Control: VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0

Description

This control checks if any security groups allow inbound 0.0.0.0/0 to TCP or UDP ports.

Usage

Run the control in your terminal:

powerpipe control run aws_perimeter.control.vpc_security_group_restrict_ingress_tcp_udp_all

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_perimeter.control.vpc_security_group_restrict_ingress_tcp_udp_all --share

Steampipe Tables

aws_vpc_security_group

aws_vpc_security_group_rule

SQL

with bad_rules as (
  select
    group_id,
    count(*) as num_bad_rules
  from
    aws_vpc_security_group_rule
  where
    type = 'ingress'
    and cidr_ipv4 = '0.0.0.0/0'
    and (
      ip_protocol in ('tcp', 'udp')
      or (
        ip_protocol = '-1'
        and from_port is null
      )
    )
  group by
    group_id
)
select
  arn as resource,
  case
    when bad_rules.group_id is null then 'ok'
    else 'alarm'
  end as status,
  case
    when bad_rules.group_id is null then sg.group_id || ' does not allow ingress to TCP or UDP ports from 0.0.0.0/0.'
    else sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to TCP or UDP ports from 0.0.0.0/0.'
  end as reason,
  sg.region,
  sg.account_id
from
  aws_vpc_security_group as sg
  left join bad_rules on bad_rules.group_id = sg.group_id;

Control: VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0

Description

Usage

Steampipe Tables

SQL

Tags