Powerpipe Detection Mods →
DocsHubBlogChangelogSlack CommunityGitHub

Custom Controls

Many controls and benchmarks are available in mods on the Powerpipe Hub. But if these don't meet your needs, Powerpipe makes it easy to create your own controls and benchmarks that are important to you and your organization, and organize them in a way that reflects your organization's standards and practices.

Tutorial

Let's walk through building a simple benchmark that will introduce the key concepts as we go along.

Prerequisites

For this tutorial, we'll be using Steampipe with the AWS plugin:

  1. Download and install Powerpipe for your platform.
  2. Download and install Steampipe for your platform.
  3. Install and configure the latest AWS plugin.
  4. Start the Steampipe database service (steampipe service start)

Create a mod

Powerpipe resources are packaged into mods. First, create a mod for your controls and benchmarks.

Create a Control

Now let's create a control. Create a new file in the folder called untagged.pp and paste in the following code:

This snippet defines a control named s3_untagged, including an SQL query to find untagged S3 buckets. Note that the query returns the required control columns (resource, status, and reason), as well as additional columns, or dimensions, to provide context that is specific to AWS (region, account_id).

Now let's run our control:

Controls provide an easy-to-use mechanism for auditing your environment with Powerpipe. Benchmarks allow you to group and organize your controls. Let's add another control to the untagged.pp, as well as a benchmark that has both of our controls as children:

Now we can run both of our controls via the benchmark:

Benchmarks may also have other benchmarks as children, allowing you to create rich hierarchies of controls. There are many more examples to explore on the Powerpipe Hub!