Control: Ensure no open firewall rules allow ingress from 0.0.0.0/0 to any port
Description
Firewall rules provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to any port.
Usage
Run the control in your terminal:
  powerpipe control run gcp_compliance.control.compute_firewall_rule_restrict_ingress_all

Snapshot and share results via Turbot Pipes:

  powerpipe login
  powerpipe control run gcp_compliance.control.compute_firewall_rule_restrict_ingress_all --share

SQL
This control uses a named query:
  with ip_protocol_all as (
    select
      distinct name
    from
      gcp_compute_firewall
    where
      direction = 'INGRESS'
      and (
        source_ranges ?& array['0.0.0.0/0']
        or source_ranges ?& array['::0']
        or source_ranges ?& array['0.0.0.0']
        or source_ranges ?& array['::/0']
        or source_ranges ?& array['::']
      )
      and allowed @> '[{"IPProtocol":"all"}]'
  )
  select
    self_link resource,
    case
      when name in (select name from ip_protocol_all) then 'alarm'
      else 'ok'
    end as status,
    case
      when name in (select name from ip_protocol_all) then title || ' allows ingress from internet to all ports.'
      else title || ' restricts ingress from internet to all ports.'
    end as reason,
    location as location,
    project as project
  from
    gcp_compute_firewall;
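The query above alarms only when three things hold at once: the rule is INGRESS, at least one source range is one of the "whole internet" spellings (0.0.0.0/0, 0.0.0.0, ::/0, ::0, ::), and the allowed list contains an entry with IPProtocol "all". The following Python re-implements that exact condition over GCP Compute firewall resources represented as dicts in the shape the Compute API returns (name, direction, sourceRanges, allowed), so the logic can be exercised offline. It is an added example, not Steampipe or Powerpipe code; the sample rules, the project name and the selfLink values are constructed for the demonstration, and `name` stands in for the `title` column the SQL uses in its reason text.

```python
"""Offline re-implementation of compute_firewall_rule_restrict_ingress_all.

Added example (not Steampipe/Powerpipe code). Evaluates the same condition the
control's SQL expresses, over firewall rules shaped like GCP Compute API
Firewall resources. All sample data below is constructed.
"""
from typing import Iterable

# Source ranges the control treats as "the whole internet" (same list as the SQL).
UNRESTRICTED_SOURCES = frozenset({"0.0.0.0/0", "0.0.0.0", "::/0", "::0", "::"})


def allows_all_protocols(allowed: list[dict]) -> bool:
    """Mirror of `allowed @> '[{"IPProtocol":"all"}]'`: any entry with IPProtocol 'all'."""
    return any(entry.get("IPProtocol") == "all" for entry in allowed)


def is_unrestricted_ingress_all(rule: dict) -> bool:
    """True when the rule is INGRESS, sourced from an unrestricted range, and allows all protocols."""
    if rule.get("direction") != "INGRESS":
        return False
    sources = set(rule.get("sourceRanges") or [])
    if not (sources & UNRESTRICTED_SOURCES):
        return False
    return allows_all_protocols(rule.get("allowed") or [])


def evaluate(rules: Iterable[dict]) -> list[dict]:
    """One result row per rule, with the same status/reason wording as the control."""
    rows = []
    for rule in rules:
        alarm = is_unrestricted_ingress_all(rule)
        verb = "allows" if alarm else "restricts"
        rows.append({
            "resource": rule.get("selfLink"),
            "status": "alarm" if alarm else "ok",
            "reason": f"{rule['name']} {verb} ingress from internet to all ports.",
            "project": rule.get("project"),
        })
    return rows


# Constructed sample rules (hypothetical project "example-project", not real data).
_PREFIX = "projects/example-project/global/firewalls/"
SAMPLE_RULES = [
    {"name": "allow-all-from-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}],
     "selfLink": _PREFIX + "allow-all-from-anywhere", "project": "example-project"},
    {"name": "allow-https-from-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
     "selfLink": _PREFIX + "allow-https-from-anywhere", "project": "example-project"},
    {"name": "allow-all-from-corp", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}],
     "selfLink": _PREFIX + "allow-all-from-corp", "project": "example-project"},
    {"name": "egress-all", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}],
     "selfLink": _PREFIX + "egress-all", "project": "example-project"},
    {"name": "allow-all-v6-from-anywhere", "direction": "INGRESS",
     "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "all"}],
     "selfLink": _PREFIX + "allow-all-v6-from-anywhere", "project": "example-project"},
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_RULES):
        print(row["status"].upper().ljust(6), row["reason"])
```

Running the sample shows the scope of the check as written: the two rules that open every protocol to 0.0.0.0/0 or ::/0 alarm, while the rule that opens only TCP 443 to the internet, the rule that opens everything to an internal range, and the egress rule all report ok. A rule such as `{"IPProtocol": "tcp"}` with no `ports` key (every TCP port) would also pass this control, because the SQL matches only `IPProtocol: all`; teams that want port-level coverage need a separate check.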