Control: Ensure no open firewall rules allow ingress from 0.0.0.0/0 to any port without any specific target
Description
Firewall rules provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to any port without any specific target.
Usage
Run the control in your terminal:
```bash
powerpipe control run gcp_compliance.control.compute_firewall_rule_restrict_ingress_all_with_no_specific_target
```
Snapshot and share results via Turbot Pipes:
```bash
powerpipe login
powerpipe control run gcp_compliance.control.compute_firewall_rule_restrict_ingress_all_with_no_specific_target --share
```
SQL
This control uses a named query:
```sql
-- Rules that allow ingress from anywhere (IPv4 or IPv6) and are not scoped
-- to target tags or target service accounts, i.e. they apply to every
-- instance in the network.
with ip_protocol_all as (
  select
    distinct name
  from
    gcp_compute_firewall
  where
    direction = 'INGRESS'
    and (
      source_ranges ?& array['0.0.0.0/0']
      or source_ranges ?& array['::0']
      or source_ranges ?& array['0.0.0.0']
      or source_ranges ?& array['::/0']
      or source_ranges ?& array['::']
    )
    and target_tags is null
    and allowed is not null            -- only allow rules, not deny-only rules
    and target_service_accounts is null
)
select
  self_link resource,
  case
    when name in (select name from ip_protocol_all) then 'alarm'
    else 'ok'
  end as status,
  case
    when name in (select name from ip_protocol_all) then title || ' allows ingress from internet with no specific target.'
    else title || ' restricts ingress from internet with no specific target.'
  end as reason,
  location as location,
  project as project
from
  gcp_compute_firewall;
```
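The same alarm condition expressed in Python, as an added example that is not part of the mod: it evaluates constructed rule records shaped like the `gcp_compute_firewall` columns and, going slightly beyond the query, treats empty target lists the same as SQL NULL.

```python
"""Re-implement the control's alarm logic over firewall rule records.

Same conditions as the SQL: INGRESS direction, an allow list present, a
source range meaning "anywhere" (IPv4 or IPv6), and no target tags or
target service accounts. Sample data below is constructed for this example.
"""

# The same open ranges the SQL tests with the jsonb ?& operator.
OPEN_SOURCE_RANGES = {"0.0.0.0/0", "0.0.0.0", "::0", "::/0", "::"}

# Constructed sample rules (not real project data).
SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "source_ranges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "target_tags": None,
     "target_service_accounts": None, "project": "example-project"},
    {"name": "allow-web-tagged", "direction": "INGRESS", "source_ranges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}], "target_tags": ["web"],
     "target_service_accounts": None, "project": "example-project"},
    {"name": "allow-v6-anywhere", "direction": "INGRESS", "source_ranges": ["::/0"],
     "allowed": [{"IPProtocol": "all"}], "target_tags": None,
     "target_service_accounts": None, "project": "example-project"},
    {"name": "deny-all-ingress", "direction": "INGRESS", "source_ranges": ["0.0.0.0/0"],
     "allowed": None, "target_tags": None,
     "target_service_accounts": None, "project": "example-project"},
    {"name": "allow-internal", "direction": "INGRESS", "source_ranges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "all"}], "target_tags": None,
     "target_service_accounts": None, "project": "example-project"},
]


def is_open_ingress_no_target(rule: dict) -> bool:
    """True when the rule meets every condition of the control's alarm case."""
    if rule.get("direction") != "INGRESS":
        return False
    if not rule.get("allowed"):  # deny-only rules are not flagged by the control
        return False
    # Empty tag/service-account lists are treated like SQL NULL: no specific target.
    if rule.get("target_tags") or rule.get("target_service_accounts"):
        return False
    return any(r in OPEN_SOURCE_RANGES for r in rule.get("source_ranges") or [])


def evaluate(rules: list[dict]) -> dict[str, str]:
    """Map each rule name to 'alarm' or 'ok', as the control's status column does."""
    return {r["name"]: "alarm" if is_open_ingress_no_target(r) else "ok" for r in rules}


if __name__ == "__main__":
    for name, status in evaluate(SAMPLE_RULES).items():
        print(f"{status:5} {name}")
```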