Control: 6.2.1 Ensure no VPC access control lists allow ingress from 0.0.0.0/0 to port 22
Description
VPC access control lists filter all incoming and outgoing traffic in IBM Cloud VPC. An ACL is a built-in, virtual firewall where ACL rules control traffic to and from the subnets, rather than to and from the virtual servers. It is recommended that no ACL allows unrestricted ingress access to port 22.
Remediation
From Console
- Log in to the IBM Cloud Portal.
- At the Menu icon, select VPC Infrastructure-->Access Control Lists.
- For each security group, perform the following:
  a. Select the access control list name.
  b. Identify the Inbound rule to be removed.
  c. Using the Options icon, select Delete.
Usage
Run the control in your terminal:
powerpipe control run ibm_compliance.control.cis_v100_6_2_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_6_2_1 --share
SQL
This control uses a named query:
with ingress_ssh_rules as (
  select
    crn,
    count(id) as num_ssh_rules
  from
    ibm_is_network_acl,
    jsonb_array_elements(rules) as rule
  where
    rule ->> 'direction' = 'inbound'
    and rule ->> 'source' = '0.0.0.0/0'
    and rule ->> 'action' = 'allow'
    and (
      rule ->> 'protocol' = 'all'
      or (
        (rule ->> 'source_port_min') :: integer <= 22
        and (rule ->> 'source_port_max') :: integer >= 22
      )
    )
  group by
    crn
)
select
  acl.crn as resource,
  case
    when r.crn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when r.crn is null then acl.title || ' ingress restricted for SSH from 0.0.0.0/0.'
    else acl.title || ' contains ' || r.num_ssh_rules || ' ingress rule(s) allowing SSH from 0.0.0.0/0.'
  end as reason,
  acl.region,
  acl.account_id
from
  ibm_is_network_acl as acl
  left join ingress_ssh_rules as r on r.crn = acl.crn;
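The same check as the named query, re-implemented in Python over constructed ACL rule objects so the matching conditions can be traced rule by rule (an added example, not part of the ibm_compliance mod; the CRNs and titles are placeholders):

```python
"""Python mirror of the control's named query (added example, not mod code).
An ACL rule counts when it is inbound, from 0.0.0.0/0, action allow, and
either protocol 'all' or a source port range covering 22, as in the SQL."""
from typing import Any

SSH_PORT = 22
ANY_SOURCE = "0.0.0.0/0"


def rule_allows_world_ssh(rule: dict[str, Any]) -> bool:
    """Mirror the WHERE clause of the named query for one ACL rule."""
    if rule.get("direction") != "inbound":
        return False
    if rule.get("source") != ANY_SOURCE or rule.get("action") != "allow":
        return False
    if rule.get("protocol") == "all":
        return True
    # The query casts source_port_min/max to integer; a rule without a port
    # range (e.g. icmp) yields NULL comparisons in SQL, so it does not match.
    lo, hi = rule.get("source_port_min"), rule.get("source_port_max")
    if lo is None or hi is None:
        return False
    return int(lo) <= SSH_PORT <= int(hi)


def evaluate_acl(acl: dict[str, Any]) -> dict[str, str]:
    """Return the resource/status/reason triple the control emits."""
    num = sum(1 for r in acl.get("rules", []) if rule_allows_world_ssh(r))
    if num == 0:
        status = "ok"
        reason = f"{acl['title']} ingress restricted for SSH from {ANY_SOURCE}."
    else:
        status = "alarm"
        reason = f"{acl['title']} contains {num} ingress rule(s) allowing SSH from {ANY_SOURCE}."
    return {"resource": acl["crn"], "status": status, "reason": reason}


# Constructed sample ACLs; CRNs are placeholders, not real resources.
SAMPLE_ACLS = [
    {"crn": "crn:placeholder:network-acl:web-acl", "title": "web-acl", "rules": [
        {"direction": "inbound", "source": "0.0.0.0/0", "action": "allow",
         "protocol": "tcp", "source_port_min": 1, "source_port_max": 65535},
        {"direction": "inbound", "source": "0.0.0.0/0", "action": "deny", "protocol": "all"},
    ]},
    {"crn": "crn:placeholder:network-acl:bastion-acl", "title": "bastion-acl", "rules": [
        {"direction": "inbound", "source": "10.0.0.0/8", "action": "allow",
         "protocol": "tcp", "source_port_min": 22, "source_port_max": 22},
        {"direction": "outbound", "source": "0.0.0.0/0", "action": "allow", "protocol": "all"},
    ]},
]


def run_control(acls: list[dict[str, Any]] = SAMPLE_ACLS) -> list[dict[str, str]]:
    return [evaluate_acl(a) for a in acls]
```

Like the query, this ignores rule ordering: an earlier deny rule that would shadow the allow on a live ACL still produces an alarm, which is the conservative result for a compliance check.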