v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_perimeter
Overview
3Dashboards
62Controls
0Queries
5Variables
GitHub

Control: VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0

Description

This control checks if any security groups allow inbound 0.0.0.0/0 or ::/0 to ports 20, 21, 22, 3306, 3389, 4333.

Usage

Run the control in your terminal:

powerpipe control run aws_perimeter.control.vpc_security_group_restrict_ingress_common_ports_all

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_perimeter.control.vpc_security_group_restrict_ingress_common_ports_all --share

Steampipe Tables

aws_vpc_security_group
aws_vpc_security_group_rule
Amazon Web Services plugin

SQL

with ingress_ssh_rules as (
  select
    group_id,
    count(*) as num_ssh_rules
  from
    aws_vpc_security_group_rule
  where
    type = 'ingress'
    and (
      cidr_ipv4 = '0.0.0.0/0'
      or cidr_ipv6 = '::/0'
    )
    and (
    ( ip_protocol = '-1'
      and from_port is null
      )
      or (
        from_port >= 22
        and to_port <= 22
      )
      or (
        from_port >= 3389
        and to_port <= 3389
      )
      or (
        from_port >= 21
        and to_port <= 21
      )
      or (
        from_port >= 20
        and to_port <= 20
      )
      or (
        from_port >= 3306
        and to_port <= 3306
      )
      or (
        from_port >= 4333
        and to_port <= 4333
      )
      or (
        from_port >= 23
        and to_port <= 23
      )
      or (
        from_port >= 25
        and to_port <= 25
      )
      or (
        from_port >= 445
        and to_port <= 445
      )
      or (
        from_port >= 110
        and to_port <= 110
      )
      or (
        from_port >= 135
        and to_port <= 135
      )
      or (
        from_port >= 143
        and to_port <= 143
      )
      or (
        from_port >= 1433
        and to_port <= 3389
      )
      or (
        from_port >= 3389
        and to_port <= 1434
      )
      or (
        from_port >= 5432
        and to_port <= 5432
      )
      or (
        from_port >= 5500
        and to_port <= 5500
      )
      or (
        from_port >= 5601
        and to_port <= 5601
      )
      or (
        from_port >= 9200
        and to_port <= 9300
      )
      or (
        from_port >= 8080
        and to_port <= 8080
      )
  )
  group by
    group_id
)
select
  arn as resource,
  case
    when ingress_ssh_rules.group_id is null then 'ok'
    else 'alarm'
  end as status,
  case
    when ingress_ssh_rules.group_id is null then sg.group_id || ' ingress restricted for common ports from 0.0.0.0/0 and ::/0.'
    else sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for common ports from 0.0.0.0/0 and ::/0.'
  end as reason
  
  , sg.region, sg.account_id
from
  aws_vpc_security_group as sg
  left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id;

Tags

category = Perimeter
plugin = aws
service = AWS/VPC