### Install Powerpipe and AWS Compliance Mod Source: https://context7.com/turbot/steampipe-mod-aws-compliance/llms.txt Commands to install the necessary CLI tools, initialize a workspace, and download the AWS compliance mod from GitHub. ```shell brew install turbot/tap/powerpipe brew install turbot/tap/steampipe steampipe plugin install aws mkdir dashboards && cd dashboards powerpipe mod init powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance steampipe service start powerpipe server ``` -------------------------------- ### Create and Start AWS Config Delivery Channel Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/cis_v600/docs/cis_v600_4_3.md Commands to create a delivery channel from a JSON file and start the configuration recorder service. ```bash aws configservice put-delivery-channel --delivery-channel file://.json aws configservice start-configuration-recorder --configuration-recorder-name ``` -------------------------------- ### Start Powerpipe Server Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/README.md Starts the Powerpipe dashboard server. Once running, dashboards and checks can be accessed via a web browser at http://localhost:9033. ```bash powerpipe server ``` -------------------------------- ### Install Powerpipe using Brew Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/README.md Installs the Powerpipe CLI tool using the Homebrew package manager. This is a prerequisite for using the AWS Compliance Mod. ```bash brew install turbot/tap/powerpipe ``` -------------------------------- ### Configure Variables using powerpipe.ppvars Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/README.md Copies an example variables file and allows for manual editing to configure common and tag dimensions for benchmark queries. This is the recommended method for setting up variables. ```bash cp powerpipe.ppvars.example powerpipe.ppvars vi powerpipe.ppvars ``` -------------------------------- ### GET /lightsail/get-bucket-bundles Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/cis_compute_service_v100/docs/cis_compute_service_v100_3_8.md Retrieves the available storage bundle configurations for Lightsail buckets. ```APIDOC ## GET /lightsail/get-bucket-bundles ### Description Retrieves a list of available storage bundle IDs, including pricing and capacity details, to be used when creating buckets. ### Method GET ### Endpoint /lightsail/get-bucket-bundles ### Response #### Success Response (200) - **bundles** (array) - A list of available storage bundles. #### Response Example { "bundles": [ { "bundleId": "small_1_0", "name": "Object Storage 5GB", "price": 1.0, "storagePerMonthInGb": 5 } ] } ``` -------------------------------- ### Execute AWS CLI Commands for VPC Flow Logs Setup Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/cis_v600/docs/cis_v600_4_7.md A series of AWS CLI commands to create IAM roles, attach policies, list VPCs, and enable flow logs for specific VPC resources. ```bash aws iam create-role --role-name --assume-role-policydocument file: role_policy_document.json aws iam create-policy --policy-name --policy-document file://iam-policy.json aws iam attach-group-policy --policy-arn arn:aws:iam:::policy/ --group-name aws ec2 describe-vpcs --region aws ec2 create-flow-logs --resource-type VPC --resource-ids -- traffic-type REJECT --log-group-name --deliver-logspermission-arn ``` -------------------------------- ### Enable S3 Bucket Logging via AWS CLI Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/cis_v600/docs/cis_v600_4_4.md This snippet demonstrates how to enable server access logging for an S3 bucket using the AWS CLI. It involves first describing existing trails to get the S3 bucket name, then creating a JSON configuration file for logging parameters, and finally applying these settings using the 'put-bucket-logging' command. Ensure you replace placeholders like '', '', '', and '' with your specific values. ```bash aws cloudtrail describe-trails --region --query trailList[*].S3BucketName ``` ```json { "LoggingEnabled": { "TargetBucket": "", "TargetPrefix": "", "TargetGrants": [ { "Grantee": { "Type": "AmazonCustomerByEmail", "EmailAddress": "" }, "Permission": "FULL_CONTROL" } ] } } ``` ```bash aws s3api put-bucket-logging --bucket --bucket-logging-status file://.json ``` -------------------------------- ### Get and Put S3 Bucket Policy using AWS CLI (Bash) Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/cis_v600/docs/cis_v600_3_1_1.md These bash commands demonstrate how to retrieve an existing S3 bucket policy using `aws s3api get-bucket-policy` and then apply a modified policy back to the bucket using `aws s3api put-bucket-policy`. This is useful for programmatic management of bucket policies. Replace `` with your bucket's name. ```bash aws s3api get-bucket-policy --bucket --query Policy --output text > policy.json ``` ```bash aws s3api put-bucket-policy --bucket --policy file://policy.json ``` -------------------------------- ### Enable Detailed Monitoring for EC2 Instances using AWS CLI Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/cis_compute_service_v100/docs/cis_compute_service_v100_2_6.md This command enables detailed monitoring for specified EC2 instances. It requires the AWS CLI to be installed and configured. The command takes instance IDs as input and initiates the monitoring process, which may take a few minutes to become active. ```bash aws ec2 monitor-instances --instance-ids ``` -------------------------------- ### Install AWS Compliance Mod Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/README.md Installs the AWS Compliance Mod for Powerpipe. This involves creating a dashboards directory, initializing Powerpipe, and then installing the mod from its GitHub repository. ```bash mkdir dashboards cd dashboards powerpipe mod init powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance ``` -------------------------------- ### Start Steampipe Service Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/README.md Starts the Steampipe service, which provides the data source for Powerpipe and the AWS Compliance Mod. This command must be run before starting the Powerpipe server or terminal commands. ```bash steampipe service start ``` -------------------------------- ### List Available Benchmarks Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/README.md Lists all available benchmarks that can be run using the Powerpipe CLI. This command helps identify which compliance checks are available. ```bash powerpipe benchmark list ``` -------------------------------- ### Execute CIS v6.0.0 Compliance Benchmarks Source: https://context7.com/turbot/steampipe-mod-aws-compliance/llms.txt Commands to list, run, and export results for the CIS AWS Foundations Benchmark v6.0.0, supporting various output formats like JSON and HTML. ```shell powerpipe benchmark list powerpipe benchmark run aws_compliance.benchmark.cis_v600 powerpipe benchmark run aws_compliance.benchmark.cis_v600_2 powerpipe benchmark run aws_compliance.benchmark.cis_v600 --output json > cis_results.json powerpipe benchmark run aws_compliance.benchmark.cis_v600 --output html > cis_report.html ``` -------------------------------- ### Configure Benchmark Dimensions Source: https://context7.com/turbot/steampipe-mod-aws-compliance/llms.txt Demonstrates how to customize benchmark queries by setting common and tag dimensions. This allows for more granular reporting across multi-account AWS environments. Variables can be passed via a file, command line, or environment variables. ```bash # Create variables file from example cp powerpipe.ppvars.example powerpipe.ppvars # Example powerpipe.ppvars content: # common_dimensions = ["account_id", "region"] tag_dimensions = ["Environment", "Owner", "CostCenter"] # lambda_latest_runtimes = ["nodejs20.x", "python3.12", "java21"] # Pass variables via command line powerpipe benchmark run aws_compliance.benchmark.cis_v600 \ --var 'common_dimensions=["account_id", "connection_name", "region"]' \ --var 'tag_dimensions=["Environment", "Owner"]' # Pass variables via environment export PP_VAR_common_dimensions='["account_id", "connection_name", "region"]' export PP_VAR_tag_dimensions='["Environment", "Owner"]' powerpipe benchmark run aws_compliance.benchmark.cis_v600 ``` -------------------------------- ### Install Steampipe and AWS Plugin using Brew Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/README.md Installs the Steampipe CLI tool and the AWS plugin using Homebrew. Steampipe is required as a data source for the AWS Compliance Mod. ```bash brew install turbot/tap/steampipe steampipe plugin install aws ``` -------------------------------- ### GET /aws/lightsail/get-instance-port-states Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/cis_compute_service_v100/docs/cis_compute_service_v100_3_5.md Retrieves the current port state and CIDR restrictions for a specific Lightsail instance. ```APIDOC ## GET /aws/lightsail/get-instance-port-states ### Description Fetches the current configuration of open ports and associated CIDR blocks for a given instance. ### Method GET ### Endpoint /aws/lightsail/get-instance-port-states ### Parameters #### Query Parameters - **instance-name** (string) - Required - The name of the instance to query. ### Request Example GET /aws/lightsail/get-instance-port-states?instance-name=my-instance ### Response #### Success Response (200) - **portStates** (array) - List of objects containing port, protocol, and cidrs. #### Response Example { "portStates": [ { "fromPort": 3389, "toPort": 3389, "protocol": "tcp", "state": "open", "cidrs": ["110.111.221.100/32"] } ] } ``` -------------------------------- ### Create RDS Database Snapshot Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/cis_v600/docs/cis_v600_3_2_1.md Initiates a snapshot of an existing RDS database instance for backup or migration purposes. ```bash aws rds create-db-snapshot --region --db-snapshot-identifier --db-instance-identifier ``` -------------------------------- ### Get Lightsail Instance Port States via AWS CLI Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/cis_compute_service_v100/docs/cis_compute_service_v100_3_4.md This command retrieves the current public port settings for a Lightsail instance, useful for verifying access rules. ```APIDOC ## Get Lightsail Instance Port States via AWS CLI ### Description This command retrieves the current state of public ports for a Lightsail instance, including the allowed IP address ranges (CIDRs) for each open port. ### Method AWS CLI Command ### Endpoint `aws lightsail get-instance-port-states` ### Parameters #### Path Parameters None #### Query Parameters **--instance-name** (string) - Required - The name of the Lightsail instance. #### Request Body None ### Request Example ```bash aws lightsail get-instance-port-states --instance-name ``` ### Response #### Success Response (200) - **portStates** (array) - A list of port state objects. - **fromPort** (integer) - The starting port number. - **toPort** (integer) - The ending port number. - **protocol** (string) - The protocol (e.g., "tcp"). - **state** (string) - The state of the port (e.g., "open"). - **cidrs** (array of strings) - A list of CIDR blocks allowed to access the port. - **cidrListAliases** (array of strings) - Aliases for the CIDR blocks. #### Response Example ```json { "portStates": [ { "fromPort": 22, "toPort": 22, "protocol": "tcp", "state": "open", "cidrs": [ "110.111.221.100/32", "110.111.221.202/32" ], "cidrListAliases": [] } ] } ``` ``` -------------------------------- ### List Available Lightsail Bucket Bundles Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/cis_compute_service_v100/docs/cis_compute_service_v100_3_8.md Retrieves a list of available bucket bundles, including their storage capacity, pricing, and bundle IDs. Use this to determine the appropriate bundle ID for your storage requirements. ```bash aws lightsail get-bucket-bundles ``` -------------------------------- ### Create AWS Config Configuration Recorder Source: https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/cis_v600/docs/cis_v600_4_3.md Uses the AWS CLI to initialize a configuration recorder. This command sets the recording group to include all supported resources and global resource types. ```bash aws configservice put-configuration-recorder --configuration-recorder name=,roleARN=arn:aws:iam:::role/ --recording-group allSupported=true,includeGlobalResourceTypes=true ```