Benchmark: 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet
Description
All traffic outbound from the cardholder data environment should be evaluated to ensure that it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content). The set of controls will examine firewall and router configurations to verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_1_3_4
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_1_3_4 --share
Controls
- Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)
- DMS replication instances should not be publicly accessible
- ES domains should be in a VPC
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- RDS DB instances should prohibit public access
- Redshift clusters should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- SageMaker notebook instances should not have direct internet access