Control: Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 9200 or 9300
Description
Firewall rules provide stateful filtering of ingress/egress network traffic to GCP VPC resources. TCP 9200 (REST API) and TCP 9300 (node-to-node transport) are the default Elasticsearch ports, and an Elasticsearch cluster reachable from the whole internet is a common source of data exposure. It is recommended that no VPC firewall rule allows unrestricted ingress access to TCP port 9200 or 9300.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.compute_firewall_rule_ingress_access_restricted_to_tcp_port_9200_9300
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.compute_firewall_rule_ingress_access_restricted_to_tcp_port_9200_9300 --share
SQL
This control uses a named query:
with ip_protocol_all as (
  select
    name
  from
    gcp_compute_firewall
  where
    direction = 'INGRESS'
    and action = 'Allow'
    and (
      source_ranges ?& array['0.0.0.0/0']
      or source_ranges ?& array['::0']
      or source_ranges ?& array['0.0.0.0']
      or source_ranges ?& array['::/0']
      or source_ranges ?& array['::']
    )
    and (
      allowed @> '[{"IPProtocol":"all"}]'
      or (allowed @> '[{"IPProtocol":"tcp"}]' and allowed -> 0 -> 'ports' is null)
    )
),
ip_protocol_tcp_udp as (
  select
    name
  from
    gcp_compute_firewall,
    jsonb_array_elements(allowed) as p,
    jsonb_array_elements_text(p -> 'ports') as port
  where
    direction = 'INGRESS'
    and action = 'Allow'
    and (
      source_ranges ?& array['0.0.0.0/0']
      or source_ranges ?& array['::0']
      or source_ranges ?& array['0.0.0.0']
      or source_ranges ?& array['::/0']
      or source_ranges ?& array['::']
    )
    and (p ->> 'IPProtocol' = 'tcp')
    and (
      port = '9200'
      or port = '9300'
      or (
        port like '%-%'
        and (
          (split_part(port, '-', 1) :: integer <= 9200 and split_part(port, '-', 2) :: integer >= 9200)
          or (split_part(port, '-', 1) :: integer <= 9300 and split_part(port, '-', 2) :: integer >= 9300)
        )
      )
    )
)
select
  self_link resource,
  case
    when name in (select name from ip_protocol_tcp_udp) then 'alarm'
    when name in (select name from ip_protocol_all) then 'alarm'
    else 'ok'
  end as status,
  case
    when name in (select name from ip_protocol_tcp_udp) or name in (select name from ip_protocol_all)
      then title || ' allows access from internet to TCP port 9200 or 9300.'
    else title || ' restricts access from internet to TCP port 9200 or 9300.'
  end as reason,
  location as location,
  project as project
from
  gcp_compute_firewall;
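The query below is an added example, not the mod's own control query. It runs in plain PostgreSQL against a constructed temporary table that stands in for Steampipe's gcp_compute_firewall (only the columns the control reads; every rule in it is made up). It keeps the control's matching rules (INGRESS, Allow, an any-address source range, TCP 9200 or 9300 by exact port or by a covering range, or all protocols / all TCP ports) but inspects every entry of allowed rather than only element 0, which is what the control's `allowed -> 0 -> 'ports' is null` test does, so a port-less tcp entry listed after another protocol is also caught.

```sql
-- Added example (not part of the gcp_compliance mod): exercises the control's
-- matching logic against constructed rows in plain PostgreSQL. The temp table
-- mimics the Steampipe gcp_compute_firewall columns the control reads.
create temp table gcp_compute_firewall (
  name          text,
  title         text,
  self_link     text,
  location      text,
  project       text,
  direction     text,
  action        text,
  source_ranges jsonb,   -- array of CIDR strings
  allowed       jsonb    -- array of {"IPProtocol": ..., "ports": [...]} objects
);

-- Constructed sample rules; the comment on each states the scenario it covers.
insert into gcp_compute_firewall values
  -- exact match on 9200 from the whole internet
  ('es-http', 'es-http', 'fw/es-http', 'global', 'proj-a',
   'INGRESS', 'Allow', '["0.0.0.0/0"]', '[{"IPProtocol":"tcp","ports":["9200"]}]'),
  -- port range that covers 9300
  ('wide-range', 'wide-range', 'fw/wide-range', 'global', 'proj-a',
   'INGRESS', 'Allow', '["0.0.0.0/0"]', '[{"IPProtocol":"tcp","ports":["9000-9500"]}]'),
  -- every protocol, every port
  ('allow-all', 'allow-all', 'fw/allow-all', 'global', 'proj-a',
   'INGRESS', 'Allow', '["0.0.0.0/0"]', '[{"IPProtocol":"all"}]'),
  -- tcp with no "ports" key (all TCP ports) listed after a udp entry; the
  -- control's `allowed -> 0 -> 'ports' is null` test looks only at element 0,
  -- the element-wise check below looks at every entry
  ('tcp-all-second', 'tcp-all-second', 'fw/tcp-all-second', 'global', 'proj-a',
   'INGRESS', 'Allow', '["0.0.0.0/0"]',
   '[{"IPProtocol":"udp","ports":["53"]},{"IPProtocol":"tcp"}]'),
  -- same ports, but only from a private range
  ('internal-es', 'internal-es', 'fw/internal-es', 'global', 'proj-a',
   'INGRESS', 'Allow', '["10.0.0.0/8"]', '[{"IPProtocol":"tcp","ports":["9200","9300"]}]'),
  -- UDP 9200 from anywhere: outside this control's scope (TCP only)
  ('udp-9200', 'udp-9200', 'fw/udp-9200', 'global', 'proj-a',
   'INGRESS', 'Allow', '["0.0.0.0/0"]', '[{"IPProtocol":"udp","ports":["9200"]}]'),
  -- range adjacent to, but not covering, either port
  ('near-miss', 'near-miss', 'fw/near-miss', 'global', 'proj-a',
   'INGRESS', 'Allow', '["0.0.0.0/0"]', '[{"IPProtocol":"tcp","ports":["9301-9400"]}]');

with open_ingress as (
  -- ingress allow rules whose source list contains an "anywhere" range
  select name
  from gcp_compute_firewall
  where direction = 'INGRESS'
    and action = 'Allow'
    and source_ranges ?| array['0.0.0.0/0', '0.0.0.0', '::/0', '::0', '::']
),
entries as (
  -- one row per allowed entry; a missing "ports" key means all ports of that protocol
  select f.name, a ->> 'IPProtocol' as proto, a -> 'ports' as ports
  from gcp_compute_firewall f
  cross join jsonb_array_elements(f.allowed) as a
  where f.name in (select name from open_ingress)
),
exposed as (
  select distinct name
  from entries
  where proto = 'all'
     or (proto = 'tcp' and ports is null)
     or (proto = 'tcp' and exists (
           select 1
           from jsonb_array_elements_text(ports) as p(port)
           where port in ('9200', '9300')
              or (port like '%-%'
                  -- inclusive range "lo-hi" contains 9200 or 9300
                  and (int4range(split_part(port, '-', 1)::int,
                                 split_part(port, '-', 2)::int, '[]') @> 9200
                    or int4range(split_part(port, '-', 1)::int,
                                 split_part(port, '-', 2)::int, '[]') @> 9300))))
)
select f.self_link as resource,
       case when e.name is not null then 'alarm' else 'ok' end as status,
       f.title || case when e.name is not null
                       then ' allows access from internet to TCP port 9200 or 9300.'
                       else ' restricts access from internet to TCP port 9200 or 9300.'
                  end as reason,
       f.location, f.project
from gcp_compute_firewall f
left join exposed e on e.name = f.name
order by f.name;
```

Run it in any psql session; no Steampipe connection is needed. The first four constructed rules (es-http, wide-range, allow-all, tcp-all-second) come back as alarm and the remaining three as ok. The `int4range(..., '[]') @> 9200` form is equivalent to the control's pair of `<=` / `>=` comparisons and makes the "range contains the port" intent explicit; note that a range such as 9201-9299 is deliberately not flagged by either form, since it covers neither port.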