Control: VPC firewall rules should restrict ingress TCP and UDP access from 0.0.0.0/0 and ::/0
Description
This control checks whether any ingress firewall rule allows TCP or UDP traffic (or all protocols) from 0.0.0.0/0 or ::/0, i.e. from every IPv4 or IPv6 address, which would expose the resources behind that rule to unrestricted access.
Usage
Run the control in your terminal:
powerpipe control run gcp_perimeter.control.vpc_firewall_restrict_ingress_tcp_udp_all
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_perimeter.control.vpc_firewall_restrict_ingress_tcp_udp_all --share
Steampipe Tables
gcp_compute_firewall
SQL
with firewall_tcp_udp as (
  select distinct
    self_link
  from
    gcp_compute_firewall,
    jsonb_array_elements(allowed) as a
  where
    direction = 'INGRESS'
    and (
      source_ranges @> '["0.0.0.0/0"]'
      or source_ranges @> '["::/0"]'
    )
    and (a ->> 'IPProtocol' in ('tcp', 'udp', 'all'))
)
select
  f.self_link as resource,
  case
    when p.self_link is null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.self_link is null then f.title || ' does not allow TCP/UDP access from 0.0.0.0/0 or ::/0.'
    else f.title || ' allows TCP/UDP access from 0.0.0.0/0 or ::/0.'
  end as reason,
  f.location,
  f.project
from
  gcp_compute_firewall as f
  left join firewall_tcp_udp as p on p.self_link = f.self_link;
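The following Python is an added example, not part of the gcp_perimeter mod or Steampipe: it re-implements the control's decision logic over a constructed list of firewall rules shaped like the gcp_compute_firewall rows the query reads (self_link, title, direction, source_ranges, allowed, location, project), so the evaluation can be traced without a GCP project or a Steampipe connection. It goes slightly beyond the SQL, which matches only the literal strings 'tcp', 'udp' and 'all': the protocol comparison is case-insensitive and the assumed numeric forms '6' and '17' are treated as TCP and UDP as well, since GCP also accepts IP protocol numbers in firewall rules. Deny-only rules (no allowed block), egress rules and rules scoped to private ranges are included in the sample to show that they correctly evaluate to ok.

```python
"""Local re-implementation of the vpc_firewall_restrict_ingress_tcp_udp_all check.

Added example; the rule records below are constructed, not real GCP data.
"""

# Source ranges that mean "every IPv4 / IPv6 address", exactly as the control tests them.
OPEN_SOURCE_RANGES = {"0.0.0.0/0", "::/0"}

# Protocol values that count as TCP/UDP exposure. The control's SQL matches only
# 'tcp', 'udp' and 'all'; '6' and '17' are an added assumption covering GCP's
# numeric protocol syntax.
TCP_UDP_PROTOCOLS = {"tcp", "udp", "all", "6", "17"}


def allows_tcp_udp_from_anywhere(rule: dict) -> bool:
    """Return True when the rule would be selected by the firewall_tcp_udp CTE."""
    if rule.get("direction") != "INGRESS":
        return False
    # jsonb containment on source_ranges: any open range is enough.
    if not OPEN_SOURCE_RANGES.intersection(rule.get("source_ranges") or []):
        return False
    # Deny rules carry a 'denied' list and no 'allowed' list; jsonb_array_elements
    # of NULL yields no rows, so those rules never match. Same here.
    for entry in rule.get("allowed") or []:
        proto = str(entry.get("IPProtocol", "")).lower()
        if proto in TCP_UDP_PROTOCOLS:
            return True
    return False


def evaluate(rules: list[dict]) -> list[dict]:
    """Produce one row per rule with the same columns the control emits."""
    results = []
    for rule in rules:
        exposed = allows_tcp_udp_from_anywhere(rule)
        if exposed:
            reason = f"{rule['title']} allows TCP/UDP access from 0.0.0.0/0 or ::/0."
        else:
            reason = f"{rule['title']} does not allow TCP/UDP access from 0.0.0.0/0 or ::/0."
        results.append(
            {
                "resource": rule["self_link"],
                "status": "alarm" if exposed else "ok",
                "reason": reason,
                "location": rule.get("location"),
                "project": rule.get("project"),
            }
        )
    return results


def _rule(name: str, **fields) -> dict:
    """Build a constructed firewall row; 'example-project' is a placeholder id."""
    base = {
        "self_link": f"https://www.googleapis.com/compute/v1/projects/example-project/global/firewalls/{name}",
        "title": name,
        "location": "global",
        "project": "example-project",
    }
    base.update(fields)
    return base


# Constructed sample rules covering the cases the control distinguishes.
SAMPLE_RULES = [
    _rule("allow-ssh-anywhere", direction="INGRESS", source_ranges=["0.0.0.0/0"],
          allowed=[{"IPProtocol": "tcp", "ports": ["22"]}]),
    _rule("allow-icmp-anywhere", direction="INGRESS", source_ranges=["0.0.0.0/0"],
          allowed=[{"IPProtocol": "icmp"}]),
    _rule("allow-all-ipv6", direction="INGRESS", source_ranges=["::/0"],
          allowed=[{"IPProtocol": "all"}]),
    _rule("allow-internal-udp", direction="INGRESS", source_ranges=["10.0.0.0/8"],
          allowed=[{"IPProtocol": "udp"}]),
    _rule("deny-all-ingress", direction="INGRESS", source_ranges=["0.0.0.0/0"],
          denied=[{"IPProtocol": "all"}]),
    _rule("allow-egress-anywhere", direction="EGRESS", destination_ranges=["0.0.0.0/0"],
          allowed=[{"IPProtocol": "tcp"}]),
]


def alarmed_rules(rules: list[dict]) -> list[str]:
    """Titles of rules the control would report as 'alarm'."""
    return [r["resource"].rsplit("/", 1)[-1] for r in evaluate(rules) if r["status"] == "alarm"]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_RULES):
        print(f"{row['status']:5}  {row['reason']}")
```

Running the module prints one line per sample rule; only allow-ssh-anywhere and allow-all-ipv6 come back as alarm. Note that, like the SQL, this check keys on the exact strings 0.0.0.0/0 and ::/0, so a rule that reaches the same breadth through several large ranges (for example 0.0.0.0/1 plus 128.0.0.0/1) is not flagged by this control.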