standard
turbot/aws_compliance

Trigger: Detect & correct VPC security groups allowing ingress to port 22

Detect security group rules that allow ingress to port 22 from 0.0.0.0/0, then either skip each rule or revoke it.

Query

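-- Ingress rules open to the whole IPv4 internet (0.0.0.0/0) that reach port 22:
-- either an all-traffic rule (protocol '-1' carries no port range) or a rule whose
-- port range spans 22. The CTE is named for SSH, the service on port 22 (the
-- original name said "rdp", which is port 3389 and was misleading).
-- NOTE(review): IPv6 rules open to ::/0 are not matched by the cidr predicate below;
-- widen it only if the downstream revoke step is known to handle IPv6 rules.
with ingress_ssh_rules as (
  select
    group_id,
    security_group_rule_id,
    ip_protocol,
    from_port,
    to_port,
    -- cidr columns are rendered as text, '' when absent, so consumers get plain strings
    coalesce(cidr_ipv4 :: text, '') as cidr_ipv4,
    coalesce(cidr_ipv6 :: text, '') as cidr_ipv6,
    region,
    account_id,
    sp_connection_name as conn
  from
    aws_vpc_security_group_rule
  where
    type = 'ingress'
    and cidr_ipv4 = '0.0.0.0/0'
    and (
      -- all protocols / all ports
      (ip_protocol = '-1' and from_port is null)
      -- explicit port range that includes 22
      or (from_port <= 22 and to_port >= 22)
    )
)
-- One row per offending rule, joined to its security group for the title and
-- connection. The output column list is kept unchanged; it is presumably the
-- contract the correction pipeline reads.
select
  concat(sg.group_id, ' [', sg.region, '/', sg.account_id, ']') as title,
  sg.group_id as group_id,
  r.security_group_rule_id as security_group_rule_id,
  r.ip_protocol as ip_protocol,
  r.from_port as from_port,
  r.to_port as to_port,
  r.cidr_ipv4 as cidr_ipv4,
  r.cidr_ipv6 as cidr_ipv6,
  sg.region as region,
  sg.sp_connection_name as conn
from
  aws_vpc_security_group as sg
  -- inner join replaces the original "left join ... where group_id is not null",
  -- which returned exactly the matched rows
  inner join ingress_ssh_rules as r
    on r.group_id = sg.group_id;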

Schedule

15m

Tags

category = Compliance
mod = aws
service = AWS/VPC