{"id":18995549,"url":"https://github.com/turbot/flowpipe-mod-aws-compliance","last_synced_at":"2025-07-30T12:33:06.148Z","repository":{"id":259240555,"uuid":"778884465","full_name":"turbot/flowpipe-mod-aws-compliance","owner":"turbot","description":"Run pipelines to detect and correct AWS resources that are non-compliant with common security checks.","archived":false,"fork":false,"pushed_at":"2024-11-28T07:57:39.000Z","size":1241,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-07-01T07:08:36.852Z","etag":null,"topics":["aws","compliance","correct","detect","flowpipe","flowpipe-mod","hcl","low-code","security"],"latest_commit_sha":null,"homepage":"https://hub.flowpipe.io/mods/turbot/aws_compliance","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/turbot.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-03-28T15:45:31.000Z","updated_at":"2024-12-17T08:20:40.000Z","dependencies_parsed_at":"2024-10-23T20:12:05.745Z","dependency_job_id":"91a3c28d-7d3f-442f-b3c3-4beb6a6ffba8","html_url":"https://github.com/turbot/flowpipe-mod-aws-compliance","commit_stats":null,"previous_names":["turbot/flowpipe-mod-aws-compliance"],"tags_count":26,"template":false,"template_full_name":null,"purl":"pkg:github/turbot/flowpipe-mod-aws-compliance","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turbot%2Fflowpipe-mod-aws-compliance","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/turbot%2Fflowpipe-mod-aws-compliance/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turbot%2Fflowpipe-mod-aws-compliance/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turbot%2Fflowpipe-mod-aws-compliance/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/turbot","download_url":"https://codeload.github.com/turbot/flowpipe-mod-aws-compliance/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turbot%2Fflowpipe-mod-aws-compliance/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267867803,"owners_count":24157357,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-30T02:00:09.044Z","response_time":70,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","compliance","correct","detect","flowpipe","flowpipe-mod","hcl","low-code","security"],"created_at":"2024-11-08T17:31:34.990Z","updated_at":"2025-07-30T12:33:06.110Z","avatar_url":"https://github.com/turbot.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Compliance Mod for Flowpipe\n\nPipelines to detect and remediate misconfigurations in AWS resources.\n\n## Documentation\n\n- **[Pipelines →](https://hub.flowpipe.io/mods/turbot/aws_compliance/pipelines)**\n\n## Getting Started\n\n### Requirements\n\nDocker daemon must be 
installed and running. Please see [Install Docker Engine](https://docs.docker.com/engine/install/) for more information.\n\n### Installation\n\nDownload and install Flowpipe (https://flowpipe.io/downloads) and Steampipe (https://steampipe.io/downloads), or use Homebrew:\n\n```sh\nbrew install turbot/tap/flowpipe\nbrew install turbot/tap/steampipe\n```\n\nInstall the AWS plugin with [Steampipe](https://steampipe.io):\n\n```sh\nsteampipe plugin install aws\n```\n\nSteampipe will automatically use your default AWS credentials. Optionally, you can [set up multiple accounts](https://hub.steampipe.io/plugins/turbot/aws#multi-account-connections) or [customize AWS credentials](https://hub.steampipe.io/plugins/turbot/aws#configuring-aws-credentials).\n\nCreate a `connection_import` resource to import your Steampipe AWS connections:\n\n```sh\nvi ~/.flowpipe/config/aws.fpc\n```\n\n```hcl\nconnection_import \"aws\" {\n  source      = \"~/.steampipe/config/aws.spc\"\n  connections = [\"*\"]\n}\n```\n\nFor more information on importing connections, please see [Connection Import](https://flowpipe.io/docs/reference/config-files/connection_import).\n\nFor more information on connections in Flowpipe, please see [Managing Connections](https://flowpipe.io/docs/run/connections).\n\nInstall the mod:\n\n```sh\nmkdir aws-compliance\ncd aws-compliance\nflowpipe mod install github.com/turbot/flowpipe-mod-aws-compliance\n```\n\n### Running Detect and Correct Pipelines\n\nTo run your first detection, you'll need to ensure your Steampipe server is up and running:\n\n```sh\nsteampipe service start\n```\n\nTo find your desired detection, you can filter the `pipeline list` output:\n\n```sh\nflowpipe pipeline list | grep \"detect_and_correct\"\n```\n\nThen run your chosen pipeline:\n\n```sh\nflowpipe pipeline run aws_compliance.pipeline.detect_and_correct_s3_buckets_with_block_public_access_disabled\n```\n\nThis will run the pipeline and, depending on your configured running mode, perform the 
relevant action(s). There are three running modes:\n- Wizard\n- Notify\n- Automatic\n\n#### Wizard\n\nThis is the `default` running mode. It takes a hands-on approach to approving changes: the pipeline prompts for [input](https://flowpipe.io/docs/build/input) for each detected resource, and a change is only applied once you approve it.\n\nThe out-of-the-box default is to prompt directly in the terminal. You can instead use Flowpipe [server](https://flowpipe.io/docs/run/server) and [external integrations](https://flowpipe.io/docs/build/input#create-an-integration) to prompt via `http`, `slack`, `teams`, etc.\n\n#### Notify\n\nAs the name implies, this mode only reports detections and makes no changes. For each detected resource a notification is sent either directly to your terminal when running in client mode, or via another configured [notifier](https://flowpipe.io/docs/reference/config-files/notifier) when running in server mode.