Control: 6.2.4 Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 22
Description
VPC security groups provide stateful filtering of ingress/egress network traffic to Virtual Servers. It is recommended that no security group allows unrestricted ingress access to port 22.
Remediation
From Console
- Log in to the IBM Cloud Portal.
- At the Menu icon, select VPC Infrastructure --> Security Groups.
- For each security group, perform the following:
  a. Select the security group name.
  b. Identify the inbound rule to be removed.
  c. Using the Options icon, select Delete.
Usage
Run the control in your terminal:
powerpipe control run ibm_compliance.control.cis_v100_6_2_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_6_2_4 --share
SQL
This control uses a named query:
with ingress_ssh_rules as (
  select
    crn,
    count(id) as num_ssh_rules
  from
    ibm_is_security_group,
    jsonb_array_elements(rules) as rule
  where
    rule ->> 'direction' = 'inbound'
    and rule -> 'remote' ->> 'cidr_block' = '0.0.0.0/0'
    and (
      rule ->> 'protocol' = 'all'
      or (
        (rule ->> 'port_min') :: integer <= 22
        and (rule ->> 'port_max') :: integer >= 22
      )
    )
  group by
    crn
)
select
  sg.crn as resource,
  case
    when r.crn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when r.crn is null then sg.title || ' ingress restricted for port 22 from 0.0.0.0/0.'
    else sg.title || ' contains ' || r.num_ssh_rules || ' ingress rule(s) allowing port 22 from 0.0.0.0/0.'
  end as reason,
  sg.region,
  sg.account_id
from
  ibm_is_security_group as sg
  left join ingress_ssh_rules as r on r.crn = sg.crn;
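The query above flags a rule only when it is inbound, its remote is the CIDR block 0.0.0.0/0, and it either covers all protocols or a port range that contains 22. The following Python is an added example, not part of the Powerpipe mod or the Steampipe IBM plugin: it re-implements that predicate over the same `rules` JSON shape the query reads (`direction`, `protocol`, `port_min`, `port_max`, `remote.cidr_block`), so the control's logic can be checked against constructed security-group data without a Steampipe database. The sample groups are constructed; the security-group id used as a remote is a placeholder.

```python
"""Local re-implementation of the cis_v100_6_2_4 predicate (added example)."""
from typing import Any, Iterable, List, Mapping, Tuple

SSH_PORT = 22
ANY_IPV4 = "0.0.0.0/0"


def rule_allows_ssh_from_anywhere(rule: Mapping[str, Any]) -> bool:
    """Mirror of the WHERE clause in the ingress_ssh_rules CTE.

    Rules whose remote is an address or another security group carry no
    'cidr_block' key, so they never match; the SQL behaves the same way
    because `rule -> 'remote' ->> 'cidr_block'` is NULL for them.
    """
    if rule.get("direction") != "inbound":
        return False
    remote = rule.get("remote") or {}
    if remote.get("cidr_block") != ANY_IPV4:
        return False
    if rule.get("protocol") == "all":
        return True
    port_min, port_max = rule.get("port_min"), rule.get("port_max")
    # The SQL casts port_min/port_max to integer; for a rule without ports
    # (e.g. icmp) the comparison evaluates to NULL, i.e. no match.
    if port_min is None or port_max is None:
        return False
    return int(port_min) <= SSH_PORT <= int(port_max)


def count_ssh_rules(rules: Iterable[Mapping[str, Any]]) -> int:
    """Equivalent of count(id) ... group by crn for one security group."""
    return sum(1 for r in rules if rule_allows_ssh_from_anywhere(r))


def evaluate_security_group(sg: Mapping[str, Any]) -> Tuple[str, str]:
    """Return (status, reason) with the same wording as the control's SELECT."""
    n = count_ssh_rules(sg.get("rules", []))
    if n == 0:
        return "ok", f"{sg['title']} ingress restricted for port 22 from 0.0.0.0/0."
    return "alarm", f"{sg['title']} contains {n} ingress rule(s) allowing port 22 from 0.0.0.0/0."


def evaluate_all(groups: Iterable[Mapping[str, Any]]) -> List[Tuple[str, str, str]]:
    """One (title, status, reason) row per group, like the control's result set."""
    return [(g["title"],) + evaluate_security_group(g) for g in groups]


# Constructed sample data (not real account output).
SAMPLE_GROUPS = [
    {
        "title": "sg-web",
        "rules": [
            {"direction": "inbound", "protocol": "tcp", "port_min": 443, "port_max": 443,
             "remote": {"cidr_block": "0.0.0.0/0"}},
            # SSH restricted to a private range: compliant
            {"direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
             "remote": {"cidr_block": "10.0.0.0/8"}},
            # Outbound rules are never considered
            {"direction": "outbound", "protocol": "all", "remote": {"cidr_block": "0.0.0.0/0"}},
        ],
    },
    {
        "title": "sg-bastion",
        "rules": [
            # Range 20-25 contains 22: flagged
            {"direction": "inbound", "protocol": "tcp", "port_min": 20, "port_max": 25,
             "remote": {"cidr_block": "0.0.0.0/0"}},
            # protocol 'all' from anywhere: flagged regardless of ports
            {"direction": "inbound", "protocol": "all", "remote": {"cidr_block": "0.0.0.0/0"}},
            # Remote is another security group (placeholder id): not flagged
            {"direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
             "remote": {"id": "SG-ID-PLACEHOLDER", "name": "sg-web"}},
            # ICMP has no ports: not flagged
            {"direction": "inbound", "protocol": "icmp", "remote": {"cidr_block": "0.0.0.0/0"}},
        ],
    },
    {
        "title": "sg-ipv6",
        "rules": [
            # IPv6 any-source rule: the control only compares against 0.0.0.0/0
            {"direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
             "remote": {"cidr_block": "::/0"}},
        ],
    },
]

if __name__ == "__main__":
    for title, status, reason in evaluate_all(SAMPLE_GROUPS):
        print(f"{status:5s} {title}: {reason}")
```

Running the sample shows sg-web as ok, sg-bastion in alarm with 2 rules (the 20-25 range and the protocol-all rule), and sg-ipv6 as ok. That last row is worth noting when reading the control's results: the query matches only the literal IPv4 string `0.0.0.0/0`, so an inbound rule open to `::/0` on port 22 is not reported by this control and needs a separate check.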