Control: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.dnssec_prevent_rsasha1_ksk
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.dnssec_prevent_rsasha1_ksk --share
SQL
This control uses a named query:
select self_link resource, case when visibility = 'private' then 'skip' when dnssec_config_state is null then 'alarm' when dnssec_config_default_key_specs @> '[{"keyType": "keySigning", "algorithm": "rsasha1"}]' then 'alarm' else 'ok' end as status, case when visibility = 'private' then title || ' is private.' when dnssec_config_state is null then title || ' DNSSEC not enabled.' when dnssec_config_default_key_specs @> '[{"keyType": "keySigning", "algorithm": "rsasha1"}]' then title || ' using RSASHA1 algorithm for key-signing.' else title || ' not using RSASHA1 algorithm for key-signing.' end as reason , project as projectfrom gcp_dns_managed_zone;