Benchmark: 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ
Description
The DMZ is the part of the network that manages connections between the Internet (or other untrusted networks) and the services an organization needs to make available to the public (such as a web server). Its purpose is to prevent malicious individuals from reaching the organization's internal network from the Internet, or from using services, protocols, or ports in an unauthorized manner. The controls in this benchmark check that inbound Internet traffic is limited to IP addresses within the DMZ.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_1_3_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_1_3_2 --share
Controls
- Auto Scaling launch config public IP should be disabled
- DMS replication instances should not be publicly accessible
- ES domains should be in a VPC
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- RDS DB instances should prohibit public access
- Redshift clusters should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- SageMaker notebook instances should not have direct internet access
- VPC internet gateways should be attached to authorized vpc
- Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- VPC route table should restrict public access to IGW
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
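Each control above is backed by a Steampipe SQL query that returns a status per AWS resource. As an added example (not the mod's own control query), the following shows how the last control, "VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0", can be expressed against the Steampipe AWS plugin tables; it goes slightly beyond the control title by also flagging the IPv6 equivalent ::/0. The table and column names (aws_vpc_security_group, aws_vpc_security_group_rule, is_egress, cidr_ipv4, cidr_ipv6, ip_protocol) are assumed from the current plugin schema; confirm them with `.inspect aws_vpc_security_group_rule` in the steampipe query shell before relying on the query.

```sql
-- Added example, not the mod's own query. Assumes the aws_vpc_security_group
-- and aws_vpc_security_group_rule tables of the Steampipe AWS plugin.
-- A Powerpipe control query must return the columns resource, status and reason;
-- extra columns (region, account_id) are passed through as dimensions.
with open_rules as (
  select
    group_id,
    count(*) as num_open_rules
  from
    aws_vpc_security_group_rule
  where
    not is_egress                                   -- ingress rules only
    and (cidr_ipv4 = '0.0.0.0/0' or cidr_ipv6 = '::/0')
    and (
      ip_protocol in ('tcp', 'udp')                 -- any TCP/UDP port range from anywhere
      or ip_protocol = '-1'                         -- "all traffic" rules include TCP and UDP
    )
  group by
    group_id
)
select
  sg.arn as resource,
  case
    when o.group_id is null then 'ok'
    else 'alarm'
  end as status,
  case
    when o.group_id is null then sg.group_id || ' has no TCP/UDP ingress open to the world.'
    else sg.group_id || ' has ' || o.num_open_rules
         || ' TCP/UDP ingress rule(s) open to 0.0.0.0/0 or ::/0.'
  end as reason,
  sg.region,
  sg.account_id
from
  aws_vpc_security_group as sg
  left join open_rules as o on o.group_id = sg.group_id
order by
  status desc, sg.region, sg.group_id;
```

Run it with `steampipe query` once `steampipe service start` has been issued; groups whose only world-open rules are ICMP or a non-TCP/UDP protocol number come back as `ok`, which is the behaviour the control title implies but worth checking against your own policy.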