Control: Network ACL should not allow unrestricted FTP port 20 access
Description
This control checks whether the Network ACL allows unrestricted ingress on FTP port 20.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.vpc_network_acl_allow_ftp_port_20_ingress
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_aws_compliance.control.vpc_network_acl_allow_ftp_port_20_ingress --share
SQL
This control uses a named query:
with rules as (
  select distinct
    address as name
  from
    terraform_resource,
    -- a single ingress block is an object, several are an array; normalise to an array
    jsonb_array_elements(
      case jsonb_typeof(attributes_std -> 'ingress')
        when 'array' then (attributes_std -> 'ingress')
        else jsonb_build_array(attributes_std -> 'ingress')
      end
    ) ingress
  where
    type = 'aws_network_acl'
    and ingress is not null
    and (
      ingress ->> 'cidr_block' = '0.0.0.0/0'
      or ingress ->> 'ipv6_cidr_block' = '::/0'
    )
    and ingress ->> 'action' = 'allow'
    and (
      -- protocol -1 covers every port; otherwise port 20 must fall inside the rule's range
      ingress ->> 'protocol' = '-1'
      or (
        (ingress ->> 'from_port') :: integer <= 20
        and (ingress ->> 'to_port') :: integer >= 20
      )
    )
)
select
  r.address as resource,
  case
    when g.name is null then 'ok'
    else 'alarm'
  end as status,
  split_part(r.address, '.', 2) || case
    when g.name is null then ' restricts FTP data port 20 access from the internet'
    else ' allows FTP data port 20 access from the internet'
  end || '.' as reason,
  path || ':' || start_line
from
  terraform_resource as r
  left join rules as g on g.name = r.address
where
  type = 'aws_network_acl';
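As an added illustration, not part of the terraform_aws_compliance mod's own documentation, the Terraform below shows two aws_network_acl resources this control reports as alarm and one it reports as ok; the aws_vpc.example reference is assumed to exist elsewhere in the configuration.

```hcl
# Added example, not from the terraform_aws_compliance mod.
# aws_vpc.example is an assumed resource defined elsewhere.

# alarm: action is allow, the source is 0.0.0.0/0 and port 20 sits
# inside the 20-21 range, so the rule matches the control's query.
resource "aws_network_acl" "ftp_open" {
  vpc_id = aws_vpc.example.id

  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 20
    to_port    = 21
  }
}

# alarm: protocol "-1" means every protocol and port (from_port and
# to_port are 0 for such rules), so port 20 is open to the internet too.
resource "aws_network_acl" "all_open" {
  vpc_id = aws_vpc.example.id

  ingress {
    rule_no    = 100
    protocol   = "-1"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }
}

# ok: FTP data is only allowed from the VPC's own address range, so no
# allow rule with an unrestricted CIDR covers port 20.
resource "aws_network_acl" "ftp_restricted" {
  vpc_id = aws_vpc.example.id

  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "10.0.0.0/16"
    from_port  = 20
    to_port    = 21
  }
}
```

A deny rule for 0.0.0.0/0 never trips the control on its own, since the query only inspects rules whose action is allow.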