turbot/steampipe-mod-gcp-perimeter

Control: VPC firewall rules should restrict ingress TCP and UDP access from 0.0.0.0/0 and ::/0

Description

This control checks whether any INGRESS firewall rule that allows the tcp, udp or all protocol lists 0.0.0.0/0 or ::/0 among its source ranges. Such a rule exposes the allowed ports on every instance the rule targets to the whole internet. Note that the match is a literal one against the source_ranges list: a rule that reaches the same coverage with split ranges such as 0.0.0.0/1 and 128.0.0.0/1, or that opens the world through a protocol other than tcp, udp or all, is not flagged here.

Usage

Run the control in your terminal:

powerpipe control run gcp_perimeter.control.vpc_firewall_restrict_ingress_tcp_udp_all

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_perimeter.control.vpc_firewall_restrict_ingress_tcp_udp_all --share

Steampipe Tables

gcp_compute_firewall

SQL

with firewall_tcp_udp as (
  select
    distinct self_link
  from
    gcp_compute_firewall,
    jsonb_array_elements(allowed) as a
  where
    direction = 'INGRESS'
    and (
      source_ranges @> '["0.0.0.0/0"]'
      or source_ranges @> '["::/0"]'
    )
    and (
      a ->> 'IPProtocol' in ('tcp', 'udp', 'all')
    )
)
select
  f.self_link as resource,
  case
    when p.self_link is null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.self_link is null then f.title || ' does not allow TCP/UDP access from 0.0.0.0/0 or ::/0.'
    else f.title || ' allows TCP/UDP access from 0.0.0.0/0 or ::/0.'
  end as reason
  , f.location, f.project
from
  gcp_compute_firewall as f
  left join firewall_tcp_udp as p on p.self_link = f.self_link;
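The control query above only says that a rule is in alarm. When triaging, the practitioner usually wants to know which protocol and ports are open, whether the rule is actually active, and which instances it reaches. The following query is an added example and is not part of the gcp_perimeter mod; it runs in the same Steampipe (PostgreSQL) session. It also replaces the literal string match with a prefix-length test over every source range, so that a range written in any form that covers the whole address space (masklen 0) is caught. The columns it uses beyond those in the control (disabled, priority, network_name, target_tags, target_service_accounts) are assumed here to be the ones exposed by the Steampipe gcp_compute_firewall table.

```sql
-- Added triage query (not part of the gcp_perimeter mod). Lists every
-- INGRESS rule that allows tcp/udp/all from a source range covering the
-- entire address space, together with the ports it opens and the
-- instances it applies to.
-- Assumed gcp_compute_firewall columns beyond those used by the control:
-- disabled, priority, network_name, target_tags, target_service_accounts.
with world_open as (
  select
    f.self_link,
    f.title,
    f.project,
    f.network_name,
    f.priority,
    f.disabled,
    f.target_tags,
    f.target_service_accounts,
    a ->> 'IPProtocol' as protocol,
    -- A missing "ports" key means every port for that protocol.
    coalesce(a -> 'ports', '["all"]'::jsonb) as ports
  from
    gcp_compute_firewall as f,
    jsonb_array_elements(f.allowed) as a
  where
    f.direction = 'INGRESS'
    and a ->> 'IPProtocol' in ('tcp', 'udp', 'all')
    -- Prefix length 0 covers the whole v4 or v6 space regardless of how
    -- the range string is spelled (0.0.0.0/0, ::/0, 0000::/0, ...).
    and exists (
      select 1
      from jsonb_array_elements_text(f.source_ranges) as r
      where masklen(r::inet) = 0
    )
)
select
  project,
  network_name,
  title as rule,
  protocol,
  ports,
  priority,
  -- A disabled rule is still worth cleaning up, but it is not an open exposure.
  disabled,
  -- No target tags and no target service accounts means the rule applies to
  -- every instance in the network.
  case
    when coalesce(jsonb_array_length(target_tags), 0) = 0
     and coalesce(jsonb_array_length(target_service_accounts), 0) = 0
      then 'all instances in network'
    else 'tags=' || coalesce(target_tags::text, '[]')
      || ' service_accounts=' || coalesce(target_service_accounts::text, '[]')
  end as applies_to
from
  world_open
order by
  disabled, priority, project, network_name, rule;
```

Sort order puts enabled rules first and, within those, the lowest priority number (which GCP evaluates first) at the top, so the rows that actually decide traffic are the ones you read first. Because the rule is matched on masklen rather than on the literal "0.0.0.0/0", this query is stricter than the control and may report rules the control marks as ok.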

Tags