Benchmark: 1.3.6 Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks
Description
If cardholder data is located within the DMZ, it is easier for an external attacker to access this information, since there are fewer layers to penetrate. Securing system components that store cardholder data (such as a database) in an internal network zone that is segregated from the DMZ and other untrusted networks by a firewall can prevent unauthorized network traffic from reaching the system component.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 1.3.6 Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_1_3_6Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_1_3_6 --shareControls
- DMS replication instances should not be publicly accessible
- ES domains should be in a VPC
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- Redshift clusters should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- SageMaker notebook instances should not have direct internet access