Benchmark: BP01 Create network layers
Description
Group components that share sensitivity requirements into layers to minimize the potential scope of impact of unauthorized access. For example, a database cluster in a virtual private cloud (VPC) with no need for internet access should be placed in subnets with no route to or from the internet. Traffic should only flow from the adjacent next least sensitive resource. Consider a web application sitting behind a load balancer. Your database should not be accessible directly from the load balancer. Only the business logic or web server should have direct access to your database.
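An added check of the layering rule just described, written for this page and not part of the mod. It runs over a constructed three-tier layout (subnet and gateway ids are placeholders, and the tier list, dataclasses and function names are assumptions), flagging a data-tier subnet whose default route points at an internet or NAT gateway, and any resource whose security group admits traffic from a tier other than the adjacent less sensitive one:

```python
from dataclasses import dataclass

# Tiers from least to most sensitive; each may only accept traffic from the
# tier immediately before it (the "adjacent next least sensitive" resource).
TIERS = ["internet", "lb", "app", "data"]

@dataclass
class Subnet:
    subnet_id: str
    tier: str
    routes: dict  # destination CIDR -> route target (constructed ids below)

@dataclass
class Resource:
    name: str
    tier: str
    subnet_id: str
    ingress_from: list  # tiers its security group accepts connections from

def has_internet_route(subnet):
    """True if the default route points at an internet or NAT gateway."""
    return subnet.routes.get("0.0.0.0/0", "").startswith(("igw-", "nat-"))

def find_violations(subnets, resources):
    """Return one finding per breach of the layering rule."""
    by_id = {s.subnet_id: s for s in subnets}
    findings = []
    for r in resources:
        subnet = by_id[r.subnet_id]
        allowed = TIERS[TIERS.index(r.tier) - 1]
        if r.tier == "data" and has_internet_route(subnet):
            findings.append(f"{r.name}: {subnet.subnet_id} has a route to the internet")
        for src in r.ingress_from:
            if src != allowed:
                findings.append(f"{r.name}: reachable from {src}, only {allowed} may reach {r.tier}")
    return findings

# Constructed sample layout; ids are placeholders, not real AWS resources.
SUBNETS = [
    Subnet("subnet-lb", "lb", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"}),
    Subnet("subnet-app", "app", {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-EXAMPLE"}),
    Subnet("subnet-data", "data", {"10.0.0.0/16": "local"}),
    Subnet("subnet-data-bad", "data", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"}),
]
RESOURCES = [
    Resource("alb", "lb", "subnet-lb", ["internet"]),
    Resource("web", "app", "subnet-app", ["lb"]),
    Resource("db-good", "data", "subnet-data", ["app"]),
    Resource("db-bad", "data", "subnet-data-bad", ["lb", "app"]),
]
```

Only `db-bad` produces findings: its subnet routes to the internet, and its security group lets the load balancer tier reach it directly.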
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select BP01 Create network layers.
Run this benchmark in your terminal:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec05_bp01
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec05_bp01 --share
Controls
- ES domains should be in a VPC
- OpenSearch domains should be in a VPC
- EC2 instances should be in a VPC
- Lambda functions should be in a VPC
- AWS Redshift enhanced VPC routing should be enabled
- ELB application load balancers should have Web Application Firewall (WAF) enabled
- API Gateway stage should be associated with WAF
- CloudFront distributions should have AWS WAF enabled
- EKS clusters endpoint should restrict public access
- SageMaker models should have network isolation enabled
- SageMaker models should be in a VPC
- SageMaker notebook instances should be in a VPC
- SageMaker training jobs should have network isolation enabled
- SageMaker training jobs should be in a VPC