🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: Ensure SSH is restricted to only IP address that should have this access

Description

Any ports enable within Lightsail by default are open and exposed to the world. For SSH and RDP access you should identify which IP address need access.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.lightsail_instance_ssh_restricted_ip

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.lightsail_instance_ssh_restricted_ip --share

SQL

This control uses a named query:

with open_ports as (
  select
    name,
    jsonb_array_elements(networking -> 'Ports') as port
  from
    aws_lightsail_instance
),
port_cidrs as (
  select
    op.name,
    (op.port ->> 'FromPort')::int as from_port,
    (op.port ->> 'ToPort')::int as to_port,
    op.port ->> 'Protocol' as protocol,
    jsonb_array_elements_text(op.port -> 'Cidrs') as cidr
  from
    open_ports op
),
unrestricted_ssh_ports as (
  select
    name
  from
    port_cidrs
  where
    from_port = 22
    and to_port = 22
    and protocol = 'tcp'
    and cidr = '0.0.0.0/0'
)
select
  i.name as resource,
  case
    when usp.name is null then 'ok'
    else 'alarm'
  end as status,
  case
    when usp.name is null then i.name || ' has SSH (22) restricted to specific IP addresses.'
    else i.name || ' has SSH (22) open to the world (0.0.0.0/0).'
  end as reason,
  i.tags
from
  aws_lightsail_instance i
  left join unrestricted_ssh_ports usp on i.name = usp.name;

Tags

category = Compliance
plugin = aws
service = AWS/Lightsail