Query: vpc_network_acl_restrict_ingress_ssh_all
Usage
powerpipe query ibm_compliance.query.vpc_network_acl_restrict_ingress_ssh_all
Steampipe Tables
SQL
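-- Flags IBM VPC network ACLs that allow inbound SSH (port 22) from anywhere (0.0.0.0/0).
-- Output: one row per ACL with resource (crn), status ('ok' | 'alarm'), reason, region, account_id.
--
-- ingress_ssh_rules: per ACL, the number of inbound 'allow' rules whose source is 0.0.0.0/0
-- and whose protocol is 'all' or whose port range on the protected side covers port 22.
-- On an inbound rule the *destination* port range is the one that identifies SSH; the
-- source port of a connecting client is an ephemeral port, so matching on
-- source_port_min/max both misses real SSH rules (e.g. source 1024-65535 -> dest 22)
-- and falsely counts rules that merely span port 22 on the client side.
with ingress_ssh_rules as (
  select
    crn,
    count(id) as num_ssh_rules
  from
    ibm_is_network_acl,
    jsonb_array_elements(rules) as rule
  where
    rule ->> 'direction' = 'inbound'
    and rule ->> 'source' = '0.0.0.0/0'
    and rule ->> 'action' = 'allow'
    and (
      rule ->> 'protocol' = 'all'
      or (
        -- port fields are absent on non-TCP/UDP rules; the casts yield NULL, the
        -- comparison is UNKNOWN and the rule is simply not counted by this branch
        (rule ->> 'destination_port_min') :: integer <= 22
        and (rule ->> 'destination_port_max') :: integer >= 22
      )
    )
    -- NOTE(review): rule evaluation order is not considered here, so an allow rule
    -- shadowed by a higher-priority deny is still counted; this errs toward 'alarm'.
  group by
    crn
)
select
  acl.crn as resource,
  -- no matching row in ingress_ssh_rules means no open SSH ingress rule was found
  case
    when r.crn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when r.crn is null then acl.title || ' ingress restricted for SSH from 0.0.0.0/0.'
    else acl.title || ' contains ' || r.num_ssh_rules || ' ingress rule(s) allowing SSH from 0.0.0.0/0.'
  end as reason,
  acl.region,
  acl.account_id
from
  ibm_is_network_acl as acl
  left join ingress_ssh_rules as r on r.crn = acl.crn;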
Controls
The query is being used by the following controls: