Control: Ensure no Network security groups allow ingress from 0.0.0.0/0 to port 22
Description
Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 22.
Usage
Run the control in your terminal:
powerpipe control run terraform_oci_compliance.control.vcn_network_security_group_restrict_ingress_ssh_all
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_oci_compliance.control.vcn_network_security_group_restrict_ingress_ssh_all --share
SQL
This control uses a named query:
with all_sg_security_rule as (
  select
    *
  from
    terraform_resource
  where
    type = 'oci_core_network_security_group_security_rule'
),
all_sg as (
  select
    *
  from
    terraform_resource
  where
    type = 'oci_core_network_security_group'
),
non_complaint as (
  select
    attributes_std ->> 'network_security_group_id' as nsg_id,
    count(*) as count
  from
    all_sg_security_rule
  where
    attributes_std ->> 'direction' = 'INGRESS'
    and attributes_std ->> 'source_type' = 'CIDR_BLOCK'
    and attributes_std ->> 'source' = '0.0.0.0/0'
    and (
      attributes_std ->> 'protocol' = 'all'
      or (
        (attributes_std -> 'tcp_options' -> 'destination_port_range' ->> 'min')::integer <= 22
        and (attributes_std -> 'tcp_options' -> 'destination_port_range' ->> 'max')::integer >= 22
      )
    )
  group by
    nsg_id
)
select
  a.address as resource,
  case
    when split_part(b.nsg_id, '.', 2) is null then 'ok'
    else 'alarm'
  end as status,
  split_part(a.address, '.', 2) || case
    when split_part(b.nsg_id, '.', 2) is null then ' ingress restricted for SSH from 0.0.0.0/0'
    else ' ingress rule(s) allowing SSH from 0.0.0.0/0'
  end || '.' as reason,
  path || ':' || start_line
from
  all_sg as a
  left join non_complaint as b on a.name = split_part(b.nsg_id, '.', 2);
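The predicate above can be hard to reason about from the SQL alone. The following added example (not part of the Powerpipe mod) re-implements the same rule logic in Python over constructed records shaped like terraform_resource rows, so you can see which rule attributes produce an alarm: the direction, source type and source must all match, and either protocol is 'all' or the TCP destination port range spans port 22. Resource and rule names in the sample are made up.

```python
SSH_PORT = 22

def rule_exposes_ssh(attrs: dict) -> bool:
    """Mirror the control's predicate for one
    oci_core_network_security_group_security_rule attribute map."""
    if attrs.get("direction") != "INGRESS":
        return False
    if attrs.get("source_type") != "CIDR_BLOCK" or attrs.get("source") != "0.0.0.0/0":
        return False
    if attrs.get("protocol") == "all":
        return True
    port_range = (attrs.get("tcp_options") or {}).get("destination_port_range") or {}
    try:
        lo, hi = int(port_range["min"]), int(port_range["max"])
    except (KeyError, TypeError, ValueError):
        # No TCP port range (UDP/ICMP rule or missing block): in the SQL the
        # comparison against NULL is not true, so the rule is not flagged.
        return False
    return lo <= SSH_PORT <= hi

def evaluate(resources: list) -> dict:
    """Return {nsg_name: 'ok' | 'alarm'} for every oci_core_network_security_group,
    joining rules back to their NSG through network_security_group_id as the query does."""
    flagged = set()
    for r in resources:
        if r["type"] == "oci_core_network_security_group_security_rule" \
                and rule_exposes_ssh(r["attributes_std"]):
            # The id is a reference such as oci_core_network_security_group.web.id;
            # the second dot-separated part is the NSG resource name (split_part(..., 2)).
            flagged.add(r["attributes_std"]["network_security_group_id"].split(".")[1])
    return {r["name"]: ("alarm" if r["name"] in flagged else "ok")
            for r in resources if r["type"] == "oci_core_network_security_group"}

# Constructed sample rows (hypothetical names): "web" has a TCP 20-25 rule open to the
# world, which covers port 22; "db" only allows SSH from a private range.
SAMPLE = [
    {"type": "oci_core_network_security_group", "name": "web", "attributes_std": {}},
    {"type": "oci_core_network_security_group", "name": "db", "attributes_std": {}},
    {"type": "oci_core_network_security_group_security_rule", "name": "web_ssh", "attributes_std": {
        "network_security_group_id": "${oci_core_network_security_group.web.id}",
        "direction": "INGRESS", "source_type": "CIDR_BLOCK", "source": "0.0.0.0/0",
        "protocol": "6", "tcp_options": {"destination_port_range": {"min": "20", "max": "25"}}}},
    {"type": "oci_core_network_security_group_security_rule", "name": "db_ssh", "attributes_std": {
        "network_security_group_id": "${oci_core_network_security_group.db.id}",
        "direction": "INGRESS", "source_type": "CIDR_BLOCK", "source": "10.0.0.0/16",
        "protocol": "6", "tcp_options": {"destination_port_range": {"min": "22", "max": "22"}}}},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE))  # {'web': 'alarm', 'db': 'ok'}
```

Note that, like the query, this only matches the IPv4 wildcard 0.0.0.0/0 and TCP port ranges; a rule sourced from ::/0 is not flagged by this control.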