Control: VPC security groups should restrict ingress SSH access from 0.0.0.0/0
Description
AWS Elastic Compute Cloud (AWS EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted SSH access from 0.0.0.0/0.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.vpc_security_group_restrict_ingress_ssh_allSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run terraform_aws_compliance.control.vpc_security_group_restrict_ingress_ssh_all --shareSQL
This control uses a named query:
with rules as ( select distinct name, count(*) as num_ssh_rules from terraform_resource, jsonb_array_elements( case jsonb_typeof(arguments -> 'ingress') when 'array' then (arguments -> 'ingress') else jsonb_build_array(arguments -> 'ingress') end ) ingress where type = 'aws_security_group' and ingress is not null and ( (ingress -> 'cidr_blocks') @> '["0.0.0.0/0"]' or (ingress -> 'ipv6_cidr_blocks') @> '["::/0"]' or (ingress -> 'ipv6_cidr_blocks') @> '["0000:0000:0000:0000:0000:0000:0000:0000/0"]' ) and ( ingress ->> 'protocol' = '-1' or ( (ingress ->> 'from_port') :: integer >= 22 and (ingress ->> 'to_port') :: integer <= 22 ) ) group by name)select type || ' ' || r.name as resource, case when g.name is null then 'ok' else 'alarm' end as status, r.name || case when g.name is null then ' ingress restricted for SSH from 0.0.0.0/0' else ' contains ' || g.num_ssh_rules || ' ingress rule(s) allowing SSH from 0.0.0.0/0' end || '.' reason , path || ':' || start_linefrom terraform_resource as r left join rules as g on g.name = r.namewhere type = 'aws_security_group';