Control: ELB classic load balancers should have at least one inbound rule
Description
Ensure that every security group attached to a classic load balancer has at least one inbound rule.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.elb_classic_lb_with_inbound_rule
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.elb_classic_lb_with_inbound_rule --share
SQL
This control uses a named query:
with sg_with_inbound as (
  select
    arn,
    sg
  from
    aws_ec2_classic_load_balancer,
    jsonb_array_elements_text(security_groups) as sg
    left join aws_vpc_security_group_rule as sgr on sg = sgr.group_id
  where
    sgr.type = 'ingress'
  group by
    sg,
    arn
),
classic_lb_without_inbound as (
  select distinct
    arn
  from
    aws_ec2_classic_load_balancer,
    jsonb_array_elements_text(security_groups) as s
  where
    s not in (
      select sg from sg_with_inbound
    )
)
select distinct
  c.arn as resource,
  case
    when c.security_groups is null then 'alarm'
    when i.arn is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when c.security_groups is null then c.title || ' does not have security group attached.'
    when i.arn is not null then c.title || ' all attached security groups do not have inbound rule(s).'
    else c.title || ' all attached security groups have inbound rule(s).'
  end as reason,
  c.region,
  c.account_id
from
  aws_ec2_classic_load_balancer as c
  left join classic_lb_without_inbound as i on c.arn = i.arn;
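To see how the query reaches each of its three verdicts without a live AWS connection, the following added example (not part of the Steampipe mod) creates temporary stand-ins for the two Steampipe tables the control reads, containing only the columns the query touches, and fills them with constructed rows; it assumes a plain PostgreSQL session.

```sql
-- Added example, not part of the Steampipe mod: temporary stand-ins for the two
-- Steampipe tables the control reads, with constructed rows covering each outcome.
create temp table aws_ec2_classic_load_balancer (
  arn text, title text, region text, account_id text, security_groups jsonb
);
create temp table aws_vpc_security_group_rule (group_id text, type text);

insert into aws_ec2_classic_load_balancer values
  ('arn:lb/web',  'web',  'us-east-1', '111111111111', '["sg-aaa", "sg-bbb"]'),
  ('arn:lb/api',  'api',  'us-east-1', '111111111111', '["sg-ccc"]'),
  ('arn:lb/bare', 'bare', 'us-east-1', '111111111111', null);

insert into aws_vpc_security_group_rule values
  ('sg-aaa', 'ingress'),
  ('sg-bbb', 'ingress'),
  ('sg-ccc', 'egress');  -- constructed: sg-ccc has an egress rule but no ingress rule

-- The control's named query, unchanged apart from layout and an order by.
with sg_with_inbound as (
  select arn, sg
  from aws_ec2_classic_load_balancer,
       jsonb_array_elements_text(security_groups) as sg
       left join aws_vpc_security_group_rule as sgr on sg = sgr.group_id
  where sgr.type = 'ingress'
  group by sg, arn
),
classic_lb_without_inbound as (
  select distinct arn
  from aws_ec2_classic_load_balancer,
       jsonb_array_elements_text(security_groups) as s
  where s not in (select sg from sg_with_inbound)
)
select distinct
  c.arn as resource,
  case
    when c.security_groups is null then 'alarm'
    when i.arn is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when c.security_groups is null then c.title || ' does not have security group attached.'
    when i.arn is not null then c.title || ' all attached security groups do not have inbound rule(s).'
    else c.title || ' all attached security groups have inbound rule(s).'
  end as reason,
  c.region,
  c.account_id
from aws_ec2_classic_load_balancer as c
left join classic_lb_without_inbound as i on c.arn = i.arn
order by resource;
```

With these rows the query reports `arn:lb/api` as alarm (its only security group has no ingress rule), `arn:lb/bare` as alarm (no security group attached) and `arn:lb/web` as ok, which also shows that a group carrying only egress rules counts as lacking inbound rules.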