turbot/steampipe-mod-gcp-compliance

Control: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.dnssec_prevent_rsasha1_ksk

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.dnssec_prevent_rsasha1_ksk --share

SQL

This control uses a named query:

select
  self_link resource,
  case
    when visibility = 'private' then 'skip'
    when dnssec_config_state is null then 'alarm'
    when dnssec_config_default_key_specs @> '[{"keyType": "keySigning", "algorithm": "rsasha1"}]' then 'alarm'
    else 'ok'
  end as status,
  case
    when visibility = 'private'
      then title || ' is private.'
    when dnssec_config_state is null
      then title || ' DNSSEC not enabled.'
    when dnssec_config_default_key_specs @> '[{"keyType": "keySigning", "algorithm": "rsasha1"}]'
      then title || ' using RSASHA1 algorithm for key-signing.'
    else title || ' not using RSASHA1 algorithm for key-signing.'
  end as reason,
  project as project
from
  gcp_dns_managed_zone;
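The decision logic of the query above, reproduced in Python over constructed zone rows so the three outcomes (skip, alarm, ok) and the jsonb `@>` containment semantics can be traced offline. This is an added example, not part of the mod; the rows, the `jsonb_contains` helper and the `evaluate`/`run_control` names are assumptions made for illustration.

```python
# Constructed rows shaped like the gcp_dns_managed_zone columns the control reads.
ZONES = [
    {"self_link": "zones/internal-zone", "title": "internal-zone", "project": "demo-project",
     "visibility": "private", "dnssec_config_state": None,
     "dnssec_config_default_key_specs": None},
    {"self_link": "zones/legacy-zone", "title": "legacy-zone", "project": "demo-project",
     "visibility": "public", "dnssec_config_state": None,
     "dnssec_config_default_key_specs": None},
    {"self_link": "zones/old-ksk-zone", "title": "old-ksk-zone", "project": "demo-project",
     "visibility": "public", "dnssec_config_state": "on",
     "dnssec_config_default_key_specs": [
         {"keyType": "keySigning", "algorithm": "rsasha1", "keyLength": 2048},
         {"keyType": "zoneSigning", "algorithm": "rsasha256", "keyLength": 1024}]},
    # RSASHA1 only on the zone-signing key: the control checks keyType == keySigning, so this is 'ok'.
    {"self_link": "zones/new-ksk-zone", "title": "new-ksk-zone", "project": "demo-project",
     "visibility": "public", "dnssec_config_state": "on",
     "dnssec_config_default_key_specs": [
         {"keyType": "keySigning", "algorithm": "rsasha256", "keyLength": 2048},
         {"keyType": "zoneSigning", "algorithm": "rsasha1", "keyLength": 1024}]},
]

# The right-hand side of the @> operator in the query.
RSASHA1_KSK = [{"keyType": "keySigning", "algorithm": "rsasha1"}]


def jsonb_contains(left, right):
    """Approximation of PostgreSQL jsonb '@>' for objects, arrays and scalars.

    An object contains another when every key/value of the right side is contained
    in the left; an array contains another when each right element is contained in
    some left element. A NULL left side yields False here, matching the query where
    NULL @> ... is not true and the row falls through to the 'else' branch.
    """
    if isinstance(right, dict):
        return isinstance(left, dict) and all(
            k in left and jsonb_contains(left[k], v) for k, v in right.items())
    if isinstance(right, list):
        return isinstance(left, list) and all(
            any(jsonb_contains(item, r) for item in left) for r in right)
    return left == right


def evaluate(zone):
    """Return (resource, status, reason) using the same branch order as the query."""
    title, resource = zone["title"], zone["self_link"]
    if zone["visibility"] == "private":
        return resource, "skip", f"{title} is private."
    if zone["dnssec_config_state"] is None:
        return resource, "alarm", f"{title} DNSSEC not enabled."
    if jsonb_contains(zone["dnssec_config_default_key_specs"], RSASHA1_KSK):
        return resource, "alarm", f"{title} using RSASHA1 algorithm for key-signing."
    return resource, "ok", f"{title} not using RSASHA1 algorithm for key-signing."


def run_control(zones=ZONES):
    return [evaluate(z) for z in zones]
```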

Tags