turbot/steampipe-mod-gcp-compliance

Control: Ensure no open firewall rules allow ingress from 0.0.0.0/0 to any port without any specific target

Description

Firewall rules provide stateful filtering of ingress/egress network traffic to GCP resources. It is recommended that no firewall rule allows unrestricted ingress access to any port without any specific target (target tags or target service accounts), because such a rule applies to every instance in the VPC network.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.compute_firewall_rule_restrict_ingress_all_with_no_specific_target

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.compute_firewall_rule_restrict_ingress_all_with_no_specific_target --share

SQL

This control uses a named query:

with ip_protocol_all as (
  -- Ingress rules open to the whole internet (IPv4 or IPv6 wildcard) that carry
  -- an allow list and are not scoped to any target tag or service account.
  select
    distinct name
  from
    gcp_compute_firewall
  where
    direction = 'INGRESS'
    and (
      source_ranges ?& array['0.0.0.0/0']
      or source_ranges ?& array['::0']
      or source_ranges ?& array['0.0.0.0']
      or source_ranges ?& array['::/0']
      or source_ranges ?& array['::']
    )
    and target_tags is null
    and allowed is not null   -- deny-only rules are not flagged
    and target_service_accounts is null
)
select
  self_link as resource,
  case
    when name in (select name from ip_protocol_all) then 'alarm'
    else 'ok'
  end as status,
  case
    when name in (select name from ip_protocol_all) then title || ' allows ingress from internet with no specific target.'
    else title || ' restricts ingress from internet with no specific target.'
  end as reason,
  location as location,
  project as project
from
  gcp_compute_firewall;
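The same evaluation re-implemented in Python as an added example (not part of the mod or its query) over constructed firewall-rule records shaped like the gcp_compute_firewall columns; the hypothetical self_link values and rule names are assumptions. It shows which edge cases the query flags and which it does not: IPv6 wildcards, deny-only rules, and rules scoped by a target tag.

```python
# Added example (not part of the mod): the control's logic re-implemented over
# firewall-rule records shaped like gcp_compute_firewall columns.

# Source ranges the named query treats as "anywhere on the internet".
OPEN_SOURCE_RANGES = {"0.0.0.0/0", "0.0.0.0", "::0", "::/0", "::"}

def is_open_with_no_target(rule: dict) -> bool:
    """Mirror the CTE: INGRESS, an open source range, an allow list, no targets."""
    if rule.get("direction") != "INGRESS":
        return False
    if not any(r in OPEN_SOURCE_RANGES for r in (rule.get("source_ranges") or [])):
        return False
    if not rule.get("allowed"):          # deny-only rules are not flagged
        return False
    # NULL target_tags and target_service_accounts: the rule applies to every instance.
    return rule.get("target_tags") is None and rule.get("target_service_accounts") is None

def evaluate(rule: dict) -> dict:
    """Return the resource/status/reason row the control emits for one rule."""
    flagged = is_open_with_no_target(rule)
    verb = "allows" if flagged else "restricts"
    return {
        "resource": rule["self_link"],
        "status": "alarm" if flagged else "ok",
        "reason": f"{rule['title']} {verb} ingress from internet with no specific target.",
    }

def run_control(rules: list) -> list:
    return [evaluate(r) for r in rules]

# Constructed sample rows (hypothetical rule names and self_links).
SAMPLE_RULES = [
    {"self_link": "fw/allow-ssh-any", "title": "allow-ssh-any", "direction": "INGRESS",
     "source_ranges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "target_tags": None, "target_service_accounts": None},          # alarm
    {"self_link": "fw/allow-web-tagged", "title": "allow-web-tagged", "direction": "INGRESS",
     "source_ranges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
     "target_tags": ["web"], "target_service_accounts": None},       # ok: scoped by tag
    {"self_link": "fw/allow-v6-any", "title": "allow-v6-any", "direction": "INGRESS",
     "source_ranges": ["::/0"], "allowed": [{"IPProtocol": "all"}],
     "target_tags": None, "target_service_accounts": None},          # alarm: IPv6 wildcard
    {"self_link": "fw/deny-all", "title": "deny-all", "direction": "INGRESS",
     "source_ranges": ["0.0.0.0/0"], "allowed": None, "denied": [{"IPProtocol": "all"}],
     "target_tags": None, "target_service_accounts": None},          # ok: deny-only
]

if __name__ == "__main__":
    for row in run_control(SAMPLE_RULES):
        print(row["status"], row["reason"])
```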

Tags