Control: Check for open firewall rules allowing SSH from the internet
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.restrict_firewall_rule_ssh_world_open
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.restrict_firewall_rule_ssh_world_open --share
SQL
This control uses a named query:
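-- Reports every firewall rule as 'alarm' when it lets the internet reach TCP
-- port 22, otherwise 'ok'. One row is returned per rule in
-- gcp_compute_firewall, with the columns resource, status, reason, location
-- and project.
with internet_ingress as (
  -- Ingress allow rules whose source ranges include the IPv4 any-address.
  -- NOTE(review): only the literal range 0.0.0.0/0 is matched. The IPv6
  -- any-address (::/0) and a split pair such as 0.0.0.0/1 + 128.0.0.0/1 are
  -- not treated as "internet" by this control.
  -- NOTE(review): rules are not filtered on whether they are currently
  -- enabled; confirm whether a disabled rule should still raise an alarm.
  select
    self_link,
    allowed
  from
    gcp_compute_firewall
  where
    direction = 'INGRESS'
    and action = 'Allow'
    and source_ranges ?& array['0.0.0.0/0']
),
ip_protocol_all as (
  -- Rules that open every port: protocol "all", or a tcp entry that carries
  -- no ports list (which applies to all TCP ports, 22 included).
  -- The tcp case is matched structurally. The earlier text pattern
  -- '%!{"IPProtocol": "tcp"}%' had no ESCAPE clause, so the '!' was a literal
  -- character that never occurs in the rendered jsonb and the branch could
  -- not match, leaving such rules reported as 'ok'.
  select
    f.self_link
  from
    internet_ingress as f
  where
    f.allowed @> '[{"IPProtocol":"all"}]'
    or exists (
      select
        1
      from
        jsonb_array_elements(f.allowed) as p
      where
        p ->> 'IPProtocol' = 'tcp'
        and (p -> 'ports') is null
    )
),
ip_protocol_tcp as (
  -- Rules with a tcp entry that names port 22 or a range containing it.
  select
    f.self_link
  from
    internet_ingress as f,
    jsonb_array_elements(f.allowed) as p,
    jsonb_array_elements_text(p -> 'ports') as port
  where
    p ->> 'IPProtocol' = 'tcp'
    and (
      port = '22'
      or (
        -- A range is written "low-high"; 22 is exposed when low <= 22 <= high.
        port like '%-%'
        and split_part(port, '-', 1) :: integer <= 22
        and split_part(port, '-', 2) :: integer >= 22
      )
    )
),
ssh_exposed as (
  -- Keyed on self_link rather than name: a rule name is unique only within
  -- one project, so matching on name could flag a same-named rule in another
  -- project when several projects are queried together.
  select self_link from ip_protocol_all
  union
  select self_link from ip_protocol_tcp
)
select
  fw.self_link as resource,
  case
    when fw.self_link in (select self_link from ssh_exposed) then 'alarm'
    else 'ok'
  end as status,
  case
    when fw.self_link in (select self_link from ssh_exposed)
      then fw.title || ' allows SSH access from internet.'
    else fw.title || ' restricts SSH access from internet.'
  end as reason,
  fw.location as location,
  fw.project as project
from
  gcp_compute_firewall as fw;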