Benchmark: 4. Limit security groups
Description
Security groups are a key way that you can enable network access to resources you have provisioned on AWS. Ensuring that only the required ports are open and the connection is enabled from known network ranges is a foundational approach to security.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-top-10
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 4. Limit security groups.
Run this benchmark in your terminal:
powerpipe benchmark run aws_top_10.benchmark.account_security_limit_security_groups
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_top_10.benchmark.account_security_limit_security_groups --share
Controls
- EC2 instances should not be attached to 'launch wizard' security groups
- VPC default security group should not allow inbound and outbound traffic
- VPC Security groups should only allow unrestricted incoming traffic for authorized ports
- VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to cassandra ports 7199 or 9160 or 8888
- VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to memcached port 11211
- VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to mongoDB ports 27017 and 27018
- VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to oracle ports 1521 or 2483
- VPC security groups should restrict ingress Kafka port access from 0.0.0.0/0
- VPC security groups should restrict ingress redis access from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
- Security groups should not allow unrestricted access to ports with high risk
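As an added illustration of what one of these controls checks (this is not the mod's own query), the Steampipe SQL below lists security groups whose ingress rules expose port 22 to 0.0.0.0/0 or ::/0, the condition behind the "restrict ingress SSH access" control. It assumes the Steampipe AWS plugin's aws_vpc_security_group and aws_vpc_security_group_rule tables with the columns named below.

```sql
-- Added example, not part of the aws_top_10 mod: find security groups that let
-- the whole Internet reach SSH. Assumes the Steampipe AWS plugin tables
-- aws_vpc_security_group and aws_vpc_security_group_rule.
select
  sg.account_id,
  sg.region,
  sg.vpc_id,
  sg.group_id,
  sg.group_name,
  r.security_group_rule_id,
  coalesce(r.cidr_ipv4::text, r.cidr_ipv6::text) as source_cidr,
  r.ip_protocol,
  r.from_port,
  r.to_port
from
  aws_vpc_security_group as sg
  join aws_vpc_security_group_rule as r on r.group_id = sg.group_id
where
  r.type = 'ingress'
  -- source is the entire IPv4 or IPv6 Internet
  and (r.cidr_ipv4 = '0.0.0.0/0' or r.cidr_ipv6 = '::/0')
  -- port 22 is reachable: all protocols (-1), or a TCP rule whose port range
  -- includes 22 (a rule with no ports covers every TCP port)
  and (
    r.ip_protocol = '-1'
    or (
      r.ip_protocol = 'tcp'
      and (
        (r.from_port is null and r.to_port is null)
        or (r.from_port <= 22 and r.to_port >= 22)
      )
    )
  )
order by
  sg.account_id, sg.region, sg.group_id;
```

Replacing the port and protocol predicates with the ports listed in the other controls (11211, 27017-27018, 1521 or 2483, and so on) yields the corresponding checks; an empty result set means every group passes.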