Control: Ensure subnets are not publicly accessible
Description
Public access to a network's subnet increases the resource attack surface and unnecessarily raises the risk of resource compromise. A network source is a set of defined IP addresses. The IP addresses can be public IP addresses or IP addresses from VCNs within your tenancy. After you create a network source, you can reference it in a policy or in your tenancy's authentication settings to control access based on the originating IP address.
Usage
Run the control in your terminal:
powerpipe control run terraform_oci_compliance.control.vcn_subnet_public_access_blocked
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_oci_compliance.control.vcn_subnet_public_access_blocked --share
SQL
This control uses a named query:
select
  type || ' ' || name as resource,
  case
    when (
      (attributes_std ->> 'prohibit_public_ip_on_vnic') is not null
      and (attributes_std ->> 'prohibit_public_ip_on_vnic')::boolean
    ) then 'ok'
    else 'alarm'
  end as status,
  name || case
    when (
      (attributes_std ->> 'prohibit_public_ip_on_vnic') is not null
      and (attributes_std ->> 'prohibit_public_ip_on_vnic')::boolean
    ) then ' is not publicly accessible'
    else ' is publicly accessible'
  end || '.' as reason,
  path || ':' || start_line
from
  terraform_resource
where
  type = 'oci_core_subnet';
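The query above marks an oci_core_subnet as ok only when prohibit_public_ip_on_vnic is present and true; a subnet that omits the attribute (provider default false) or sets it to false is reported in alarm. The following Terraform fragment, added here as an illustration and not part of the terraform_oci_compliance mod, shows one subnet of each kind so the result of the control can be checked against a known input. The resource names, the var.compartment_ocid variable and the CIDR ranges are assumed placeholders.

```hcl
# Added example (not from the terraform_oci_compliance mod): one failing and one
# passing subnet in the same VCN. Names, variables and CIDRs are assumptions.

resource "oci_core_vcn" "example" {
  compartment_id = var.compartment_ocid   # assumed variable holding the compartment OCID
  cidr_block     = "10.0.0.0/16"
  display_name   = "example-vcn"
}

# Reported in ALARM by the control: prohibit_public_ip_on_vnic is omitted, so the
# provider default (false) applies and VNICs in this subnet may receive public IPs.
resource "oci_core_subnet" "public_subnet" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.example.id
  cidr_block     = "10.0.1.0/24"
  display_name   = "public-subnet"
}

# Reported OK by the control: public IP assignment on VNICs is explicitly prohibited.
resource "oci_core_subnet" "private_subnet" {
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.example.id
  cidr_block                 = "10.0.2.0/24"
  display_name               = "private-subnet"
  prohibit_public_ip_on_vnic = true
}
```

Running the control against a directory containing this file produces one alarm row for oci_core_subnet public_subnet with the reason "public_subnet is publicly accessible." and one ok row for private_subnet, each annotated with the file path and the line on which the resource block starts. Setting prohibit_public_ip_on_vnic = false explicitly yields the same alarm as omitting it, since the query's boolean cast evaluates to false in both the explicit and the defaulted case.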