Benchmark: CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries
Description
Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted.
Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries.
Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries.
Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts at unauthorized access, and are monitored to detect such attempts.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.soc_2_cc_6_6
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.soc_2_cc_6_6 --share
Controls
- DMS replication instances should not be publicly accessible
- EBS snapshots should not be publicly restorable
- EC2 instances should be in a VPC
- EC2 instances should not have a public IP address
- ELB application load balancers should have Web Application Firewall (WAF) enabled
- EMR cluster master nodes should not have public IP addresses
- ES domains should be in a VPC
- GuardDuty should be enabled
- IAM root user hardware MFA should be enabled
- IAM root user MFA should be enabled
- IAM users with console access should have MFA enabled
- IAM user MFA should be enabled
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- Redshift clusters should prohibit public access
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- SageMaker notebook instances should not have direct internet access
- AWS Security Hub should be enabled for an AWS Account
- VPC default security group should not allow inbound and outbound traffic
- VPC flow logs should be enabled
- VPC internet gateways should be attached to authorized vpc
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
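Each control above is a SQL query over Steampipe's AWS tables that returns one row per resource with a status of ok or alarm. The query below is an added example, not the one shipped in the aws_compliance mod, showing how the two security-group controls (ingress on 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0, and SSH from 0.0.0.0/0) can be evaluated in one pass; it goes slightly beyond the listed controls by also treating ::/0 as world-open. It assumes the Steampipe AWS plugin tables aws_vpc_security_group and aws_vpc_security_group_rule with the column names documented for that plugin (group_id, type, ip_protocol, from_port, to_port, cidr_ipv4, cidr_ipv6, arn, region, account_id).

```sql
-- Added example (not the aws_compliance mod's own query).
-- Assumes Steampipe AWS plugin tables aws_vpc_security_group and
-- aws_vpc_security_group_rule; run with `steampipe query` or wrap in a
-- Powerpipe control block.
with sensitive_ports as (
  -- Ports named in the CC6.6 security-group controls, with a label for the report.
  select port, service
  from (
    values
      (20, 'FTP-data'), (21, 'FTP'), (22, 'SSH'),
      (3306, 'MySQL'), (3389, 'RDP'), (4333, 'mSQL')
  ) as p(port, service)
),
open_rules as (
  -- Ingress rules reachable from the whole internet over IPv4 or IPv6.
  -- ip_protocol = '-1' means "all traffic"; such rules carry no port range,
  -- so they expose every sensitive port. ICMP-only rules never match.
  select
    r.group_id,
    p.service || '/' || p.port as label
  from
    aws_vpc_security_group_rule as r
    join sensitive_ports as p
      on r.ip_protocol = '-1'
      or (
        r.ip_protocol in ('tcp', 'udp')
        and r.from_port <= p.port
        and r.to_port >= p.port
      )
  where
    r.type = 'ingress'
    and (r.cidr_ipv4 = '0.0.0.0/0' or r.cidr_ipv6 = '::/0')
),
findings as (
  -- One row per offending security group, listing the exposed ports.
  select
    group_id,
    string_agg(distinct label, ', ' order by label) as exposed
  from open_rules
  group by group_id
)
select
  sg.arn as resource,
  case when f.group_id is null then 'ok' else 'alarm' end as status,
  case
    when f.group_id is null
      then sg.group_id || ' does not expose sensitive ports to the internet.'
    else sg.group_id || ' exposes ' || f.exposed || ' to 0.0.0.0/0 or ::/0.'
  end as reason,
  sg.region,
  sg.account_id
from
  aws_vpc_security_group as sg
  left join findings as f on f.group_id = sg.group_id;
```

The resource/status/reason/region/account_id column shape is what Powerpipe expects from a control query, so the same SQL can be pasted into a custom control's sql attribute to extend this benchmark. A rule that opens a port range such as 0-65535 is caught by the from_port/to_port comparison, which is the case a port-equality check would miss.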