Control: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
Description
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.vpc_security_group_restrict_ingress_rdp_all
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.vpc_security_group_restrict_ingress_rdp_all --share
SQL
This control uses a named query:
with ingress_rdp_rules as (
  select
    group_id,
    count(*) as num_rdp_rules
  from
    aws_vpc_security_group_rule
  where
    type = 'ingress'
    and cidr_ipv4 = '0.0.0.0/0'
    and (
      (
        ip_protocol = '-1'
        and from_port is null
      )
      or (
        from_port <= 3389
        and to_port >= 3389
      )
    )
  group by
    group_id
)
select
  arn as resource,
  case
    when ingress_rdp_rules.group_id is null then 'ok'
    else 'alarm'
  end as status,
  case
    when ingress_rdp_rules.group_id is null then sg.group_id || ' ingress restricted for RDP from 0.0.0.0/0.'
    else sg.group_id || ' contains ' || ingress_rdp_rules.num_rdp_rules || ' ingress rule(s) allowing RDP from 0.0.0.0/0.'
  end as reason,
  sg.region,
  sg.account_id
from
  aws_vpc_security_group as sg
  left join ingress_rdp_rules on ingress_rdp_rules.group_id = sg.group_id;
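The same evaluation logic, as an added example that is not part of the Powerpipe mod: it mirrors the named query's WHERE clause and CASE output over constructed rows shaped like aws_vpc_security_group_rule, so you can see which rule shapes (all-traffic `-1` rules, port ranges spanning 3389, internal-only CIDRs, egress rules) produce `alarm` versus `ok`. The group ids and rule rows are invented sample data.

```python
from collections import defaultdict

RDP_PORT = 3389
ANY_V4 = "0.0.0.0/0"

# Constructed sample rows shaped like aws_vpc_security_group_rule:
# (group_id, type, cidr_ipv4, ip_protocol, from_port, to_port).
SAMPLE_RULES = [
    ("sg-aaaa", "ingress", "0.0.0.0/0", "tcp", 3389, 3389),   # direct RDP from anywhere
    ("sg-aaaa", "ingress", "0.0.0.0/0", "-1", None, None),    # all traffic, all ports
    ("sg-bbbb", "ingress", "0.0.0.0/0", "tcp", 3000, 4000),   # range that spans 3389
    ("sg-cccc", "ingress", "10.0.0.0/8", "tcp", 3389, 3389),  # RDP, but internal CIDR only
    ("sg-dddd", "egress", "0.0.0.0/0", "-1", None, None),     # egress, not evaluated
    ("sg-eeee", "ingress", "0.0.0.0/0", "tcp", 443, 443),     # HTTPS, not RDP
]
SAMPLE_GROUPS = ["sg-aaaa", "sg-bbbb", "sg-cccc", "sg-dddd", "sg-eeee"]


def rule_exposes_rdp(rule_type, cidr_ipv4, ip_protocol, from_port, to_port):
    """Mirror the control's WHERE clause: an ingress rule from 0.0.0.0/0 that
    is either all protocols (ip_protocol '-1' with no ports) or a port range
    that contains 3389."""
    if rule_type != "ingress" or cidr_ipv4 != ANY_V4:
        return False
    if ip_protocol == "-1" and from_port is None:
        return True
    return (from_port is not None and to_port is not None
            and from_port <= RDP_PORT <= to_port)


def evaluate(groups, rules):
    """Return {group_id: (status, reason)} with the control's status/reason text."""
    counts = defaultdict(int)
    for group_id, *fields in rules:
        if rule_exposes_rdp(*fields):
            counts[group_id] += 1
    results = {}
    for gid in groups:  # the LEFT JOIN: every group gets a row, matched or not
        n = counts.get(gid, 0)
        if n == 0:
            results[gid] = ("ok", f"{gid} ingress restricted for RDP from 0.0.0.0/0.")
        else:
            results[gid] = ("alarm", f"{gid} contains {n} ingress rule(s) allowing RDP from 0.0.0.0/0.")
    return results


if __name__ == "__main__":
    for gid, (status, reason) in evaluate(SAMPLE_GROUPS, SAMPLE_RULES).items():
        print(status, reason)
```

As written, the query (and this mirror of it) inspects only cidr_ipv4, so an equivalent IPv6 rule from ::/0 would not raise an alarm.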