Control: 6.2.3 Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 3389
Description
VPC security groups provide stateful filtering of ingress/egress network traffic to Virtual Server Instances. It is recommended that no security group allows unrestricted ingress access to port 3389.
Remediation
From Console
- Login to the IBM Cloud Portal.
- At the Menu icon, select VPC Infrastructure --> Security Groups.
- For each security group, perform the following:
  a. Select the access control list name.
  b. Identify the Inbound rule to be removed.
  c. Using the Options icon, select Delete.
 
Usage
Run the control in your terminal:
powerpipe control run ibm_compliance.control.cis_v100_6_2_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_6_2_3 --share
SQL
This control uses a named query:
with ingress_rdp_rules as (
  select
    crn,
    count(id) as num_rdp_rules
  from
    ibm_is_security_group,
    jsonb_array_elements(rules) as rule
  where
    rule ->> 'direction' = 'inbound'
    and rule -> 'remote' ->> 'cidr_block' = '0.0.0.0/0'
    and (
      rule ->> 'protocol' = 'all'
      or (
        (rule ->> 'port_min') :: integer <= 3389
        and (rule ->> 'port_max') :: integer >= 3389
      )
    )
  group by crn
)
select
  sg.crn as resource,
  case
    when r.crn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when r.crn is null then sg.title || ' ingress restricted for RDP from 0.0.0.0/0.'
    else sg.title || ' contains ' || r.num_rdp_rules || ' ingress rule(s) allowing RDP from 0.0.0.0/0.'
  end as reason,
  sg.region,
  sg.account_id
from
  ibm_is_security_group as sg
  left join ingress_rdp_rules as r on r.crn = sg.crn;
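The matching logic of that query, re-implemented as an added Python example (not part of the mod) over constructed security group records so it can be run and checked offline. The record shape assumes only the fields the query reads from ibm_is_security_group: crn, title, region, account_id and a rules list whose items carry direction, protocol, port_min, port_max and remote.cidr_block.

```python
from typing import Iterable

RDP_PORT = 3389
ANY_V4 = "0.0.0.0/0"

def rule_exposes_rdp(rule: dict) -> bool:
    """True for an inbound rule from 0.0.0.0/0 whose protocol is 'all' or whose port range covers 3389."""
    if rule.get("direction") != "inbound":
        return False
    if (rule.get("remote") or {}).get("cidr_block") != ANY_V4:
        return False
    if rule.get("protocol") == "all":
        return True
    try:
        lo, hi = int(rule["port_min"]), int(rule["port_max"])
    except (KeyError, TypeError, ValueError):
        return False  # e.g. icmp rules carry no port range; the SQL cast yields null, so no match
    return lo <= RDP_PORT <= hi

def evaluate_security_group(sg: dict) -> dict:
    """Build the row the control emits (resource, status, reason) for one security group."""
    hits = [r for r in sg.get("rules", []) if rule_exposes_rdp(r)]
    if hits:
        status, reason = "alarm", f"{sg['title']} contains {len(hits)} ingress rule(s) allowing RDP from 0.0.0.0/0."
    else:
        status, reason = "ok", f"{sg['title']} ingress restricted for RDP from 0.0.0.0/0."
    return {"resource": sg["crn"], "status": status, "reason": reason,
            "region": sg.get("region"), "account_id": sg.get("account_id")}

def run_control(groups: Iterable[dict]) -> list:
    return [evaluate_security_group(g) for g in groups]

# Constructed sample records (hypothetical CRNs), not real cloud resources.
SAMPLE_GROUPS = [
    {"crn": "crn:example:sg-open", "title": "sg-open", "region": "us-south", "account_id": "acct-1",
     "rules": [
         {"direction": "inbound", "protocol": "tcp", "port_min": 3389, "port_max": 3389, "remote": {"cidr_block": "0.0.0.0/0"}},
         {"direction": "inbound", "protocol": "tcp", "port_min": 1, "port_max": 65535, "remote": {"cidr_block": "0.0.0.0/0"}},
         {"direction": "outbound", "protocol": "all", "remote": {"cidr_block": "0.0.0.0/0"}},
     ]},
    {"crn": "crn:example:sg-restricted", "title": "sg-restricted", "region": "us-south", "account_id": "acct-1",
     "rules": [
         {"direction": "inbound", "protocol": "tcp", "port_min": 3389, "port_max": 3389, "remote": {"cidr_block": "10.0.0.0/8"}},
         {"direction": "inbound", "protocol": "icmp", "remote": {"cidr_block": "0.0.0.0/0"}},
     ]},
]

if __name__ == "__main__":
    for row in run_control(SAMPLE_GROUPS):
        print(row["status"], row["reason"])
```

A wide inbound range such as 1-65535 counts as an RDP exposure exactly as the query's port_min/port_max comparison does, which is why the open sample group reports two rules rather than one.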