Benchmark: 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems
Description
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.nist_800_171_rev_2_3_13_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.nist_800_171_rev_2_3_13_1 --share
Controls
- ACM certificates should not expire within 30 days
- API Gateway stage logging should be enabled
- At least one multi-region AWS CloudTrail should be present in an account
- All S3 buckets should log S3 data events in CloudTrail
- At least one enabled trail should be present in a region
- CloudTrail trail log file validation should be enabled
- EC2 instances should be in a VPC
- ELB application and classic load balancer logging should be enabled
- ELB application load balancers should drop HTTP headers
- ELB application load balancers should redirect HTTP requests to HTTPS
- ELB application load balancers should have Web Application Firewall (WAF) enabled
- ELB classic load balancers should use SSL certificates
- ELB classic load balancers should only use SSL or HTTPS listeners
- ES domains should be in a VPC
- GuardDuty should be enabled
- Lambda functions should be in a VPC
- OpenSearch domains should be in a VPC
- Database logging should be enabled
- RDS DB instances should prohibit public access
- Redshift cluster encryption in transit should be enabled
- AWS Redshift enhanced VPC routing should be enabled
- Redshift clusters should prohibit public access
- S3 buckets should enforce SSL
- S3 bucket logging should be enabled
- S3 public access should be blocked at bucket levels
- AWS Security Hub should be enabled for an AWS Account
- SSM documents should not be public
- VPC flow logs should be enabled
- VPC route table should restrict public access to IGW
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
- Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)
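Each control above is backed by a SQL query run against Steampipe's AWS tables, returning one row per resource with a status of ok or alarm. The query below is an added illustration of how one such control, "VPC security groups should restrict ingress SSH access from 0.0.0.0/0", can be expressed in that style; it is not the mod's own query. It assumes the Steampipe AWS plugin tables aws_vpc_security_group and aws_vpc_security_group_rule with the columns named below (type, ip_protocol, from_port, to_port, cidr_ipv4, cidr_ipv6, group_id, arn, region, account_id); verify them against your installed plugin version.

```sql
-- Added example, not a query from steampipe-mod-aws-compliance.
-- Flags security groups with an ingress rule that exposes TCP/22 to the
-- whole internet. Two cases are easy to miss: a rule with ip_protocol = '-1'
-- (all protocols, all ports) and a port range that merely spans 22
-- (e.g. 0-1024), so the check does not look for from_port = 22 alone.
-- Assumed tables/columns: aws_vpc_security_group_rule(group_id, type,
-- ip_protocol, from_port, to_port, cidr_ipv4, cidr_ipv6) and
-- aws_vpc_security_group(arn, group_id, region, account_id).
with open_ssh_rules as (
  select distinct group_id
  from aws_vpc_security_group_rule
  where type = 'ingress'
    and (cidr_ipv4 = '0.0.0.0/0' or cidr_ipv6 = '::/0')
    and (
      ip_protocol = '-1'                                 -- all traffic
      or (ip_protocol = 'tcp'
          and from_port <= 22 and to_port >= 22)         -- any range covering 22
    )
)
select
  sg.arn as resource,
  case when r.group_id is null then 'ok' else 'alarm' end as status,
  case
    when r.group_id is null
      then sg.group_id || ' does not allow SSH ingress from 0.0.0.0/0.'
    else sg.group_id || ' allows SSH ingress from 0.0.0.0/0.'
  end as reason,
  sg.region,
  sg.account_id
from aws_vpc_security_group as sg
left join open_ssh_rules as r on sg.group_id = r.group_id
order by status desc, sg.group_id;
```

The resource/status/reason column shape is what Powerpipe expects from a control query, so a query written this way can be dropped into a custom control alongside the benchmark's own. Keeping the match logic in a CTE keyed on group_id makes the left join return every security group exactly once, which is what you want for a pass/fail report rather than a list of offending rules.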