Benchmark: BP07 Analyze public and cross-account access
Description
Continually monitor findings that highlight public and cross-account access. Reduce public and cross-account access to only the specific resources that require it. Know which of your AWS resources are shared and with whom. Continually monitor and audit your shared resources to verify they are shared only with authorized principals.
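The core of this practice is classifying who each resource policy grants access to. The following is an added example, not code from the Powerpipe mod or the page: a small Python classifier that groups a resource policy's statements into public, public-but-conditional, cross-account, same-account and service-principal grants, run over a constructed S3 bucket policy and a constructed owning account ID.

```python
import json
import re

# Captures the account ID from an IAM principal ARN or a bare 12-digit account ID.
ACCOUNT_RE = re.compile(r"^(?:arn:aws[a-z-]*:iam::(\d{12}):.*|(\d{12}))$")

def _principals(stmt):
    # Principal is either the string "*" or a dict keyed AWS/Service/Federated/CanonicalUser.
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    found = []
    for value in principal.values():
        found.extend(value if isinstance(value, list) else [value])
    return found

def classify_statement(stmt, own_account):
    """Return (category, foreign_account_ids) for one policy statement."""
    if stmt.get("Effect") != "Allow":
        return "deny", set()
    principals = _principals(stmt)
    if "*" in principals:  # wildcard principal: public unless a Condition narrows it
        return ("public-conditional" if stmt.get("Condition") else "public"), set()
    accounts = {m.group(1) or m.group(2) for m in map(ACCOUNT_RE.match, principals) if m}
    foreign = accounts - {own_account}
    if foreign:
        return "cross-account", foreign
    return ("same-account" if accounts else "service"), set()

def analyze_policy(policy_json, own_account):
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be an object, not a list
        statements = [statements]
    summary = {k: [] for k in ("public", "public-conditional", "cross-account",
                               "same-account", "service", "deny")}
    summary["foreign_accounts"] = set()
    for i, stmt in enumerate(statements):
        category, foreign = classify_statement(stmt, own_account)
        summary[category].append(stmt.get("Sid", f"statement-{i}"))
        summary["foreign_accounts"] |= foreign
    return summary

# Constructed sample bucket policy for account 111111111111 (not from the page).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerList", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "arn:aws:iam::111111111111:user/ops"]}},
    {"Sid": "LogDelivery", "Effect": "Allow", "Principal": {"Service": "logging.s3.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/logs/*"}]})
```

Statements flagged public-conditional still need a manual look, since a Condition such as aws:SourceAccount may or may not actually restrict the wildcard principal.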
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select BP07 Analyze public and cross-account access.
Run this benchmark in your terminal:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec03_bp07
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec03_bp07 --share
Controls
- DMS replication instances should not be publicly accessible
- EBS snapshots should not be publicly restorable
- EC2 instances should not have a public IP address
- ES domains should be in a VPC
- OpenSearch domains should be in a VPC
- EMR cluster master nodes should not have public IP addresses
- EMR public access should be blocked at account level
- EC2 instances should be in a VPC
- Lambda functions should restrict public access
- Lambda functions should be in a VPC
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- KMS CMK policies should prohibit public access
- Redshift clusters should prohibit public access
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public write access
- SageMaker notebook instances should not have direct internet access
- Secrets Manager secrets that have not been used in 90 days should be removed
- Auto Scaling launch config public IP should be disabled
- Ensure the S3 bucket CloudTrail logs to is not publicly accessible
- ECR repositories should prohibit public access
- EKS clusters endpoint should restrict public access
- ELB load balancers should prohibit public access
- S3 public access should be blocked at account level
- SNS topic policies should prohibit public access
- SQS queue policies should prohibit public access
- SSM documents should not be public