control

Controls provide a defined structure and interface for queries that draw a specific conclusion (e.g. 'OK', 'Alarm') about each row (typically, each row represents a single evaluated 'block'). This pattern is common across multiple control benchmarks (CIS, etc) and unit testing benchmarks (JUnit, NUnit, etc).

Controls use queries to gather data. Controls contain specific metadata and return specific columns with specified values in a specific format.

Example Usage

control "cisv130_2_1_2" {
title = "2.1.2 Ensure S3 Bucket Policy allows HTTPS requests (Manual)"
description = "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS."
documentation = file("docs/cisv130/2_1_2.md")
sql = query.s3_bucket_encryption_in_transit_control.sql
tags = {
cloud_provider = "aws"
framework = "cis"
cis_version = "v1.3.0"
cis_item_id = "1.4"
cis_control = "4.3"
cis_type = "automated"
cis_level = "1"
}
}

You may run a control from the command line:

powerpipe control run cisv130_2_1_2

Controls can be organized into benchmarks. You can run all controls for a benchmark:

powerpipe benchmark run cisv130

Argument Reference

ArgumentTypeOptional?Description
argsMapOptionalA map of arguments to pass to the query. The args argument may only be specified for controls that specify the query argument.
databaseStringOptionalA database connection reference, connection string, or Pipes workspace to query. If not specified, the default database will be used.
descriptionStringOptionalA description of the control.
documentationString (Markdown)OptionalA markdown string containing a long form description, used as documentation for the mod on hub.powerpipe.io.
paramBlockOptionalA param block that defines the parameters that can be passed in to the control's query. param blocks may only be specified for controls that specify the sql argument.
queryQuery ReferenceOptionalA reference to a query resource that defines the control query to run. The referenced query must conform to the control interface - it must return the required control columns. A control must either specify the query argument or the sql argument, but not both.
severityStringOptionalThe potential impact of given control. Allowed values are none,low,medium,high,critical. The severity names are taken from the Common Vulnerability Scoring System version 3.1: Specification Document. This document may be used as guidance for classifying your controls.
--search-pathStringOptionalSet a comma-separated list of connections to use as a custom search path for the query
--search-path-prefixStringOptionalSet a comma-separated list of connections to use as a prefix to the current search path for the query.
sqlStringRequiredAn SQL string that returns rows that conform to the control interface - it must return the required control columns. A control must either specify the query argument or the sql argument, but not both.
tagsMapOptionalA map of key:value metadata for the benchmark, used to categorize, search, and filter. The structure is up to the mod author and varies by benchmark and provider.
titleStringOptionalDisplay title for the control.

Required Control Columns

ALL controls must specify queries that return rows that contain the following standard columns:

ColumnTypeDescription
statusStringThe control status for this row. Only the defined control statuses should be used.
reasonStringA description that details WHY the row has the specified status. The reason should always be set, even if the control is in an 'ok' state. It should be a sentence ending with a period.
resourceStringA unique identifier that identifies the targeted resource for this control check. Ideally, this should be a globally unique identifier such as an arn.
Control Statuses
StatusDescription
okThe control is compliant for the resource/row.
alarmThe control is not compliant for the resource/row, and should be remediated.
skipThis control was not evaluated because Powerpipe was requested to skip it.
infoThis control is not automated. The control may provide instructions to manually verify, and/or may provide additional context.
errorUsed when an error has occurred in calculating the control state.

Additional Control Columns & Dimensions

A control's query MUST return the required columns, but it may also return additional columns. These additional columns are referred to as dimensions and can be used to specify additional provider-specific columns that are included in control reports and outputs to provide additional context. For example, a benchmark that runs controls against AWS resources may specify dimensions for account_id and region to help locate the evaluated resource. The account_id and region columns will be added as dimensions to the control output for any control whose query returns those columns.