Control: Ensure Instance IP assignment is set to private
Description
An instance address can be a public IP or a private IP. A public IP means that the instance is accessible through the public internet. In contrast, instances that use only a private IP are not accessible through the public internet, but are accessible through a Virtual Private Cloud (VPC).
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.sql_instance_not_publicly_accessible
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.sql_instance_not_publicly_accessible --share
SQL
This control uses a named query:
select
  self_link as resource,
  case
    when (ip_addresses @> '[{"type": "PRIVATE"}]' and ip_configuration ->> 'privateNetwork' is not null)
      and not (ip_addresses @> '[{"type": "PRIMARY"}]') then 'ok'
    else 'alarm'
  end as status,
  case
    when (ip_addresses @> '[{"type": "PRIVATE"}]' and ip_configuration ->> 'privateNetwork' is not null)
      and not (ip_addresses @> '[{"type": "PRIMARY"}]') then title || ' not publicly accessible.'
    else title || ' publicly accessible.'
  end as reason,
  location as location,
  project as project
from
  gcp_sql_database_instance;
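To see how the control's predicate treats each address combination, the following added example (not part of the compliance mod) applies the same condition to constructed rows in plain PostgreSQL. The `sample_instances` name, the instance titles, the addresses and the network path are assumptions made up for illustration; only the `private-only` row satisfies the condition, so an instance that has both a public and a private address still alarms.

```sql
-- Constructed sample rows (not real instances), shaped like the
-- ip_addresses and ip_configuration columns that the control reads.
with sample_instances (title, ip_addresses, ip_configuration) as (
  values
    -- Private address attached to a VPC, no public address.
    ('private-only',
     '[{"type": "PRIVATE", "ipAddress": "10.0.0.5"}]'::jsonb,
     '{"ipv4Enabled": false, "privateNetwork": "projects/example/global/networks/example-vpc"}'::jsonb),
    -- Public address only.
    ('public-only',
     '[{"type": "PRIMARY", "ipAddress": "203.0.113.10"}]'::jsonb,
     '{"ipv4Enabled": true}'::jsonb),
    -- Both a public and a private address.
    ('public-and-private',
     '[{"type": "PRIMARY", "ipAddress": "203.0.113.11"}, {"type": "PRIVATE", "ipAddress": "10.0.0.6"}]'::jsonb,
     '{"ipv4Enabled": true, "privateNetwork": "projects/example/global/networks/example-vpc"}'::jsonb),
    -- Private address listed, but no privateNetwork in the configuration.
    ('private-ip-no-network',
     '[{"type": "PRIVATE", "ipAddress": "10.0.0.7"}]'::jsonb,
     '{"ipv4Enabled": false}'::jsonb)
)
select
  title,
  -- Same predicate as the control: @> is jsonb containment, so the array
  -- must hold at least one element whose "type" matches.
  case
    when (ip_addresses @> '[{"type": "PRIVATE"}]'
          and ip_configuration ->> 'privateNetwork' is not null)
      and not (ip_addresses @> '[{"type": "PRIMARY"}]')
    then 'ok'
    else 'alarm'
  end as status
from
  sample_instances
order by
  title;
```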