Control: Ensure no open firewall rules allow ingress from 0.0.0.0/0 to any port
Description
VPC firewall rules provide stateful filtering of ingress/egress network traffic to Compute Engine resources. It is recommended that no firewall rule allows unrestricted ingress access (a source range of 0.0.0.0/0 or ::/0) to all ports. Note the scope of the query below: it alarms only on INGRESS rules whose allowed list contains an entry with IPProtocol "all", so a rule that opens a single protocol such as tcp on every port is not flagged, and matching is done by rule name rather than self_link, so a rule that shares its name with an open rule in another project is reported as well.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.compute_firewall_rule_restrict_ingress_all
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.compute_firewall_rule_restrict_ingress_all --share
SQL
This control uses a named query:
-- names of INGRESS rules open to the whole internet that allow every protocol
-- (?& is the jsonb "contains all of these array elements" operator)
with ip_protocol_all as (
  select
    distinct name
  from
    gcp_compute_firewall
  where
    direction = 'INGRESS'
    and (
      source_ranges ?& array['0.0.0.0/0']
      or source_ranges ?& array['::0']
      or source_ranges ?& array['0.0.0.0']
      or source_ranges ?& array['::/0']
      or source_ranges ?& array['::']
    )
    and allowed @> '[{"IPProtocol":"all"}]'
)
select
  self_link resource,
  case
    when name in (select name from ip_protocol_all) then 'alarm'
    else 'ok'
  end as status,
  case
    when name in (select name from ip_protocol_all) then title || ' allows ingress from internet to all ports.'
    else title || ' restricts ingress from internet to all ports.'
  end as reason,
  location as location,
  project as project
from
  gcp_compute_firewall;
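The following is an added example, not the mod's own query: it runs the control's classification on plain PostgreSQL over constructed rows shaped like the gcp_compute_firewall table, and sets it beside a self_link-keyed variant and a stricter one that also catches protocol-specific rules with no port restriction. The sample_firewall CTE, the project names proj-a and proj-b, and the names mod_logic and strict_logic are assumptions of this example.

```sql
-- Added example, not the mod's own query. Runs on plain PostgreSQL (jsonb required);
-- the sample_firewall CTE stands in for Steampipe's gcp_compute_firewall table.
with sample_firewall(self_link, name, project, direction, source_ranges, allowed) as (
  values
    -- constructed rows; proj-a and proj-b are not real projects
    ('https://www.googleapis.com/compute/v1/projects/proj-a/global/firewalls/allow-all',
     'allow-all', 'proj-a', 'INGRESS',
     '["0.0.0.0/0"]'::jsonb, '[{"IPProtocol":"all"}]'::jsonb),
    ('https://www.googleapis.com/compute/v1/projects/proj-a/global/firewalls/allow-tcp-any',
     'allow-tcp-any', 'proj-a', 'INGRESS',
     '["0.0.0.0/0"]'::jsonb, '[{"IPProtocol":"tcp"}]'::jsonb),                -- no "ports" key: every tcp port
    ('https://www.googleapis.com/compute/v1/projects/proj-a/global/firewalls/allow-ssh',
     'allow-ssh', 'proj-a', 'INGRESS',
     '["0.0.0.0/0"]'::jsonb, '[{"IPProtocol":"tcp","ports":["22"]}]'::jsonb), -- open, but a single port
    ('https://www.googleapis.com/compute/v1/projects/proj-b/global/firewalls/allow-all',
     'allow-all', 'proj-b', 'INGRESS',
     '["10.0.0.0/8"]'::jsonb, '[{"IPProtocol":"all"}]'::jsonb)                -- same name as proj-a's rule, RFC 1918 only
),
-- INGRESS rules whose source ranges contain any internet-wide CIDR; ?| is
-- "any of these strings is an element", so one line replaces the mod's or-chain
open_sources as (
  select self_link
  from sample_firewall
  where direction = 'INGRESS'
    and source_ranges ?| array['0.0.0.0/0', '0.0.0.0', '::/0', '::0', '::']
),
-- the mod's condition: an allowed entry with IPProtocol "all"
mod_logic as (
  select f.self_link, f.name
  from sample_firewall f
  join open_sources using (self_link)
  where f.allowed @> '[{"IPProtocol":"all"}]'
),
-- stricter condition: any entry that is "all", or tcp/udp/sctp with no
-- "ports" key (which in GCP means every port) or an explicit 0-65535 range
strict_logic as (
  select distinct f.self_link
  from sample_firewall f
  join open_sources using (self_link)
  cross join lateral jsonb_array_elements(f.allowed) as a(elem)
  where a.elem->>'IPProtocol' = 'all'
     or (
       a.elem->>'IPProtocol' in ('tcp', 'udp', 'sctp')
       and (
         not (a.elem ? 'ports')
         or exists (
           select 1 from jsonb_array_elements_text(a.elem->'ports') as p(port)
           where p.port = '0-65535'
         )
       )
     )
)
select
  f.project,
  f.name,
  -- as on the page: matched by name, so a same-named rule in another project also alarms
  case when f.name in (select name from mod_logic) then 'alarm' else 'ok' end as status_by_name,
  -- keyed on self_link, which is unique per rule
  case when f.self_link in (select self_link from mod_logic) then 'alarm' else 'ok' end as status_by_link,
  case when f.self_link in (select self_link from strict_logic) then 'alarm' else 'ok' end as status_strict
from sample_firewall f
order by f.project, f.name;
```

Run it with psql against any PostgreSQL database; no Steampipe plugin is needed because the rows are inline. Of the four constructed rules, the proj-b rule named allow-all is open only to 10.0.0.0/8 yet comes out as alarm under the name-keyed match, while allow-tcp-any is caught only by the strict variant. To use the stricter logic against real data, replace sample_firewall with gcp_compute_firewall.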