Control: 2.5 Ensure the default security list of every VCN restricts all traffic except ICMP
Description
A default security list is created when a Virtual Cloud Network (VCN) is created. Security lists provide stateful filtering of ingress and egress network traffic to OCI resources. It is recommended that no security list allows unrestricted ingress access to Secure Shell (SSH) via port 22.
Remediation
From Console
- Login to OCI Console.
- Click on Networking -> Virtual Cloud Networks.
- For each VCN listed, click on Security Lists.
- Click on Default Security List for <VCN Name>.
- Select the Ingress Rule with 'Source 0.0.0.0/0, IP Protocol 22 and Destination Port Range 22'.
- Click Remove.
- Verify that you want to remove by clicking Remove.
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v120_2_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v120_2_5 --share
SQL
This control uses a named query:
core_default_security_list_allow_icmp_only
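The named query above is evaluated inside Powerpipe against Steampipe's OCI tables. As an added illustration of the same logic (this is not the mod's query, and it does not use the OCI SDK), the following Python evaluates a security list offline: it flags any ingress rule that is not ICMP, and separately reports rules open to 0.0.0.0/0 that reach TCP/22, which is the rule the console remediation removes. The rule objects follow the JSON shape returned by `oci network security-list list` (`ingressSecurityRules`, `protocol` as an IANA number string or `"all"`, `tcpOptions.destinationPortRange`) as recalled here; treat those field names, and the constructed sample lists, as assumptions.

```python
"""Evaluate an OCI security list for CIS OCI 2.5 (ICMP-only ingress).

Added example, not part of the oci_compliance mod. Field names follow the
OCI security-list JSON shape as recalled by the author; treat them as
assumptions and confirm against the API output in your tenancy.
"""

ICMP = "1"      # IANA protocol numbers as OCI reports them (strings)
ICMPV6 = "58"
TCP = "6"
SSH_PORT = 22


def is_icmp(rule: dict) -> bool:
    """True if the rule only permits ICMP or ICMPv6 traffic."""
    return rule.get("protocol") in (ICMP, ICMPV6)


def non_icmp_ingress_rules(security_list: dict) -> list:
    """Return the ingress rules that admit anything other than ICMP."""
    return [r for r in security_list.get("ingressSecurityRules", []) if not is_icmp(r)]


def covers_port(rule: dict, port: int) -> bool:
    """A TCP rule without a destinationPortRange matches every port."""
    opts = rule.get("tcpOptions") or {}
    rng = opts.get("destinationPortRange")
    if rng is None:
        return True
    return rng["min"] <= port <= rng["max"]


def unrestricted_ssh_rules(security_list: dict) -> list:
    """Ingress rules from 0.0.0.0/0 that reach TCP/22 (directly or via 'all')."""
    hits = []
    for r in security_list.get("ingressSecurityRules", []):
        if r.get("source") != "0.0.0.0/0":
            continue
        proto = r.get("protocol")
        if proto == "all" or (proto == TCP and covers_port(r, SSH_PORT)):
            hits.append(r)
    return hits


def evaluate(security_list: dict) -> dict:
    """Classify a security list as 'ok' (ICMP only) or 'alarm', with the offending rules."""
    extra = non_icmp_ingress_rules(security_list)
    return {
        "display_name": security_list.get("displayName"),
        "status": "ok" if not extra else "alarm",
        "non_icmp_rules": extra,
        "unrestricted_ssh_rules": unrestricted_ssh_rules(security_list),
    }


# Constructed sample (assumption): a freshly created default security list,
# with the TCP/22 rule OCI adds alongside the two ICMP rules.
SAMPLE_DEFAULT = {
    "displayName": "Default Security List for vcn-example",
    "ingressSecurityRules": [
        {"protocol": "6", "source": "0.0.0.0/0", "isStateless": False,
         "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
        {"protocol": "1", "source": "0.0.0.0/0", "isStateless": False,
         "icmpOptions": {"type": 3, "code": 4}},
        {"protocol": "1", "source": "10.0.0.0/16", "isStateless": False,
         "icmpOptions": {"type": 3}},
    ],
}

# Constructed sample: the same list after the console remediation removed the SSH rule.
SAMPLE_REMEDIATED = {
    "displayName": SAMPLE_DEFAULT["displayName"],
    "ingressSecurityRules": [
        r for r in SAMPLE_DEFAULT["ingressSecurityRules"] if r["protocol"] == ICMP
    ],
}

if __name__ == "__main__":
    for sl in (SAMPLE_DEFAULT, SAMPLE_REMEDIATED):
        result = evaluate(sl)
        print(result["status"], result["display_name"],
              "non-ICMP rules:", len(result["non_icmp_rules"]),
              "open SSH rules:", len(result["unrestricted_ssh_rules"]))
```

Feeding real data in is a matter of replacing the constructed samples with the parsed output of the OCI CLI or SDK; the `"all"` branch matters because a single catch-all rule satisfies neither the ICMP-only check nor the SSH check even though it never names port 22.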