Benchmark: BP03 Automate network protection
Description
Automate protection mechanisms to provide a self-defending network based on threat intelligence and anomaly detection. For example, intrusion detection and prevention tools that can adapt to current threats and reduce their impact. A web application firewall is an example of where you can automate network protection, for example, by using the AWS WAF Security Automations solution to automatically block requests originating from IP addresses associated with known threat actors.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select BP03 Automate network protection.
Run this benchmark in your terminal:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec05_bp03
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec05_bp03 --share
Controls
- DMS replication instances should not be publicly accessible
- Auto Scaling launch config public IP should be disabled
- Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- VPC Security groups should only allow unrestricted incoming traffic for authorized ports
- 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress Kafka port access from 0.0.0.0/0
- Security groups should not allow unrestricted access to ports with high risk
- VPC security groups should restrict ingress redis access from 0.0.0.0/0
- WAF global web ACL should have at least one rule or rule group
- WAF global rule group should have at least one rule
- VPC network access control lists (network ACLs) should be associated with a subnet
- VPC default security group should not allow inbound and outbound traffic
- EC2 instances should not be attached to 'launch wizard' security groups
- Route53 domains privacy protection should be enabled
- Route 53 domains should have transfer lock enabled
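As an added example (not part of this mod or of the original page), the following Steampipe query approximates the listed control "VPC security groups should restrict ingress access on ports 22 and 3389 from 0.0.0.0/0", producing the resource/status/reason row shape that Powerpipe controls use. It assumes the Steampipe AWS plugin's aws_vpc_security_group and aws_vpc_security_group_rule tables with the column names shown, which may differ between plugin versions.

```sql
-- Added example, not the mod's own query. Assumed tables/columns:
-- aws_vpc_security_group_rule(group_id, type, ip_protocol, from_port, to_port,
--                             cidr_ipv4, cidr_ipv6)
-- aws_vpc_security_group(arn, group_id, region, account_id)
with open_admin_rules as (
  select
    group_id,
    count(*) as open_rules
  from
    aws_vpc_security_group_rule
  where
    type = 'ingress'
    and (cidr_ipv4 = '0.0.0.0/0' or cidr_ipv6 = '::/0')
    and (
      -- "all traffic" rules: protocol -1 carries no port range
      ip_protocol = '-1'
      -- TCP/UDP rules whose port range covers SSH (22) or RDP (3389)
      or (
        ip_protocol in ('tcp', 'udp')
        and (
          (from_port <= 22 and to_port >= 22)
          or (from_port <= 3389 and to_port >= 3389)
        )
      )
    )
  group by
    group_id
)
select
  sg.arn as resource,
  case when o.group_id is null then 'ok' else 'alarm' end as status,
  case
    when o.group_id is null
      then sg.group_id || ' restricts ingress to ports 22 and 3389.'
    else sg.group_id || ' has ' || o.open_rules
      || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0.'
  end as reason,
  sg.region,
  sg.account_id
from
  aws_vpc_security_group as sg
  left join open_admin_rules as o on sg.group_id = o.group_id;
```

Run it in `steampipe query` to see which groups the benchmark would flag before running the full benchmark; a group with no open rules reports `ok`, otherwise `alarm` with the offending rule count.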