\n\nTo run in `notify` mode, set the `approvers` variable to an empty list `[]` and set the resource-specific `default_action` variable to `notify`, either in your `flowpipe.fpvars` file:\n\n```hcl\napprovers = []\ns3_buckets_with_block_public_access_disabled_default_action = \"notify\"\n```\n\nor pass the `approvers` and `default_action` arguments on the command line:\n\n```sh\nflowpipe pipeline run aws_compliance.pipeline.detect_and_correct_s3_buckets_with_block_public_access_disabled --arg='default_action=notify' --arg='approvers=[]'\n```\n\n#### Automatic\n\nThis mode takes a hands-off approach: detected resources are remediated without prompting for approval. Because nobody is asked to confirm, the chosen action is applied to every resource the detection returns, so it is worth running the pipeline in `notify` mode first to review that list.\n\nTo run in `automatic` mode, set the `approvers` variable to an empty list `[]` and set the resource-specific `default_action` variable to one of the available corrective actions in your `flowpipe.fpvars` file:\n\n```hcl\napprovers = []\ns3_buckets_with_block_public_access_disabled_default_action = \"block_public_access\"\n```\n\nor pass the `approvers` and `default_action` arguments on the command line:\n\n```sh\nflowpipe 
pipeline run aws_compliance.pipeline.detect_and_correct_s3_buckets_with_block_public_access_disabled --arg='approvers=[]' --arg='default_action=block_public_access'\n```\n\nTo take this a step further, you can enable the pipeline's corresponding [query trigger](#running-query-triggers) so that it runs completely hands-off on a schedule.\n\n### Running Query Triggers\n\n\u003e Note: Query triggers require Flowpipe running in [server](https://flowpipe.io/docs/run/server) mode.\n\nEach `detect_and_correct` pipeline comes with a corresponding [Query Trigger](https://flowpipe.io/docs/flowpipe-hcl/trigger/query). These are _disabled_ by default so that you can _enable_ and _schedule_ only the ones you need.\n\nLet's begin by looking at how to set up a Query Trigger to automatically resolve S3 buckets that do not block public access.\n\nFirst, update your `flowpipe.fpvars` file to add or update the following variables. This example runs the remediation hourly and automatically applies the `block_public_access` correction:\n\n```hcl\ns3_buckets_with_block_public_access_disabled_trigger_enabled  = true\ns3_buckets_with_block_public_access_disabled_trigger_schedule = \"1h\"\ns3_buckets_with_block_public_access_disabled_default_action   = \"block_public_access\"\n```\n\nNow start the Flowpipe server:\n\n```sh\nflowpipe server\n```\n\nThe trigger will now run every hour, detect S3 buckets that do not block public access, and apply the correction without further interaction.\n\n### Configure Variables\n\nSeveral pipelines have [input variables](https://flowpipe.io/docs/build/mod-variables#input-variables) that can be configured to better match your environment and requirements.\n\nEach variable has a default defined in its source file, e.g. `s3/s3_buckets_with_default_encryption_disabled.fp` (or `variables.fp` for more generic variables), but these defaults can be overridden in several ways.\n\nThe easiest approach is to set up your `flowpipe.fpvars` file, starting with the sample:\n\n```sh\ncp 
flowpipe.fpvars.example flowpipe.fpvars\nvi flowpipe.fpvars\n\nflowpipe pipeline run aws_compliance.pipeline.detect_and_correct_s3_buckets_with_block_public_access_disabled\n```\n\nAlternatively, you can pass variables on the command line:\n\n```sh\nflowpipe pipeline run aws_compliance.pipeline.detect_and_correct_s3_buckets_with_block_public_access_disabled --var notifier=notifier.default\n```\n\nOr through environment variables:\n\n```sh\nexport FP_VAR_notifier=\"notifier.default\"\nflowpipe pipeline run aws_compliance.pipeline.detect_and_correct_s3_buckets_with_block_public_access_disabled\n```\n\nFor more information, please see [Passing Input Variables](https://flowpipe.io/docs/build/mod-variables#passing-input-variables).\n\nFinally, each detection pipeline has a corresponding [Query Trigger](https://flowpipe.io/docs/flowpipe-hcl/trigger/query). These are disabled by default so that you can enable only those you require; see the [docs](https://hub.flowpipe.io/mods/turbot/aws_compliance/triggers) for more information.\n\n## Open Source \u0026 Contributing\n\nThis repository is published under the [Apache 2.0 license](https://www.apache.org/licenses/LICENSE-2.0). Please see our [code of conduct](https://github.com/turbot/.github/blob/main/CODE_OF_CONDUCT.md). We look forward to collaborating with you!\n\n[Flowpipe](https://flowpipe.io) and [Steampipe](https://steampipe.io) are products produced from this open source software, exclusively by [Turbot HQ, Inc](https://turbot.com). They are distributed under our commercial terms. Others are allowed to make their own distribution of the software, but cannot use any of the Turbot trademarks, cloud services, etc. You can learn more in our [Open Source FAQ](https://turbot.com/open-source).\n\n## Get Involved\n\n**[Join #flowpipe on Slack →](https://turbot.com/community/join)**\n\nWant to help but don't know where to start? 
Pick up one of the `help wanted` issues:\n\n- [Flowpipe](https://github.com/turbot/flowpipe/labels/help%20wanted)\n- [AWS Compliance Mod](https://github.com/turbot/flowpipe-mod-aws-compliance/labels/help%20wanted)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fturbot%2Fflowpipe-mod-aws-compliance","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fturbot%2Fflowpipe-mod-aws-compliance","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fturbot%2Fflowpipe-mod-aws-compliance/lists"}