Table: aws_regions

SELECT
  'Ensure that IAM Access analyzer is enabled for all regions (Automated)'
    AS title,
  ar.account_id,
  ar.region AS resource_id,
  CASE
  WHEN ar.enabled
  AND aregion.region IS NULL
  AND aregion.status IS DISTINCT FROM 'ACTIVE'
  THEN 'fail'
  ELSE 'pass'
  END
    AS status
FROM
  aws_regions AS ar
  LEFT JOIN aws_accessanalyzer_analyzers AS aregion ON
      ar.region = aregion.region;

WITH
  enabled_detector_regions
    AS (
      SELECT
        account_id, region
      FROM
        aws_guardduty_detectors
      WHERE
        status = 'ENABLED'
    )
SELECT
  'GuardDuty should be enabled' AS title,
  r.account_id,
  r.region AS resource_id,
  CASE
  WHEN enabled = true AND e.region IS NULL THEN 'fail'
  ELSE 'pass'
  END
    AS status
FROM
  aws_regions AS r
  LEFT JOIN enabled_detector_regions AS e ON
      e.region = r.region AND e.account_id = r.account_id
UNION
  SELECT
    'GuardDuty should be enabled (detectors)' AS title,
    account_id,
    region AS resource_id,
    CASE
    WHEN data_sources->'S3Logs'->>'Status' != 'ENABLED'
    AND data_sources->'DNSLogs'->>'Status' != 'ENABLED'
    AND data_sources->'CloudTrail'->>'Status' != 'ENABLED'
    AND data_sources->'FlowLogs'->>'Status' != 'ENABLED'
    THEN 'fail'
    ELSE 'pass'
    END
      AS status
  FROM
    aws_guardduty_detectors
  WHERE
    status = 'ENABLED';

WITH
  enabled_securityhub_regions
    AS (SELECT account_id, region FROM aws_securityhub_hubs)
SELECT
  'SecurityHub should be enabled' AS title,
  r.account_id,
  r.region AS resource_id,
  CASE
  WHEN r.enabled = true AND e.region IS NULL THEN 'fail'
  ELSE 'pass'
  END
    AS status
FROM
  aws_regions AS r
  LEFT JOIN enabled_securityhub_regions AS e ON
      e.region = r.region AND e.account_id = r.account_id;