standard
turbot/aws_compliance

Trigger: Detect & correct VPC Security groups allowing ingress to remote server administration ports IPv4

Detect VPC Security group rules that allow ingress from 0.0.0.0/0 to remote server administration ports (SSH 22, RDP 3389) over IPv4, and then skip or revoke the offending security group rules. Only the IPv4 any-source CIDR (0.0.0.0/0) is matched by this query; rules open to ::/0 (IPv6) are not flagged here.

Query

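-- Ingress rules that expose SSH (22) or RDP (3389) to the whole IPv4 internet.
-- Only 0.0.0.0/0 is matched; the ::/0 (IPv6) case would need cidr_ipv6.
with bad_rules as (
  select
    group_id,
    security_group_rule_id,
    ip_protocol,
    from_port,
    to_port,
    coalesce(cidr_ipv4 :: text, '') as cidr_ipv4,
    coalesce(cidr_ipv6 :: text, '') as cidr_ipv6,
    region,
    account_id,
    sp_connection_name as conn
  from
    aws_vpc_security_group_rule
  where
    type = 'ingress'
    and cidr_ipv4 = '0.0.0.0/0'
    and (
      -- Protocol -1 is "all traffic": every port, 22 and 3389 included, is
      -- open regardless of what from_port/to_port hold (null or -1 depending
      -- on how the API reports it), so the protocol alone is enough to flag
      -- the rule. Requiring from_port to be null would silently miss
      -- all-traffic rules reported with -1 ports.
      ip_protocol = '-1'
      -- Port-range checks: the rule's range covers SSH and/or RDP. No
      -- protocol filter is applied, so a UDP rule spanning these ports is
      -- flagged as well (RDP can also run over UDP/3389). Tighten to
      -- tcp/udp here if ICMP type/code ranges ever produce false positives.
      or (from_port <= 22 and to_port >= 22)
      or (from_port <= 3389 and to_port >= 3389)
    )
),
security_groups as (
  select
    region,
    account_id,
    group_id,
    sp_connection_name
  from
    aws_vpc_security_group
)
select
  concat(sg.group_id, ' [', sg.account_id, '/', sg.region, ']') as title,
  sg.group_id as group_id,
  bad_rules.security_group_rule_id as security_group_rule_id,
  bad_rules.ip_protocol as ip_protocol,
  bad_rules.from_port as from_port,
  bad_rules.to_port as to_port,
  bad_rules.cidr_ipv4 as cidr_ipv4,
  bad_rules.cidr_ipv6 as cidr_ipv6,
  sg.region as region,
  sg.sp_connection_name as conn
from
  security_groups as sg
  -- Join on the full identity of the group, not group_id alone: across an
  -- aggregator spanning many accounts/regions (or the same account reachable
  -- through more than one connection) a bare group_id match could pair a rule
  -- with a group row from another account, region or connection, and the
  -- revoke step would then be issued against the wrong connection or emitted
  -- several times for one rule.
  inner join bad_rules
    on bad_rules.group_id = sg.group_id
    and bad_rules.account_id = sg.account_id
    and bad_rules.region = sg.region
    and bad_rules.conn = sg.sp_connection_name;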

Schedule

15m

Tags

category = Compliance
mod = aws
service = AWS/VPC