turbot/steampipe-mod-gcp-compliance

Control: Ensure no open firewall rules allow ingress from 0.0.0.0/0 to any port

Description

Firewall rules provide stateful filtering of ingress/egress network traffic to GCP resources. It is recommended that no firewall rule allows unrestricted ingress access from the internet to any port.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.compute_firewall_rule_restrict_ingress_all

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.compute_firewall_rule_restrict_ingress_all --share

SQL

This control uses a named query:

with ip_protocol_all as (
  select
    distinct name
  from
    gcp_compute_firewall
  where
    direction = 'INGRESS'
    -- source_ranges contains any literal that means "the whole internet" (IPv4 or IPv6)
    and source_ranges ?| array['0.0.0.0/0', '0.0.0.0', '::/0', '::0', '::']
    -- and at least one allowed entry opens every protocol, hence every port
    and allowed @> '[{"IPProtocol":"all"}]'
)
select
  self_link as resource,
  case
    when name in (select name from ip_protocol_all) then 'alarm'
    else 'ok'
  end as status,
  case
    when name in (select name from ip_protocol_all) then title || ' allows ingress from internet to all ports.'
    else title || ' restricts ingress from internet to all ports.'
  end as reason,
  location as location,
  project as project
from
  gcp_compute_firewall;
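To make the query's decision rules concrete, the following Python is an added mirror of its logic, not code from the mod: it applies the same three conditions (ingress direction, an internet-wide source range, an allowed entry with IPProtocol "all") to constructed rows shaped like gcp_compute_firewall records. The sample rules, their names and project are made up for the example; the source-range literals and the jsonb containment semantics are those of the query above.

```python
import json

# The literal source ranges the control treats as "open to the internet".
# Like the SQL, this is an exact string match against the jsonb array.
OPEN_SOURCE_RANGES = {"0.0.0.0/0", "0.0.0.0", "::/0", "::0", "::"}


def allows_all_protocols(allowed):
    """Mirror of `allowed @> '[{"IPProtocol":"all"}]'`.

    jsonb containment is satisfied when any element of the allowed array
    contains the key/value pair; extra keys (e.g. "ports") do not matter.
    """
    return any(entry.get("IPProtocol") == "all" for entry in allowed)


def has_open_source_range(source_ranges):
    """Mirror of `source_ranges ?| array[...]`; a NULL column yields false."""
    return any(r in OPEN_SOURCE_RANGES for r in (source_ranges or []))


def is_open_ingress(rule):
    """The WHERE clause of the ip_protocol_all CTE."""
    return (
        rule["direction"] == "INGRESS"
        and has_open_source_range(rule.get("source_ranges"))
        and allows_all_protocols(rule.get("allowed") or [])
    )


def evaluate(rule):
    """The outer SELECT: one result row (resource, status, reason, ...)."""
    status = "alarm" if is_open_ingress(rule) else "ok"
    verb = "allows" if status == "alarm" else "restricts"
    return {
        "resource": rule["self_link"],
        "status": status,
        "reason": f"{rule['title']} {verb} ingress from internet to all ports.",
        "location": rule["location"],
        "project": rule["project"],
    }


# Constructed sample rows (hypothetical project "example-proj"), one per case.
SAMPLE_RULES = [
    {"title": "open-all", "direction": "INGRESS",
     "source_ranges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"title": "ssh-only", "direction": "INGRESS",
     "source_ranges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"title": "internal-all", "direction": "INGRESS",
     "source_ranges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
    {"title": "egress-all", "direction": "EGRESS",
     "source_ranges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"title": "ipv6-open", "direction": "INGRESS",
     "source_ranges": ["::/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}, {"IPProtocol": "all"}]},
    {"title": "tag-scoped", "direction": "INGRESS",
     "source_ranges": None, "allowed": [{"IPProtocol": "all"}]},
]
for r in SAMPLE_RULES:
    r["name"] = r["title"]
    r["project"] = "example-proj"
    r["location"] = "global"
    r["self_link"] = f"https://www.googleapis.com/compute/v1/projects/example-proj/global/firewalls/{r['name']}"


def run_control(rules=SAMPLE_RULES):
    """Evaluate every rule and return the result rows, as the control would."""
    return [evaluate(r) for r in rules]


def alarmed_names(rules=SAMPLE_RULES):
    """Names of rules the control would report as 'alarm'."""
    return [row["resource"].rsplit("/", 1)[-1] for row in run_control(rules)
            if row["status"] == "alarm"]


if __name__ == "__main__":
    for row in run_control():
        print(json.dumps(row))
```

Only "open-all" and "ipv6-open" are flagged: a rule that opens a single port, one scoped to RFC 1918 space, an egress rule, and a rule with no source_ranges all evaluate to ok, exactly as the query's conjunction of conditions dictates.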

Tags