Control: Ensure the Network default security list of every VCN restricts all traffic except ICMP
Description
A default security list is created when a Virtual Cloud Network (VCN) is created. Security lists provide stateful filtering of ingress and egress network traffic to OCI resources. It is recommended no security list allows unrestricted ingress access to Secure Shell (SSH) via port 22.
Usage
Run the control in your terminal:
powerpipe control run terraform_oci_compliance.control.vcn_default_security_group_allow_icmp_onlySnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run terraform_oci_compliance.control.vcn_default_security_group_allow_icmp_only --shareSQL
This control uses a named query:
with all_security_rules as ( select * from terraform_resource where type = 'oci_core_security_list'), non_complaint as ( select name, count(name) as count from all_security_rules, jsonb_array_elements( case jsonb_typeof(attributes_std -> 'ingress_security_rules') when 'array' then (attributes_std -> 'ingress_security_rules') else null end ) as p where p ->> 'protocol' != '1' group by name)select a.address as resource, case when b.count > 0 or (a.attributes_std -> 'ingress_security_rules' ->> 'protocol' != '1') then 'alarm' else 'ok' end as status, split_part(a.address, '.', 2) || case when b.count > 0 or (a.attributes_std -> 'ingress_security_rules' ->> 'protocol' != '1') then ' configured with non ICMP ports' else ' configured with ICMP ports only' end || '.' reason , path || ':' || start_linefrom all_security_rules as a left join non_complaint as b on a.name = b.name;