service: ["cloudformation.amazonaws.com"]. .................. 232332322323
| | ALARM: AWSServiceRoleForAccessAnalyzer trust policy grants access to 1 untrusted service: ["access-analyzer.amazonaws.com"]. .................................. 232332322323
| | ALARM: AWSServiceRoleForAutoScaling trust policy grants access to 1 untrusted service: ["autoscaling.amazonaws.com"]. ......................................... 232332322323
| | ALARM: AWSServiceRoleForBackup trust policy grants access to 1 untrusted service: ["backup.amazonaws.com"]. ................................................... 232332322323
| | ALARM: AWSServiceRoleForCloudTrail trust policy grants access to 1 untrusted service: ["cloudtrail.amazonaws.com"]. ........................................... 232332322323
| | ALARM: AWSServiceRoleForComputeOptimizer trust policy grants access to 1 untrusted service: ["compute-optimizer.amazonaws.com"]. .............................. 232332322323
| | ALARM: AWSServiceRoleForConfig trust policy grants access to 1 untrusted service: ["config.amazonaws.com"]. ................................................... 232332322323
| | ALARM: AWSServiceRoleForApplicationAutoScaling_DynamoDBTable trust policy grants access to 1 untrusted service: ["dynamodb.application-autoscaling.amazonaws.c… 232332322323
| | ALARM: AWSServiceRoleForECS trust policy grants access to 1 untrusted service: ["ecs.amazonaws.com"]. ......................................................... 232332322323
| | ALARM: AWSServiceRoleForApplicationAutoScaling_ECSService trust policy grants access to 1 untrusted service: ["ecs.application-autoscaling.amazonaws.com"]. ... 232332322323
| | ALARM: AWSServiceRoleForElastiCache trust policy grants access to 1 untrusted service: ["elasticache.amazonaws.com"]. ......................................... 232332322323
| | ALARM: AWSServiceRoleForGlobalAccelerator trust policy grants access to 1 untrusted service: ["globalaccelerator.amazonaws.com"]. ............................. 232332322323
| | ALARM: AWSServiceRoleForCloudFrontLogger trust policy grants access to 1 untrusted service: ["logger.cloudfront.amazonaws.com"]. .............................. 232332322323
| | ALARM: AWSServiceRoleForAPIGateway trust policy grants access to 1 untrusted service: ["ops.apigateway.amazonaws.com"]. ....................................... 232332322323
| | ALARM: AWSServiceRoleForOrganizations trust policy grants access to 1 untrusted service: ["organizations.amazonaws.com"]. ..................................... 232332322323
| | ALARM: AWSServiceRoleForRDS trust policy grants access to 1 untrusted service: ["rds.amazonaws.com"]. ......................................................... 232332322323
| | ALARM: AWSServiceRoleForBackupReports trust policy grants access to 1 untrusted service: ["reports.backup.amazonaws.com"]. .................................... 232332322323
| | ALARM: AWSServiceRoleForSecurityHub trust policy grants access to 1 untrusted service: ["securityhub.amazonaws.com"]. ......................................... 232332322323
| | ALARM: AWSServiceRoleForAmazonSSM trust policy grants access to 1 untrusted service: ["ssm.amazonaws.com"]. ................................................... 232332322323
| | ALARM: AWSServiceRoleForSSO trust policy grants access to 1 untrusted service: ["sso.amazonaws.com"]. ......................................................... 232332322323
| | ALARM: AWSServiceRoleForSupport trust policy grants access to 1 untrusted service: ["support.amazonaws.com"]. ................................................. 232332322323
| | ALARM: AWSServiceRoleForTrustedAdvisor trust policy grants access to 1 untrusted service: ["trustedadvisor.amazonaws.com"]. ................................... 232332322323
| | ALARM: ec2_s3_read_only_3 trust policy grants access to 1 untrusted service: ["lambda.amazonaws.com"]. ........................................................ 232332322323
| | ALARM: PublishFlowLogsToCloudWatchRole trust policy grants access to 1 untrusted service: ["vpc-flow-logs.amazonaws.com"]. .................................... 232332322323
| | ALARM: PublishToCloudWatchLogsRole trust policy grants access to 1 untrusted service: ["vpc-flow-logs.amazonaws.com"]. ........................................ 232332322323
| | ALARM: AWSBackupDefaultServiceRole trust policy grants access to 1 untrusted service: ["backup.amazonaws.com"]. ............................................... 232332322323
| | ALARM: test-function-2-role-i16umoc8 trust policy grants access to 1 untrusted service: ["lambda.amazonaws.com"]. ............................................. 232332322323
| | ALARM: test-function-3-role-ofc3xrg2 trust policy grants access to 1 untrusted service: ["lambda.amazonaws.com"]. ............................................. 232332322323
| | ALARM: test-function-4-role-bjzyzpti trust policy grants access to 1 untrusted service: ["lambda.amazonaws.com"]. ............................................. 232332322323
| | ALARM: test-function-role-ouk9m007 trust policy grants access to 1 untrusted service: ["lambda.amazonaws.com"]. ............................................... 232332322323
| | ALARM: test-aws-is-broken trust policy grants access to 1 untrusted service: ["lambda.amazonaws.com"]. ........................................................ 232332322323
| | ALARM: test-public-role-5 trust policy grants access to 2 untrusted services: ["cloudwatch.amazonaws.com", "ecs.amazonaws.com"]. .............................. 232332322323
| | ALARM: test-role-public-3 trust policy grants access to 1 untrusted service: ["ecs.amazonaws.com"]. ........................................................... 232332322323
| | ALARM: test-role-public-4 trust policy grants access to 2 untrusted services: ["cloudwatch.amazonaws.com", "ecs.amazonaws.com"]. .............................. 232332322323
| | ALARM: test-role-public-5 trust policy grants access to 3 untrusted services: ["cloudwatch.amazonaws.com", "ecs.amazonaws.com", "fsx.amazonaws.com"]. ......... 232332322323
| | ALARM: test-service-role-1 trust policy grants access to 1 untrusted service: ["access-analyzer.amazonaws.com"]. .............................................. 232332322323
| | ALARM: test-service-role-2 trust policy grants access to 2 untrusted services: ["access-analyzer.amazonaws.com", "backup.amazonaws.com"]. ..................... 232332322323
| | ALARM: test-service-role-3 trust policy grants access to 3 untrusted services: ["access-analyzer.amazonaws.com", "backup.amazonaws.com", "cloudtrail.amazonaws… 232332322323
| | ALARM: test-service-role-4 trust policy grants access to 4 untrusted services: ["access-analyzer.amazonaws.com", "backup.amazonaws.com", "cloudtrail.amazonaws… 232332322323
| | ALARM: test-service-role-5 trust policy grants access to 3 untrusted services: ["access-analyzer.amazonaws.com", "backup.amazonaws.com", "globalaccelerator.am… 232332322323
| | OK : AWS-QuickSetup-StackSet-Local-ExecutionRole trust policy does not reference any services. .............................................................. 232332322323
| | OK : AWSReservedSSO_SSO-Admin_ce6cf919091b63ee trust policy does not reference any services. ................................................................ 232332322323
| | OK : AWSReservedSSO_SSO-ReadOnly_7e9831f0c1810592 trust policy does not reference any services. ............................................................. 232332322323
| | OK : AWSServiceRoleForElasticLoadBalancing trust policy grants access to 1 trusted service(s). .............................................................. 232332322323
| | OK : ec2_s3_read_only trust policy grants access to 1 trusted service(s). ................................................................................... 232332322323
| | OK : ec2_s3_read_only_2 trust policy grants access to 1 trusted service(s). ................................................................................. 232332322323
| | OK : iam_trusted_access_role_1 trust policy grants access to 1 trusted service(s). .......................................................................... 232332322323
| | OK : iam_trusted_access_role_10 trust policy does not reference any services. ............................................................................... 232332322323
| | OK : iam_trusted_access_role_2 trust policy does not reference any services. ................................................................................ 232332322323
| | OK : iam_trusted_access_role_20 trust policy does not reference any services. ............................................................................... 232332322323
| | OK : iam_trusted_access_role_30 trust policy does not reference any services. ............................................................................... 232332322323
| | OK : iam_trusted_access_role_4 trust policy does not reference any services. ................................................................................ 232332322323
| | OK : iam_trusted_access_role_41 trust policy does not reference any services. ............................................................................... 232332322323
| | OK : iam_trusted_access_role_5 trust policy does not reference any services. ................................................................................ 232332322323
| | OK : iam_trusted_access_role_6 trust policy does not reference any services. ................................................................................ 232332322323
| | OK : iam_trusted_access_role_7 trust policy does not reference any services. ................................................................................ 232332322323
| | OK : iam_trusted_access_role_9 trust policy does not reference any services. ................................................................................ 232332322323
| | OK : my-sso-role trust policy does not reference any services. .............................................................................................. 232332322323
| | OK : resource-policy-analysis-role-1 trust policy grants access to 1 trusted service(s). .................................................................... 232332322323
| | OK : rexaac-assume-role trust policy does not reference any services. ....................................................................................... 232332322323
| | OK : test-admin-role trust policy does not reference any services. .......................................................................................... 232332322323
| | OK : test-amazon-1 trust policy does not reference any services. ............................................................................................ 232332322323
| | OK : test-aws-amazon-sub-type-1 trust policy does not reference any services. ............................................................................... 232332322323
| | OK : test-google-1 trust policy does not reference any services. ............................................................................................ 232332322323
| | OK : test-google-2 trust policy does not reference any services. ............................................................................................ 232332322323
| | OK : test-google-role trust policy does not reference any services. ......................................................................................... 232332322323
| | OK : test-messy-1 trust policy does not reference any services. ............................................................................................. 232332322323
| | OK : test-public-1 trust policy does not reference any services. ............................................................................................ 232332322323
| | OK : test-role-3 trust policy does not reference any services. .............................................................................................. 232332322323
| | OK : test-role-mulitple trust policy does not reference any services. ....................................................................................... 232332322323
| | OK : test-role-mulitple-2 trust policy does not reference any services. ..................................................................................... 232332322323
| | OK : test-role-org-1 trust policy does not reference any services. .......................................................................................... 232332322323
| | OK : test-role-org-2 trust policy does not reference any services. .......................................................................................... 232332322323
| | OK : test-role-org-3 trust policy does not reference any services. .......................................................................................... 232332322323
| | OK : test-role-org-4 trust policy does not reference any services. .......................................................................................... 232332322323
| | OK : test-role-org-5 trust policy does not reference any services. .......................................................................................... 232332322323
| | OK : test-role-public-2 trust policy grants access to 1 trusted service(s). ................................................................................. 232332322323
| | OK : test-role-self trust policy does not reference any services. ........................................................................................... 232332322323
| | OK : test-rubbish3 trust policy does not reference any services. ............................................................................................ 232332322323
| | OK : test-saml-role-1 trust policy does not reference any services. ......................................................................................... 232332322323
| | OK : test-service-role-6 trust policy grants access to 1 trusted service(s). ................................................................................ 232332322323
| | OK : test-steampipe-role-1 trust policy does not reference any services. .................................................................................... 232332322323
| | OK : test-web-identity-1 trust policy does not reference any services. ...................................................................................... 232332322323
| | OK : us-east-1_PtrpBLBqu-authRole trust policy does not reference any services. ............................................................................. 232332322323
| | OK : us-east-1_PtrpBLBqu_Full-access trust policy does not reference any services. .......................................................................... 232332322323
| | OK : us-east-1_PtrpBLBqu_Manage-only trust policy does not reference any services. .......................................................................... 232332322323
| | OK : us-east-1_u8mhp37to-authRole trust policy does not reference any services. ............................................................................. 232332322323
| | OK : us-east-1_u8mhp37to_Full-access trust policy does not reference any services. .......................................................................... 232332322323
| | OK : us-east-1_u8mhp37to_Manage-only trust policy does not reference any services. .......................................................................... 232332322323
| |
| + KMS key policies should prohibit untrusted organization access ....................................................................................... 0 / 0 [ ]
| |
| + Lambda function policies should prohibit untrusted organization access ............................................................................... 0 / 0 [ ]
| |
| + S3 bucket policies should prohibit untrusted organization access ..................................................................................... 0 / 1 [= ]
| | |
| | OK : omero-resource-policy-bucket trust policy does not reference any services. ................................................................... us-east-1 232332322323
| |
| + SNS topic policies should prohibit untrusted organization access ..................................................................................... 0 / 0 [ ]
| |
| + SQS queue policies should prohibit untrusted organization access ..................................................................................... 0 / 0 [ ]
|
+ Resource Policy Shared Indentity Providers Access ...................................................................................................... 18 / 93 [=== ]
|
+ ECR repository policies should prohibit access of untrusted identity providers ....................................................................... 0 / 2 [= ]
| |
| OK : omero-test-private trust policy does not reference any identity providers. ................................................................... us-east-1 232332322323
| OK : omero-test-pr
|
+ Glacier vault policies should prohibit access of untrusted identity providers ........................................................................ 0 / 0 [ ]
|
+ IAM role trust policies should prohibit access of untrusted identity providers ....................................................................... 17 / 89 [=== ]
| |
| ALARM: AWSReservedSSO_SSO-ReadOnly_7e9831f0c1810592 trust policy grants access to 1 untrusted identity provider: ["arn:aws:iam::232332322323:saml-provider/AWS… 232332322323
| ALARM: iam_trusted_access_role_30 trust policy grants access to 1 untrusted identity provider: ["arn:aws:iam::232332322323:saml-provider/AWSSSO_2d3ba2e36f2ba5… 232332322323
| ALARM: iam_trusted_access_role_5 trust policy grants access to 2 untrusted identity providers: ["arn:aws:iam::232332322323:saml-provider/SSO1_WITH_A_NAME", "a… 232332322323
| ALARM: iam_trusted_access_role_6 trust policy grants access to 1 untrusted identity provider: ["www.amazon.com"]. ............................................. 232332322323
| ALARM: iam_trusted_access_role_7 trust policy grants access to 1 untrusted identity provider: ["arn:aws:iam::232332322323:saml-provider/AWSSSO_2d3ba2e36f2ba5d… 232332322323
| ALARM: iam_trusted_access_role_8 trust policy grants access to 1 untrusted identity provider: ["arn:aws:iam::232332322323:saml-provider/AWSSSO_2d3ba2e36f2ba5d… 232332322323
| ALARM: my-sso-role trust policy grants access to 1 untrusted identity provider: ["arn:aws:iam::232332322323:saml-provider/AWSSSO_2d3ba2e36f2ba5d4_DO_NOT_DELET… 232332322323
| ALARM: test-amazon-1 trust policy grants access to 1 untrusted identity provider: ["www.amazon.com"]. ......................................................... 232332322323
| ALARM: test-aws-amazon-sub-type-1 trust policy grants access to 1 untrusted identity provider: ["arn:aws:iam::232332322323:saml-provider/AWSSSO_2d3ba2e36f2ba5… 232332322323
| ALARM: test-google-1 trust policy grants access to 1 untrusted identity provider: ["accounts.google.com"]. .................................................... 232332322323
| ALARM: test-google-2 trust policy grants access to 1 untrusted identity provider: ["accounts.google.com"]. .................................................... 232332322323
| ALARM: test-google-role trust policy grants access to 1 untrusted identity provider: ["accounts.google.com"]. ................................................. 232332322323
| ALARM: test-messy-1 trust policy grants access to 2 untrusted identity providers: ["arn:aws:iam::232332322323:saml-provider/AWSSSO_2d3ba2e36f2ba5d4_DO_NOT_DEL… 232332322323
| ALARM: test-role-3 trust policy grants access to 1 untrusted identity provider: ["arn:aws:iam::688720832404:saml-provider/provider-name"]. .................... 232332322323
| ALARM: test-rubbish3 trust policy grants access to 1 untrusted identity provider: ["accounts.google.com"]. .................................................... 232332322323
| ALARM: test-saml-role-1 trust policy grants access to 1 untrusted identity provider: ["arn:aws:iam::232332322323:saml-provider/AWSSSO_2d3ba2e36f2ba5d4_DO_NOT_… 232332322323
| ALARM: test-web-identity-1 trust policy grants access to 1 untrusted identity provider: ["accounts.google.com"]. .............................................. 232332322323
| OK : AWS-QuickSetup-StackSet-Local-AdministrationRole trust policy does not reference any identity providers. ............................................... 232332322323
| OK : AWS-QuickSetup-StackSet-Local-ExecutionRole trust policy does not reference any identity providers. .................................................... 232332322323
| OK : AWSServiceRoleForAccessAnalyzer trust policy does not reference any identity providers. ................................................................ 232332322323
| OK : AWSServiceRoleForBackup trust policy does not reference any identity providers. ........................................................................ 232332322323
| OK : AWSServiceRoleForCloudTrail trust policy does not reference any identity providers. .................................................................... 232332322323
| OK : AWSServiceRoleForComputeOptimizer trust policy does not reference any identity providers. .............................................................. 232332322323
| OK : AWSServiceRoleForConfig trust policy does not reference any identity providers. ........................................................................ 232332322323
| OK : AWSServiceRoleForApplicationAutoScaling_DynamoDBTable trust policy does not reference any identity providers. .......................................... 232332322323
| OK : AWSServiceRoleForECS trust policy does not reference any identity providers. ........................................................................... 232332322323
| OK : AWSServiceRoleForApplicationAutoScaling_ECSService trust policy does not reference any identity providers. ............................................. 232332322323
| OK : AWSServiceRoleForElastiCache trust policy does not reference any identity providers. ................................................................... 232332322323
| OK : AWSServiceRoleForElasticLoadBalancing trust policy does not reference any identity providers. .......................................................... 232332322323
| OK : AWSServiceRoleForGlobalAccelerator trust policy does not reference any identity providers. ............................................................. 232332322323
| OK : AWSServiceRoleForCloudFrontLogger trust policy does not reference any identity providers. .............................................................. 232332322323
| OK : AWSServiceRoleForAPIGateway trust policy does not reference any identity providers. .................................................................... 232332322323
| OK : AWSServiceRoleForOrganizations trust policy does not reference any identity providers. ................................................................. 232332322323
| OK : AWSServiceRoleForRDS trust policy does not reference any identity providers. ........................................................................... 232332322323
| OK : AWSServiceRoleForBackupReports trust policy does not reference any identity providers. ................................................................. 232332322323
| OK : AWSServiceRoleForSecurityHub trust policy does not reference any identity providers. ................................................................... 232332322323
| OK : AWSServiceRoleForAmazonSSM trust policy does not reference any identity providers. ..................................................................... 232332322323
| OK : AWSServiceRoleForSSO trust policy does not reference any identity providers. ........................................................................... 232332322323
| OK : AWSServiceRoleForSupport trust policy does not reference any identity providers. ....................................................................... 232332322323
| OK : ec2_s3_read_only trust policy does not reference any identity providers. ............................................................................... 232332322323
| OK : ec2_s3_read_only_2 trust policy does not reference any identity providers. ............................................................................. 232332322323
| OK : ec2_s3_read_only_3 trust policy does not reference any identity providers. ............................................................................. 232332322323
| OK : iam_trusted_access_role_1 trust policy grants access to 1 trusted identity provider(s). ................................................................ 232332322323
| OK : iam_trusted_access_role_10 trust policy does not reference any identity providers. ..................................................................... 232332322323
| OK : iam_trusted_access_role_2 trust policy does not reference any identity providers. ...................................................................... 232332322323
| OK : iam_trusted_access_role_20 trust policy does not reference any identity providers. ..................................................................... 232332322323
| OK : iam_trusted_access_role_3 trust policy does not reference any identity providers. ...................................................................... 232332322323
| OK : iam_trusted_access_role_4 trust policy does not reference any identity providers. ...................................................................... 232332322323
| OK : iam_trusted_access_role_41 trust policy does not reference any identity providers. ..................................................................... 232332322323
| OK : iam_trusted_access_role_9 trust policy does not reference any identity providers. ...................................................................... 232332322323
| OK : PublishFlowLogsToCloudWatchRole trust policy does not reference any identity providers. ................................................................ 232332322323
| OK : PublishToCloudWatchLogsRole trust policy does not reference any identity providers. .................................................................... 232332322323
| OK : resource-policy-analysis-role-1 trust policy does not reference any identity providers. ................................................................ 232332322323
| OK : rexaac-assume-role trust policy does not reference any identity providers. ............................................................................. 232332322323
| OK : AWSBackupDefaultServiceRole trust policy does not reference any identity providers. .................................................................... 232332322323
| OK : test-function-2-role-i16umoc8 trust policy does not reference any identity providers. .................................................................. 232332322323
| OK : test-function-3-role-ofc3xrg2 trust policy does not reference any identity providers. .................................................................. 232332322323
| OK : test-function-4-role-bjzyzpti trust policy does not reference any identity providers. .................................................................. 232332322323
| OK : test-function-role-ouk9m007 trust policy does not reference any identity providers. .................................................................... 232332322323
| OK : test-admin-role trust policy does not reference any identity providers. ................................................................................ 232332322323
| OK : test-aws-is-broken trust policy does not reference any identity providers. ............................................................................. 232332322323
| OK : test-public-1 trust policy does not reference any identity providers. .................................................................................. 232332322323
| OK : test-public-role-5 trust policy does not reference any identity providers. ............................................................................. 232332322323
| OK : test-role-2 trust policy grants access to 1 trusted identity provider(s). .............................................................................. 232332322323
| OK : test-role-mulitple trust policy does not reference any identity providers. ............................................................................. 232332322323
| OK : test-role-mulitple-2 trust policy does not reference any identity providers. ........................................................................... 232332322323
| OK : test-role-org-1 trust policy does not reference any identity providers. ................................................................................ 232332322323
| OK : test-role-org-2 trust policy does not reference any identity providers. ................................................................................ 232332322323
| OK : test-role-org-3 trust policy does not reference any identity providers. ................................................................................ 232332322323
| OK : test-role-org-4 trust policy does not reference any identity providers. ................................................................................ 232332322323
| OK : test-role-org-5 trust policy does not reference any identity providers. ................................................................................ 232332322323
| OK : test-role-public-2 trust policy does not reference any identity providers. ............................................................................. 232332322323
| OK : test-role-public-3 trust policy does not reference any identity providers. ............................................................................. 232332322323
| OK : test-role-public-4 trust policy does not reference any identity providers. ............................................................................. 232332322323
| OK : test-role-public-5 trust policy does not reference any identity providers. ............................................................................. 232332322323
| OK : test-role-self trust policy does not reference any identity providers. ................................................................................. 232332322323
| OK : test-service-role-1 trust policy does not reference any identity providers. ............................................................................ 232332322323
| OK : test-service-role-2 trust policy does not reference any identity providers. ............................................................................ 232332322323
| OK : test-service-role-3 trust policy does not reference any identity providers. ............................................................................ 232332322323
| OK : test-service-role-4 trust policy does not reference any identity providers. ............................................................................ 232332322323
| OK : test-service-role-5 trust policy does not reference any identity providers. ............................................................................ 232332322323
| OK : test-service-role-6 trust policy does not reference any identity providers. ............................................................................ 232332322323
| OK : test-steampipe-role-1 trust policy does not reference any identity providers. .......................................................................... 232332322323
| OK : us-east-1_PtrpBLBqu-authRole trust policy grants access to 1 trusted identity provider(s). ............................................................. 232332322323
| OK : us-east-1_PtrpBLBqu_Full-access trust policy grants access to 1 trusted identity provider(s). .......................................................... 232332322323
| OK : us-east-1_PtrpBLBqu_Manage-only trust policy grants access to 1 trusted identity provider(s). .......................................................... 232332322323
| OK : us-east-1_u8mhp37to-authRole trust policy grants access to 1 trusted identity provider(s). ............................................................. 232332322323
| OK : us-east-1_u8mhp37to_Full-access trust policy grants access to 1 trusted identity provider(s). .......................................................... 232332322323
| OK : us-east-1_u8mhp37to_Manage-only trust policy grants access to 1 trusted identity provider(s). .......................................................... 232332322323
|
+ KMS key policies should prohibit access of untrusted identity providers .............................................................................. 0 / 1 [= ]
| |
| OK : 62a473ea-2733-44eb-a626-352318acced6 trust policy does not reference any identity providers. ................................................. us-east-1 232332322323
|
+ Lambda function policies should prohibit access of untrusted identity providers ...................................................................... 0 / 1 [= ]
| |
| OK : test-function-4 trust policy does not reference any identity providers. ...................................................................... us-east-1 232332322323
|
+ S3 bucket policies should prohibit access of untrusted identity providers ............................................................................ 0 / 0 [ ]
|
+ SNS topic policies should prohibit access of untrusted identity providers ............................................................................ 0 / 1 [= ]
| |
| OK : Default_CloudWatch_Alarms_Topic trust policy does not reference any identity providers. ...................................................... us-east-1 232332322323
|
+ SQS queue policies should prohibit access of untrusted identity providers ............................................................................ 0 / 0 [ ]
Summary
OK .............................................................................................................................................................. 302 [======== ]
SKIP .............................................................................................................................................................. 0 [ ]
INFO .............................................................................................................................................................. 5 [= ]
ALARM ............................................................................................................................................................ 92 [=== ]
ERROR ............................................................................................................................................................. 2 [= ]
TOTAL ...................................................................................................................................................... 94 / 401 [==========]
omerosaienni@engineering ~/source-code/steampipe/steampipe-mod-aws-perimeter(updating-perimeter-mod-to-use-analyse-table)$
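Both role checks on this page (the "untrusted identity providers" results above and the "should prohibit public access" results in the Public Access run below) come down to walking the statements of a role's trust policy. The script here re-creates that classification stand-alone in Python so the findings can be reproduced against a policy document without Steampipe. It is an added illustration, not the mod's SQL and not code from this PR: the trusted-provider ARN, the sample trust policies and the role names are constructed, and the definition of a public statement (a `*` / `AWS: "*"` principal with no condition pinning the caller to an account, org, ARN or VPC) follows the IAM Access Analyzer notion of "public", which is an assumption of the example rather than the mod's rule.

```python
"""Stand-alone re-creation of two trust-policy checks from the runs on this page:
which federated identity providers a role trusts (and whether each is on an
allow-list), and which statements grant public access. Not the mod's SQL."""

# Condition keys that pin a wildcard principal to a known party; a "*" principal
# guarded by one of them is not treated as public. This follows the IAM Access
# Analyzer notion of "public" and is an assumption of this example.
RESTRICTING_CONDITION_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:principalorgpaths", "aws:sourceaccount", "aws:sourcearn",
    "aws:sourceowner", "aws:sourcevpc", "aws:sourcevpce", "aws:userid",
}

# Assumed allow-list; the provider ARN is constructed for this example.
TRUSTED_PROVIDERS = {"arn:aws:iam::232332322323:saml-provider/corp-idp"}

def _as_list(value):
    """IAM accepts a scalar or a list in most places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _statements(policy):
    """Yield (label, statement); label is the Sid if set, else Statement[n]
    (1-based), the same labelling the check output uses."""
    for idx, stmt in enumerate(_as_list(policy.get("Statement")), start=1):
        yield stmt.get("Sid") or f"Statement[{idx}]", stmt

def identity_providers(policy):
    """Federated principals (SAML provider ARNs or web-identity issuers) named
    by any Allow statement. Service and AWS-account principals are ignored."""
    found = set()
    for _, stmt in _statements(policy):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict):
            found.update(_as_list(principal.get("Federated")))
    return sorted(found)

def check_identity_providers(policy, trusted=TRUSTED_PROVIDERS):
    """Mirror the 'untrusted identity providers' control: ('ok'|'alarm', untrusted)."""
    untrusted = [p for p in identity_providers(policy) if p not in trusted]
    return ("alarm" if untrusted else "ok"), untrusted

def _is_wildcard_principal(principal):
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

def _has_restricting_condition(stmt):
    for operator, keys in (stmt.get("Condition") or {}).items():
        if operator.startswith("Null"):  # "key is absent" checks restrict nothing
            continue
        if any(k.lower() in RESTRICTING_CONDITION_KEYS for k in keys):
            return True
    return False

def public_statements(policy):
    """Labels of Allow statements anyone can satisfy: wildcard principal and no
    condition that ties the caller to an account, org, ARN or VPC."""
    return [label for label, stmt in _statements(policy)
            if stmt.get("Effect") == "Allow"
            and _is_wildcard_principal(stmt.get("Principal"))
            and not _has_restricting_condition(stmt)]

# Constructed trust policies covering the cases seen in the runs on this page.
SAMPLE_POLICIES = {
    "saml-role": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
        "Principal": {"Federated": "arn:aws:iam::232332322323:saml-provider/corp-idp"},
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]},
    "web-identity-role": {"Statement": [{"Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "accounts.google.com"}}]},
    "service-role": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": "backup.amazonaws.com"}}]},
    "public-role": {"Statement": [
        {"Sid": "AllowAnyone", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::232332322323:root"}}]},
    "org-scoped-role": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "*"},
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-a1a1a1aa11"}}}]},
}

def run(policies=SAMPLE_POLICIES, trusted=TRUSTED_PROVIDERS):
    """Evaluate every policy with both checks and return the findings by role name."""
    report = {}
    for name, policy in policies.items():
        status, untrusted = check_identity_providers(policy, trusted)
        report[name] = {"idp_status": status, "untrusted_idps": untrusted,
                        "public_statements": public_statements(policy)}
    return report

if __name__ == "__main__":
    for name, finding in run().items():
        print(f"{name}: {finding}")
```

Running it reports `web-identity-role` as an alarm for `accounts.google.com`, `saml-role` as ok because its provider is on the allow-list, and `public-role` as public only in the `AllowAnyone` statement (the account-scoped second statement is not reported); the `aws:PrincipalOrgID` condition keeps `org-scoped-role` out of the public list. Under this definition a service principal such as `backup.amazonaws.com` is not public, so the script reports nothing for `service-role`; the `AWSServiceRoleFor*` roles that the Public Access run below flags are therefore worth checking against the mod's own definition of a public principal before being treated as findings.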
Public Access
omerosaienni@engineering ~/source-code/steampipe/steampipe-mod-aws-perimeter(updating-perimeter-mod-to-use-analyse-table)$ steampipe check benchmark.public_access
Public Access .............................................................................................................................................. 60 / 133 [==========]
|
+ Public Access Settings ................................................................................................................................... 3 / 34 [=== ]
| |
| + API Gateway APIs should prohibit public access ......................................................................................................... 0 / 0 [ ]
| |
| + Database Migration Service (DMS) replication instances should not be public ............................................................................ 0 / 0 [ ]
| |
| + EBS snapshots should not be publicly restorable ........................................................................................................ 0 / 6 [= ]
| | |
| | OK : snap-09c14fff2c4c1b36b not publicly restorable. ................................................................................................ us-east-1 123456789012
| | OK : snap-0e3cd6d751a0d274e not publicly restorable. ................................................................................................ us-east-1 123456789012
| | OK : snap-01c573b1f4ebad60f not publicly restorable. ................................................................................................ us-east-1 123456789012
| | OK : snap-0d052e9a6dc0b710b not publicly restorable. ................................................................................................ us-east-1 123456789012
| | OK : snap-02fb96ea75cc078ff not publicly restorable. ................................................................................................ us-east-1 123456789012
| | OK : snap-0263366219ef8e62d not publicly restorable. ................................................................................................ us-east-1 123456789012
| |
| + EC2 AMIs should not be shared publicly ................................................................................................................. 1 / 6 [== ]
| | |
| | ALARM: ami-public-instance-1 publicly accessible. ..................................................................................................... us-east-1 123456789012
| | OK : ami-private-image-1 not publicly accessible. ................................................................................................... us-east-1 123456789012
| | OK : ami-private-image-2 not publicly accessible. ................................................................................................... us-east-1 123456789012
| | OK : ami-private-image-3 not publicly accessible. ................................................................................................... us-east-1 123456789012
| | OK : ami-public-instance-2 not publicly accessible. ................................................................................................. us-east-1 123456789012
| | OK : ami-public-instance-3 not publicly accessible. ................................................................................................. us-east-1 123456789012
| |
| + EKS cluster endpoints should prohibit public access .................................................................................................... 0 / 0 [ ]
| |
| + RDS DB cluster snapshots should not be publicly restorable ............................................................................................. 0 / 0 [ ]
| |
| + RDS DB instances should prohibit public access ......................................................................................................... 0 / 0 [ ]
| |
| + RDS DB snapshots should not be publicly restorable ..................................................................................................... 0 / 0 [ ]
| |
| + Redshift clusters should prohibit public access ........................................................................................................ 0 / 0 [ ]
| |
| + S3 bucket ACLs should prohibit public read access ...................................................................................................... 0 / 7 [= ]
| | |
| | OK : config-bucket-111122223333 not publicly readable. .............................................................................................. us-east-1 111122223333
| | OK : test-omero-bucket-1 not publicly readable. ..................................................................................................... us-east-1 111122223333
| | OK : account-tags-test-bucket not publicly readable. ................................................................................................ us-east-1 111122223333
| | OK : my-test-bucket-errored not publicly readable. .................................................................................................. us-east-1 111122223333
| | OK : omero-cloudfront-test-bucket not publicly readable. ............................................................................................ us-east-1 111122223333
| | OK : aws-cloudtrail-logs-111122223333-84bb46df not publicly readable. ............................................................................... us-east-1 111122223333
| | OK : omero-resource-policy-bucket not publicly readable. ............................................................................................ us-east-1 111122223333
| |
| + S3 bucket ACLs should prohibit public write access ..................................................................................................... 0 / 7 [= ]
| | |
| | OK : config-bucket-111122223333 not publicly writable. .............................................................................................. us-east-1 111122223333
| | OK : test-omero-bucket-1 not publicly writable. ..................................................................................................... us-east-1 111122223333
| | OK : account-tags-test-bucket not publicly writable. ................................................................................................ us-east-1 111122223333
| | OK : my-test-bucket-errored not publicly writable. .................................................................................................. us-east-1 111122223333
| | OK : omero-cloudfront-test-bucket not publicly writable. ............................................................................................ us-east-1 111122223333
| | OK : aws-cloudtrail-logs-111122223333-84bb46df not publicly writable. ............................................................................... us-east-1 111122223333
| | OK : omero-resource-policy-bucket not publicly writable. ............................................................................................ us-east-1 111122223333
| |
| + S3 account settings should block public access ......................................................................................................... 1 / 1 [= ]
| | |
| | ALARM: Account level public access not enabled for: block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets. ........................ 111122223333
| |
| + S3 buckets should block public access at bucket level .................................................................................................. 1 / 7 [== ]
| | |
| | ALARM: omero-resource-policy-bucket not enabled for: block_public_policy, restrict_public_buckets. .................................................... us-east-1 111122223333
| | OK : account-tags-test-bucket all public access blocks enabled. ..................................................................................... us-east-1 111122223333
| | OK : config-bucket-111122223333 all public access blocks enabled. ................................................................................... us-east-1 111122223333
| | OK : test-omero-bucket-1 all public access blocks enabled. .......................................................................................... us-east-1 111122223333
| | OK : my-test-bucket-errored all public access blocks enabled. ....................................................................................... us-east-1 111122223333
| | OK : omero-cloudfront-test-bucket all public access blocks enabled. ................................................................................. us-east-1 111122223333
| | OK : aws-cloudtrail-logs-111122223333-84bb46df all public access blocks enabled. .................................................................... us-east-1 111122223333
| |
| + SageMaker notebook instances should be prohibited from direct internet access .......................................................................... 0 / 0 [ ]
|
+ Resource Policy Public Access ............................................................................................................................ 57 / 99 [======== ]
|
+ ECR repository policies should prohibit public access .................................................................................................. 1 / 2 [== ]
| |
| ALARM: omero-test-private-2 policy contains 1 statement that allow public access: [CodeBuildAccess]. .................................................. us-east-1 111122223333
| OK : omero-test-private policy does not allow public access. ........................................................................................ us-east-1 111122223333
|
+ Glacier vault policies should prohibit public access ................................................................................................... 0 / 0 [ ]
|
+ IAM role trust policies should prohibit public access .................................................................................................. 54 / 91 [======= ]
| |
| ALARM: AWS-QuickSetup-StackSet-Local-AdministrationRole policy contains 1 statement that allow public access: [Statement[1]]. ................................... 111122223333
| ALARM: AWSServiceRoleForAccessAnalyzer policy contains 1 statement that allow public access: [Statement[1]]. .................................................... 111122223333
| ALARM: AWSServiceRoleForAutoScaling policy contains 1 statement that allow public access: [Statement[1]]. ....................................................... 111122223333
| ALARM: AWSServiceRoleForBackup policy contains 1 statement that allow public access: [Statement[1]]. ............................................................ 111122223333
| ALARM: AWSServiceRoleForCloudTrail policy contains 1 statement that allow public access: [Statement[1]]. ........................................................ 111122223333
| ALARM: AWSServiceRoleForComputeOptimizer policy contains 1 statement that allow public access: [Statement[1]]. .................................................. 111122223333
| ALARM: AWSServiceRoleForConfig policy contains 1 statement that allow public access: [Statement[1]]. ............................................................ 111122223333
| ALARM: AWSServiceRoleForApplicationAutoScaling_DynamoDBTable policy contains 1 statement that allow public access: [Statement[1]]. .............................. 111122223333
| ALARM: AWSServiceRoleForECS policy contains 1 statement that allow public access: [Statement[1]]. ............................................................... 111122223333
| ALARM: AWSServiceRoleForApplicationAutoScaling_ECSService policy contains 1 statement that allow public access: [Statement[1]]. ................................. 111122223333
| ALARM: AWSServiceRoleForElastiCache policy contains 1 statement that allow public access: [Statement[1]]. ....................................................... 111122223333
| ALARM: AWSServiceRoleForElasticLoadBalancing policy contains 1 statement that allow public access: [Statement[1]]. .............................................. 111122223333
| ALARM: AWSServiceRoleForGlobalAccelerator policy contains 1 statement that allow public access: [Statement[1]]. ................................................. 111122223333
| ALARM: AWSServiceRoleForCloudFrontLogger policy contains 1 statement that allow public access: [Statement[1]]. .................................................. 111122223333
| ALARM: AWSServiceRoleForAPIGateway policy contains 1 statement that allow public access: [Statement[1]]. ........................................................ 111122223333
| ALARM: AWSServiceRoleForOrganizations policy contains 1 statement that allow public access: [Statement[1]]. ..................................................... 111122223333
| ALARM: AWSServiceRoleForRDS policy contains 1 statement that allow public access: [Statement[1]]. ............................................................... 111122223333
| ALARM: AWSServiceRoleForBackupReports policy contains 1 statement that allow public access: [Statement[1]]. ..................................................... 111122223333
| ALARM: AWSServiceRoleForSecurityHub policy contains 1 statement that allow public access: [Statement[1]]. ....................................................... 111122223333
| ALARM: AWSServiceRoleForAmazonSSM policy contains 1 statement that allow public access: [Statement[1]]. ......................................................... 111122223333
| ALARM: AWSServiceRoleForSSO policy contains 1 statement that allow public access: [Statement[1]]. ............................................................... 111122223333
| ALARM: AWSServiceRoleForSupport policy contains 1 statement that allow public access: [Statement[1]]. ........................................................... 111122223333
| ALARM: AWSServiceRoleForTrustedAdvisor policy contains 1 statement that allow public access: [Statement[1]]. .................................................... 111122223333
| ALARM: ec2_s3_read_only policy contains 1 statement that allow public access: [Statement[1]]. ................................................................... 111122223333
| ALARM: ec2_s3_read_only_2 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................. 111122223333
| ALARM: ec2_s3_read_only_3 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................. 111122223333
| ALARM: iam_trusted_access_role_1 policy contains 1 statement that allow public access: [Statement[3]]. .......................................................... 111122223333
| ALARM: iam_trusted_access_role_5 policy contains 1 statement that allow public access: [Statement[1]]. .......................................................... 111122223333
| ALARM: PublishFlowLogsToCloudWatchRole policy contains 1 statement that allow public access: [Statement[1]]. .................................................... 111122223333
| ALARM: PublishToCloudWatchLogsRole policy contains 1 statement that allow public access: [Statement[1]]. ........................................................ 111122223333
| ALARM: resource-policy-analysis-role-1 policy contains 1 statement that allow public access: [Statement[1]]. .................................................... 111122223333
| ALARM: AWSBackupDefaultServiceRole policy contains 1 statement that allow public access: [Statement[1]]. ........................................................ 111122223333
| ALARM: test-function-2-role-i16umoc8 policy contains 1 statement that allow public access: [Statement[1]]. ...................................................... 111122223333
| ALARM: test-function-3-role-ofc3xrg2 policy contains 1 statement that allow public access: [Statement[1]]. ...................................................... 111122223333
| ALARM: test-function-4-role-bjzyzpti policy contains 1 statement that allow public access: [Statement[1]]. ...................................................... 111122223333
| ALARM: test-function-role-ouk9m007 policy contains 1 statement that allow public access: [Statement[1]]. ........................................................ 111122223333
| ALARM: test-aws-is-broken policy contains 1 statement that allow public access: [Statement[1]]. ................................................................. 111122223333
| ALARM: test-messy-1 policy contains 1 statement that allow public access: [Statement[1]]. ....................................................................... 111122223333
| ALARM: test-public-1 policy contains 1 statement that allow public access: [Statement[1]]. ...................................................................... 111122223333
| ALARM: test-public-role-5 policy contains 3 statement that allow public access: [Statement[1], Statement[2], and 1 more]. ....................................... 111122223333
| ALARM: test-role-2 policy contains 1 statement that allow public access: [Statement[1]]. ........................................................................ 111122223333
| ALARM: test-role-3 policy contains 1 statement that allow public access: [Statement[1]]. ........................................................................ 111122223333
| ALARM: test-role-org-4 policy contains 1 statement that allow public access: [Statement[1]]. .................................................................... 111122223333
| ALARM: test-role-public-2 policy contains 2 statement that allow public access: [Statement[1], Statement[2]]. ................................................... 111122223333
| ALARM: test-role-public-3 policy contains 3 statement that allow public access: [Statement[1], Statement[2], and 1 more]. ....................................... 111122223333
| ALARM: test-role-public-4 policy contains 3 statement that allow public access: [Statement[1], Statement[2], and 1 more]. ....................................... 111122223333
| ALARM: test-role-public-5 policy contains 4 statement that allow public access: [Statement[1], Statement[2], and 2 more]. ....................................... 111122223333
| ALARM: test-service-role-1 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................ 111122223333
| ALARM: test-service-role-2 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................ 111122223333
| ALARM: test-service-role-3 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................ 111122223333
| ALARM: test-service-role-4 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................ 111122223333
| ALARM: test-service-role-5 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................ 111122223333
| ALARM: test-service-role-6 policy contains 1 statement that allow public access: [Statement[1]]. ................................................................ 111122223333
| ALARM: test-steampipe-role-1 policy contains 1 statement that allow public access: [Statement[1]]. .............................................................. 111122223333
| OK : AWS-QuickSetup-StackSet-Local-ExecutionRole policy does not allow public access. ......................................................................... 111122223333
| OK : AWSReservedSSO_SSO-Admin_ce6cf919091b63ee policy does not allow public access. ........................................................................... 111122223333
| OK : AWSReservedSSO_SSO-ReadOnly_7e9831f0c1810592 policy does not allow public access. ........................................................................ 111122223333
| OK : iam_trusted_access_role_10 policy does not allow public access. .......................................................................................... 111122223333
| OK : iam_trusted_access_role_2 policy does not allow public access. ........................................................................................... 111122223333
| OK : iam_trusted_access_role_20 policy does not allow public access. .......................................................................................... 111122223333
| OK : iam_trusted_access_role_3 policy does not allow public access. ........................................................................................... 111122223333
| OK : iam_trusted_access_role_30 policy does not allow public access. .......................................................................................... 111122223333
| OK : iam_trusted_access_role_4 policy does not allow public access. ........................................................................................... 111122223333
| OK : iam_trusted_access_role_41 policy does not allow public access. .......................................................................................... 111122223333
| OK : iam_trusted_access_role_6 policy does not allow public access. ........................................................................................... 111122223333
| OK : iam_trusted_access_role_7 policy does not allow public access. ........................................................................................... 111122223333
| OK : iam_trusted_access_role_8 policy does not allow public access. ........................................................................................... 111122223333
| OK : iam_trusted_access_role_9 policy does not allow public access. ........................................................................................... 111122223333
| OK : rexaac-assume-role policy does not allow public access. .................................................................................................. 111122223333
| OK : test-admin-role policy does not allow public access. ..................................................................................................... 111122223333
| OK : test-amazon-1 policy does not allow public access. ....................................................................................................... 111122223333
| OK : test-aws-amazon-sub-type-1 policy does not allow public access. .......................................................................................... 111122223333
| OK : test-google-1 policy does not allow public access. ....................................................................................................... 111122223333
| OK : test-google-2 policy does not allow public access. ....................................................................................................... 111122223333
| OK : test-google-role policy does not allow public access. .................................................................................................... 111122223333
| OK : test-role-mulitple policy does not allow public access. .................................................................................................. 111122223333
| OK : test-role-mulitple-2 policy does not allow public access. ................................................................................................ 111122223333
| OK : test-role-org-1 policy does not allow public access. ..................................................................................................... 111122223333
| OK : test-role-org-2 policy does not allow public access. ..................................................................................................... 111122223333
| OK : test-role-org-3 policy does not allow public access. ..................................................................................................... 111122223333
| OK : test-role-org-5 policy does not allow public access. ..................................................................................................... 111122223333
| OK : test-role-self policy does not allow public access. ...................................................................................................... 111122223333
| OK : test-rubbish3 policy does not allow public access. ....................................................................................................... 111122223333
| OK : test-saml-role-1 policy does not allow public access. .................................................................................................... 111122223333
| OK : test-web-identity-1 policy does not allow public access. ................................................................................................. 111122223333
| OK : us-east-1_PtrpBLBqu-authRole policy does not allow public access. ........................................................................................ 111122223333
| OK : us-east-1_PtrpBLBqu_Full-access policy does not allow public access. ..................................................................................... 111122223333
| OK : us-east-1_PtrpBLBqu_Manage-only policy does not allow public access. ..................................................................................... 111122223333
| OK : us-east-1_u8mhp37to-authRole policy does not allow public access. ........................................................................................ 111122223333
| OK : us-east-1_u8mhp37to_Full-access policy does not allow public access. ..................................................................................... 111122223333
| OK : us-east-1_u8mhp37to_Manage-only policy does not allow public access. ..................................................................................... 111122223333
|
+ KMS key policies should prohibit public access ......................................................................................................... 1 / 1 [= ]
| |
| ALARM: 62a473ea-2733-44eb-a626-352318acced6 policy contains 5 statement that allow public access: [Allow CloudTrail to describe key, Allow CloudTrail … us-east-1 111122223333
|
+ Lambda function policies should prohibit public access ................................................................................................. 0 / 3 [= ]
| |
| OK : test-function policy does not allow public access. ............................................................................................. us-east-1 111122223333
| OK : test-function-3 policy does not allow public access. ........................................................................................... us-east-1 111122223333
| OK : test-function-4 policy does not allow public access. ........................................................................................... us-east-1 111122223333
|
+ S3 bucket policies should prohibit public access ....................................................................................................... 0 / 1 [= ]
| |
| OK : omero-cloudfront-test-bucket policy does not allow public access. .............................................................................. us-east-1 111122223333
|
+ SNS topic policies should prohibit public access ....................................................................................................... 1 / 1 [= ]
| |
| ALARM: Default_CloudWatch_Alarms_Topic policy contains 1 statement that allow public access: [__default_statement_ID]. ................................ us-east-1 111122223333
|
+ SQS queue policies should prohibit public access ....................................................................................................... 0 / 0 [ ]
Summary
OK ............................................................................................................................................................... 73 [====== ]
SKIP .............................................................................................................................................................. 0 [ ]
INFO .............................................................................................................................................................. 0 [ ]
ALARM ............................................................................................................................................................ 60 [===== ]
ERROR ............................................................................................................................................................. 0 [ ]
TOTAL ...................................................................................................................................................... 60 / 133 [==========]
omerosaienni@engineering ~/source-code/steampipe/steampipe-mod-aws-perimeter(updating-perimeter-mod-to-use-analyse-table)$
This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.
This PR was closed because it has been stalled for 90 days with no activity.