Control: Network Security Groups HTTP Services are restricted from the Internet
Description
Network security groups should not carry inbound `Allow` rules that expose HTTP (TCP port 80, or a port range that includes it) to an Internet-wide source such as `*`, `0.0.0.0/0` or the `Internet` service tag. Remove or restrict such rules to the specific source prefixes that need access.
Usage
Run the control in your terminal:
powerpipe control run terraform_azure_compliance.control.network_security_group_http_access_restricted

Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_azure_compliance.control.network_security_group_http_access_restricted --share

SQL
This control uses a named query:
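-- Flags azurerm_network_security_group resources that contain an inline
-- security_rule allowing inbound TCP (or any-protocol) traffic from an
-- Internet-wide source prefix to port 80, either directly, via the '*'
-- wildcard, or via a port range that spans 80.
--
-- NOTE(review): only inline `security_rule` blocks on the NSG resource are
-- inspected; rules declared as standalone `azurerm_network_security_rule`
-- resources are not evaluated here.
with nsg_group as (
  select distinct
    address as name
  from
    terraform_resource,
    -- security_rule may be written as a single object or as a list;
    -- normalise both shapes to a list so each rule is one row
    jsonb_array_elements(
      case jsonb_typeof(attributes_std -> 'security_rule')
        when 'array' then attributes_std -> 'security_rule'
        when 'object' then jsonb_build_array(attributes_std -> 'security_rule')
        else null
      end
    ) as sg,
    -- prefer the plural list attribute when it is a non-empty array,
    -- otherwise fall back to the singular attribute; jsonb_typeof keeps
    -- jsonb_array_length from being applied to a missing or scalar value
    jsonb_array_elements_text(
      case
        when jsonb_typeof(sg -> 'destination_port_ranges') = 'array'
          and jsonb_array_length(sg -> 'destination_port_ranges') > 0
          then sg -> 'destination_port_ranges'
        else jsonb_build_array(sg -> 'destination_port_range')
      end
    ) as dport,
    jsonb_array_elements_text(
      case
        when jsonb_typeof(sg -> 'source_address_prefixes') = 'array'
          and jsonb_array_length(sg -> 'source_address_prefixes') > 0
          then sg -> 'source_address_prefixes'
        else jsonb_build_array(sg -> 'source_address_prefix')
      end
    ) as sip
  where
    type = 'azurerm_network_security_group'
    and lower(sg ->> 'access') = 'allow'
    and lower(sg ->> 'direction') = 'inbound'
    and lower(sg ->> 'protocol') in ('tcp', '*')
    -- any-source prefixes: wildcards, the IPv4 and IPv6 default routes and
    -- the Azure "Internet" service tag
    and lower(sip) in ('*', '0.0.0.0', '0.0.0.0/0', '::/0', 'internet', 'any', '<nw>/0', '/0')
    and (
      dport in ('80', '*')
      or (
        -- a range such as "0-65535" counts when it spans port 80
        dport like '%-%'
        and split_part(dport, '-', 1)::integer <= 80
        and split_part(dport, '-', 2)::integer >= 80
      )
    )
)
select
  r.address as resource,
  case
    when g.name is null then 'ok'
    else 'alarm'
  end as status,
  split_part(r.address, '.', 2) || case
    when g.name is null then ' restricts HTTP access from internet'
    else ' allows HTTP access from internet'
  end || '.' as reason,
  r.path || ':' || r.start_line
from
  terraform_resource as r
  -- nsg_group.name holds the resource *address* (type.label), so the join
  -- must be on r.address; joining on r.name (the bare label) never matches
  -- and silently reports every NSG as ok
  left join nsg_group as g on g.name = r.address
where
  r.type = 'azurerm_network_security_group';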