Control: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
Description
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.
Usage
Run the control in your terminal:
```bash
powerpipe control run terraform_aws_compliance.control.vpc_security_group_restrict_ingress_rdp_all
```

Snapshot and share results via Turbot Pipes:

```bash
powerpipe login
powerpipe control run terraform_aws_compliance.control.vpc_security_group_restrict_ingress_rdp_all --share
```

SQL
This control uses a named query:
```sql
with rules as (
  select distinct
    name,
    count(*) as num_rdp_rules
  from
    terraform_resource,
    -- a single ingress block parses as an object, several as an array; normalise to an array
    jsonb_array_elements(
      case jsonb_typeof(arguments -> 'ingress')
        when 'array' then (arguments -> 'ingress')
        else jsonb_build_array(arguments -> 'ingress')
      end
    ) ingress
  where
    type = 'aws_security_group' and
    ingress is not null
    and (
      (ingress -> 'cidr_blocks') @> '["0.0.0.0/0"]'
      or (ingress -> 'ipv6_cidr_blocks') @> '["::/0"]'
      or (ingress -> 'ipv6_cidr_blocks') @> '["0000:0000:0000:0000:0000:0000:0000:0000/0"]'
    )
    and (
      ingress ->> 'protocol' = '-1'
      or (
        -- a rule matches when its port range contains 3389, not only when it is exactly 3389-3389
        (ingress ->> 'from_port') :: integer <= 3389 and
        (ingress ->> 'to_port') :: integer >= 3389
      )
    )
  group by
    name
)
select
  type || ' ' || r.name as resource,
  case
    when g.name is null then 'ok'
    else 'alarm'
  end as status,
  r.name || case
    when g.name is null then ' ingress restricted for RDP from 0.0.0.0/0'
    else ' contains ' || g.num_rdp_rules || ' ingress rule(s) allowing RDP from 0.0.0.0/0'
  end || '.' as reason,
  path || ':' || start_line
from
  terraform_resource as r
  left join rules as g on g.name = r.name
where
  type = 'aws_security_group';
```
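The same evaluation logic, re-implemented in Python over constructed rows shaped like `terraform_resource`, as an added example that is not part of the page or the mod: it shows the single-object-versus-array `ingress` normalisation, the `-1` protocol shortcut and the port-range test applied to sample security groups. The sample data and function names are assumptions made for this example.

```python
RDP_PORT = 3389
# The same "from anywhere" CIDR spellings the SQL query tests with @>.
ANY_CIDRS = {"0.0.0.0/0", "::/0", "0000:0000:0000:0000:0000:0000:0000:0000/0"}

def ingress_blocks(arguments):
    """Mirror the jsonb_typeof CASE: one ingress block parses as an object, several as a list."""
    ingress = arguments.get("ingress")
    if ingress is None:
        return []
    return ingress if isinstance(ingress, list) else [ingress]

def rule_allows_rdp_from_anywhere(rule):
    """True when the rule is open to 0.0.0.0/0 or ::/0 and its ports (or protocol -1) cover 3389."""
    cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
    if not cidrs & ANY_CIDRS:
        return False
    if str(rule.get("protocol")) == "-1":  # all protocols, all ports
        return True
    # A range that contains 3389 is a match, not only an exact 3389-3389 rule.
    return int(rule["from_port"]) <= RDP_PORT <= int(rule["to_port"])

def evaluate(resources):
    """Return {name: (status, reason)} for every aws_security_group, worded like the control."""
    results = {}
    for res in resources:
        if res["type"] != "aws_security_group":
            continue
        n = sum(rule_allows_rdp_from_anywhere(r) for r in ingress_blocks(res["arguments"]))
        if n == 0:
            results[res["name"]] = ("ok", f"{res['name']} ingress restricted for RDP from 0.0.0.0/0.")
        else:
            results[res["name"]] = ("alarm", f"{res['name']} contains {n} ingress rule(s) allowing RDP from 0.0.0.0/0.")
    return results

# Constructed sample rows shaped like terraform_resource (type, name, arguments).
SAMPLE = [
    {"type": "aws_security_group", "name": "bastion", "arguments": {"ingress":
        {"from_port": 3389, "to_port": 3389, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}}},
    {"type": "aws_security_group", "name": "wide_open", "arguments": {"ingress": [
        {"from_port": 0, "to_port": 0, "protocol": "-1", "ipv6_cidr_blocks": ["::/0"]},
        {"from_port": 3000, "to_port": 4000, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_security_group", "name": "internal", "arguments": {"ingress": [
        {"from_port": 3389, "to_port": 3389, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}},
    {"type": "aws_instance", "name": "web", "arguments": {}},
]

if __name__ == "__main__":
    for _, (status, reason) in evaluate(SAMPLE).items():
        print(f"{status:5} {reason}")
```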